b11624631a77de1dc09acd430aec8ac12f457d1851045f93ed3f5f5dc28cc5f5

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Size

372KB
MD5

3f1bd3c7f516afaf62ddb898002bd7c3
SHA1

ee3465891ffddb154ae186b409cd3e0d571c9fc9
SHA256

b11624631a77de1dc09acd430aec8ac12f457d1851045f93ed3f5f5dc28cc5f5
SHA512

574d4889f2b2f645196bf000ccc86edd4faeede6a26fa222cb42b1486ba991b85528cc3c6da237604f1ca01cfdd80bba06502329cf17eb6e0964639d6253d83a
SSDEEP

3072:CEGh0oPmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG8l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29D5F392-39FF-4535-A4FF-1242AC2789D0}	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3741C394-6AEC-45dc-BE67-D83B7007804C}	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12E0D3D-D8D1-4320-828F-539C38852EAE}	{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}\stubpath = "C:\\Windows\\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe"	{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A28B5E4F-E4EB-436a-B296-05B9047B0861}\stubpath = "C:\\Windows\\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe"	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29D5F392-39FF-4535-A4FF-1242AC2789D0}\stubpath = "C:\\Windows\\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe"	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}\stubpath = "C:\\Windows\\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe"	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}\stubpath = "C:\\Windows\\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe"	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16A1844E-E248-45dc-A19C-7DD219739300}	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3741C394-6AEC-45dc-BE67-D83B7007804C}\stubpath = "C:\\Windows\\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe"	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}	{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0325A33E-F999-437e-92DE-76772E1C5BDD}	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16A1844E-E248-45dc-A19C-7DD219739300}\stubpath = "C:\\Windows\\{16A1844E-E248-45dc-A19C-7DD219739300}.exe"	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E59BDC-8820-4729-9052-99AAD22CD2FE}	{16A1844E-E248-45dc-A19C-7DD219739300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}\stubpath = "C:\\Windows\\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe"	{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A28B5E4F-E4EB-436a-B296-05B9047B0861}	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0325A33E-F999-437e-92DE-76772E1C5BDD}\stubpath = "C:\\Windows\\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe"	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E59BDC-8820-4729-9052-99AAD22CD2FE}\stubpath = "C:\\Windows\\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe"	{16A1844E-E248-45dc-A19C-7DD219739300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D12E0D3D-D8D1-4320-828F-539C38852EAE}\stubpath = "C:\\Windows\\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe"	{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}	{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe

Deletes itself 1 IoCs

pid	Process
1208	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe
872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
2668	{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
2956	{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
2724	{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe
1068	{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
File created	C:\Windows\{16A1844E-E248-45dc-A19C-7DD219739300}.exe	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
File created	C:\Windows\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	{16A1844E-E248-45dc-A19C-7DD219739300}.exe
File created	C:\Windows\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe	{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
File created	C:\Windows\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe	{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
File created	C:\Windows\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe	{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe
File created	C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
File created	C:\Windows\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
File created	C:\Windows\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
File created	C:\Windows\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
File created	C:\Windows\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
Token: SeIncBasePriorityPrivilege	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
Token: SeIncBasePriorityPrivilege	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
Token: SeIncBasePriorityPrivilege	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
Token: SeIncBasePriorityPrivilege	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
Token: SeIncBasePriorityPrivilege	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe
Token: SeIncBasePriorityPrivilege	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
Token: SeIncBasePriorityPrivilege	2668	{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
Token: SeIncBasePriorityPrivilege	2956	{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
Token: SeIncBasePriorityPrivilege	2724	{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2872	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	28
PID 1996 wrote to memory of 1208	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	29
PID 2872 wrote to memory of 2820	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	32
PID 2872 wrote to memory of 2820	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	32
PID 2872 wrote to memory of 2820	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	32
PID 2872 wrote to memory of 2820	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	32
PID 2872 wrote to memory of 2912	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	33
PID 2872 wrote to memory of 2912	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	33
PID 2872 wrote to memory of 2912	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	33
PID 2872 wrote to memory of 2912	2872	{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe	33
PID 2820 wrote to memory of 2128	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	34
PID 2820 wrote to memory of 2128	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	34
PID 2820 wrote to memory of 2128	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	34
PID 2820 wrote to memory of 2128	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	34
PID 2820 wrote to memory of 3020	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	35
PID 2820 wrote to memory of 3020	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	35
PID 2820 wrote to memory of 3020	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	35
PID 2820 wrote to memory of 3020	2820	{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe	35
PID 2128 wrote to memory of 2852	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	36
PID 2128 wrote to memory of 2852	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	36
PID 2128 wrote to memory of 2852	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	36
PID 2128 wrote to memory of 2852	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	36
PID 2128 wrote to memory of 2684	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	37
PID 2128 wrote to memory of 2684	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	37
PID 2128 wrote to memory of 2684	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	37
PID 2128 wrote to memory of 2684	2128	{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe	37
PID 2852 wrote to memory of 2728	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	38
PID 2852 wrote to memory of 2728	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	38
PID 2852 wrote to memory of 2728	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	38
PID 2852 wrote to memory of 2728	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	38
PID 2852 wrote to memory of 2808	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	39
PID 2852 wrote to memory of 2808	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	39
PID 2852 wrote to memory of 2808	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	39
PID 2852 wrote to memory of 2808	2852	{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe	39
PID 2728 wrote to memory of 2388	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	40
PID 2728 wrote to memory of 2388	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	40
PID 2728 wrote to memory of 2388	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	40
PID 2728 wrote to memory of 2388	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	40
PID 2728 wrote to memory of 592	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	41
PID 2728 wrote to memory of 592	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	41
PID 2728 wrote to memory of 592	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	41
PID 2728 wrote to memory of 592	2728	{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe	41
PID 2388 wrote to memory of 872	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	42
PID 2388 wrote to memory of 872	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	42
PID 2388 wrote to memory of 872	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	42
PID 2388 wrote to memory of 872	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	42
PID 2388 wrote to memory of 1628	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	43
PID 2388 wrote to memory of 1628	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	43
PID 2388 wrote to memory of 1628	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	43
PID 2388 wrote to memory of 1628	2388	{16A1844E-E248-45dc-A19C-7DD219739300}.exe	43
PID 872 wrote to memory of 2668	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	45
PID 872 wrote to memory of 2668	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	45
PID 872 wrote to memory of 2668	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	45
PID 872 wrote to memory of 2668	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	45
PID 872 wrote to memory of 2384	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	44
PID 872 wrote to memory of 2384	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	44
PID 872 wrote to memory of 2384	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	44
PID 872 wrote to memory of 2384	872	{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe	44

C:\Users\Admin\AppData\Local\Temp\3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
  C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
    C:\Windows\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
      C:\Windows\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
        
        C:\Windows\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
        
        C:\Windows\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{16A1844E-E248-45dc-A19C-7DD219739300}.exe
        
        C:\Windows\{16A1844E-E248-45dc-A19C-7DD219739300}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
        
        C:\Windows\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06E59~1.EXE > nul
        9⤵
        
        PID:2384
        
        C:\Windows\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
        
        C:\Windows\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
        
        C:\Windows\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe
        
        C:\Windows\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe
        
        C:\Windows\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D12E0~1.EXE > nul
        12⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB59~1.EXE > nul
        11⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3741C~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16A18~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C456~1.EXE > nul
        7⤵
        
        PID:592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0325A~1.EXE > nul
        6⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A8F~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29D5F~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A28B5~1.EXE > nul
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3F1BD3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe

Filesize
372KB

MD5
9919d37fe4ecbb4fa623689046407290

SHA1
9858ca828c3fa1410031d62f9b418dc8b54bb09d

SHA256
9a617f79fc6b86056d0ccf555ab4c0c1b39996a687b73ef695e2d464f56caa15

SHA512
376726c43936dd7dd25dc7680bed32bdeac49e2d0efc89c35668984fd72ca41eaee80ce1bdce1063d2289f0915166aaf02105032c4b9f6fd895dbe106c4cad54

Download Submit
C:\Windows\{0325A33E-F999-437e-92DE-76772E1C5BDD}.exe

Filesize
372KB

MD5
9919d37fe4ecbb4fa623689046407290

SHA1
9858ca828c3fa1410031d62f9b418dc8b54bb09d

SHA256
9a617f79fc6b86056d0ccf555ab4c0c1b39996a687b73ef695e2d464f56caa15

SHA512
376726c43936dd7dd25dc7680bed32bdeac49e2d0efc89c35668984fd72ca41eaee80ce1bdce1063d2289f0915166aaf02105032c4b9f6fd895dbe106c4cad54

Download Submit
C:\Windows\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe

Filesize
372KB

MD5
8e209acded8b8a8285e818a17dcb56af

SHA1
71daa8662daad148e7bc092a53da9a9ef8b6c61f

SHA256
8b196f282dda437016c915757fe349150eaa550b835464f7f822394b4632bbdb

SHA512
cdf29939ca79d5c5649a8f657b37a0a20af7aef20af5eb44f00351ad8fde0f6440c11d0fec21a2c2df1a6029942fc4c14deaa3823a33312a89afba02f301110f

Download Submit
C:\Windows\{06E59BDC-8820-4729-9052-99AAD22CD2FE}.exe

Filesize
372KB

MD5
8e209acded8b8a8285e818a17dcb56af

SHA1
71daa8662daad148e7bc092a53da9a9ef8b6c61f

SHA256
8b196f282dda437016c915757fe349150eaa550b835464f7f822394b4632bbdb

SHA512
cdf29939ca79d5c5649a8f657b37a0a20af7aef20af5eb44f00351ad8fde0f6440c11d0fec21a2c2df1a6029942fc4c14deaa3823a33312a89afba02f301110f

Download Submit
C:\Windows\{0F1170AA-AC0E-4d18-A72D-3F42B639DD0C}.exe

Filesize
372KB

MD5
ca2bbfe2c5aea06f3da02dc436bfbfad

SHA1
111b8cbdb0985f92f13f63f4c4d8eff83a92ebdf

SHA256
293cf606e78cea58f81718eb37170364055dac515bdb9acca9e0ce40ccbf876b

SHA512
22796e716c7ccb48d6cc72e3c67b89f215422f94977ddf1a6d4f5ec46a1504954aba15407b9308cb35ec085fea4212e72430fb146ccf8f6074ca9a6234997afc

Download Submit
C:\Windows\{16A1844E-E248-45dc-A19C-7DD219739300}.exe

Filesize
372KB

MD5
765582062dd00381c571357c5e3fd51a

SHA1
3a2e567a8237185f960c245807fbddc37e10bb59

SHA256
6d6ed4266fb32ebbc179f173975f0a7e62ca4e8d82b8c07cd4858eddbdbeff41

SHA512
dd689828b7d5a79cba62fac80022cb6d977857eb138b9a29f1fde442fe04e0f83154bf99c1924e26e15149f9faed8b6722e66664b8c2af5caf3101f980e6cd48

Download Submit
C:\Windows\{16A1844E-E248-45dc-A19C-7DD219739300}.exe

Filesize
372KB

MD5
765582062dd00381c571357c5e3fd51a

SHA1
3a2e567a8237185f960c245807fbddc37e10bb59

SHA256
6d6ed4266fb32ebbc179f173975f0a7e62ca4e8d82b8c07cd4858eddbdbeff41

SHA512
dd689828b7d5a79cba62fac80022cb6d977857eb138b9a29f1fde442fe04e0f83154bf99c1924e26e15149f9faed8b6722e66664b8c2af5caf3101f980e6cd48

Download Submit
C:\Windows\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe

Filesize
372KB

MD5
623f7c306085ad69c627aae4e75bec85

SHA1
e115a048519487696c46228e02c0d589eed13280

SHA256
3cd54d529a2f904033919d732871b193e93cfb8d18db51ef8d42d2f65ce1abaa

SHA512
2ee13977f1ee896dfbc1b9f48f34127e0f577a2f7dd1a6b0a0b3c2d375956ca2784f6e21451ee3f5a77559289afb0b7bb997d7eaaf026c4127f290a1219495a7

Download Submit
C:\Windows\{29D5F392-39FF-4535-A4FF-1242AC2789D0}.exe

Filesize
372KB

MD5
623f7c306085ad69c627aae4e75bec85

SHA1
e115a048519487696c46228e02c0d589eed13280

SHA256
3cd54d529a2f904033919d732871b193e93cfb8d18db51ef8d42d2f65ce1abaa

SHA512
2ee13977f1ee896dfbc1b9f48f34127e0f577a2f7dd1a6b0a0b3c2d375956ca2784f6e21451ee3f5a77559289afb0b7bb997d7eaaf026c4127f290a1219495a7

Download Submit
C:\Windows\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe

Filesize
372KB

MD5
69240e6b5feac8f2cdbf9de6e7a872db

SHA1
30221e440f959cfc7442c23eecc028305f6dc991

SHA256
07ca8ab18f620f04562c3fdb38b125f04e3b1cad1629937e5cbe94d068dc68be

SHA512
21eef0f33a55a2d0ee8f421b8dba65db836c5a177c90b049f712b9be341f505f99462cae467f007142cc3aa6c8709872d7bef7041508e1ba753d5f6d740e9234

Download Submit
C:\Windows\{3741C394-6AEC-45dc-BE67-D83B7007804C}.exe

Filesize
372KB

MD5
69240e6b5feac8f2cdbf9de6e7a872db

SHA1
30221e440f959cfc7442c23eecc028305f6dc991

SHA256
07ca8ab18f620f04562c3fdb38b125f04e3b1cad1629937e5cbe94d068dc68be

SHA512
21eef0f33a55a2d0ee8f421b8dba65db836c5a177c90b049f712b9be341f505f99462cae467f007142cc3aa6c8709872d7bef7041508e1ba753d5f6d740e9234

Download Submit
C:\Windows\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe

Filesize
372KB

MD5
07ba5e41d143b29b73d96645677ac868

SHA1
c0aed7aa15b403a0e12688f7cfe822dab286a9ec

SHA256
3c6e1061c128dbfb00bca88dd7ee376de28013a6276b64ca563aac82266e3a15

SHA512
7f3fab364f0ba62a92b208147413096e537189161b35c69ce0016c68c5ac1a70e59e3dac8642f606086ccf454b3b97e76973b09af0d99f7089dc13c1685f2795

Download Submit
C:\Windows\{3C456404-C612-4b8e-A9AC-5E1DABE8AA61}.exe

Filesize
372KB

MD5
07ba5e41d143b29b73d96645677ac868

SHA1
c0aed7aa15b403a0e12688f7cfe822dab286a9ec

SHA256
3c6e1061c128dbfb00bca88dd7ee376de28013a6276b64ca563aac82266e3a15

SHA512
7f3fab364f0ba62a92b208147413096e537189161b35c69ce0016c68c5ac1a70e59e3dac8642f606086ccf454b3b97e76973b09af0d99f7089dc13c1685f2795

Download Submit
C:\Windows\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe

Filesize
372KB

MD5
3a0078e6a7ceb308a5e0649061f45d78

SHA1
dc0e9ce2a846d2c9501396538faca64a63fd1c99

SHA256
cbb1814cfac7389d6257afc94c48e9e5de483d5b077ef0866b6fefc77256143c

SHA512
1ee223c4c270d9ce174b6cbd839a6e1c85969c12fcb5115ef738f7f93a07312de3e5e502219872a3fdeba541f342cc2baff712db3e7c8fa31587c433d1d4ba7a

Download Submit
C:\Windows\{6EB5904F-5FC9-4e3d-A94C-040A18BA57C5}.exe

Filesize
372KB

MD5
3a0078e6a7ceb308a5e0649061f45d78

SHA1
dc0e9ce2a846d2c9501396538faca64a63fd1c99

SHA256
cbb1814cfac7389d6257afc94c48e9e5de483d5b077ef0866b6fefc77256143c

SHA512
1ee223c4c270d9ce174b6cbd839a6e1c85969c12fcb5115ef738f7f93a07312de3e5e502219872a3fdeba541f342cc2baff712db3e7c8fa31587c433d1d4ba7a

Download Submit
C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe

Filesize
372KB

MD5
9e152e5611a892309c1752bbef2d9cfe

SHA1
ddc53d456ae48237fcd61fbef98e7a950271b88b

SHA256
0ae347857d549efde817208ad86e617006cf1403c53e72194579fbe4245754dc

SHA512
506646d2633c2a3d902a2a55a0c4df6bbf127473cc97fa3dea6755d62ed3464889bc5c491651745c69432e7a0222cded690a4d6dc38a92d5c622df7e5017e53c

Download Submit
C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe

Filesize
372KB

MD5
9e152e5611a892309c1752bbef2d9cfe

SHA1
ddc53d456ae48237fcd61fbef98e7a950271b88b

SHA256
0ae347857d549efde817208ad86e617006cf1403c53e72194579fbe4245754dc

SHA512
506646d2633c2a3d902a2a55a0c4df6bbf127473cc97fa3dea6755d62ed3464889bc5c491651745c69432e7a0222cded690a4d6dc38a92d5c622df7e5017e53c

Download Submit
C:\Windows\{A28B5E4F-E4EB-436a-B296-05B9047B0861}.exe

Filesize
372KB

MD5
9e152e5611a892309c1752bbef2d9cfe

SHA1
ddc53d456ae48237fcd61fbef98e7a950271b88b

SHA256
0ae347857d549efde817208ad86e617006cf1403c53e72194579fbe4245754dc

SHA512
506646d2633c2a3d902a2a55a0c4df6bbf127473cc97fa3dea6755d62ed3464889bc5c491651745c69432e7a0222cded690a4d6dc38a92d5c622df7e5017e53c

Download Submit
C:\Windows\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe

Filesize
372KB

MD5
197d5303fe257a157b24f10470eb96ce

SHA1
fd4453b3e95cc2364ee11fe3f59debdde5582d1e

SHA256
f60d00f95cca65b07ac789d19094045900ed909068a7c25d69a6610f2cc8360a

SHA512
5bb7389d0902aada14d8fb85b8ea1f55bc7d3896a1b5e3fea15078e51114fbbf0830f1aae2573b49f35d68d7449c523e24d42145cbff8f80be857116098cc62d

Download Submit
C:\Windows\{C0A8F2D9-E6F4-4459-84FC-E9B63AD10B25}.exe

Filesize
372KB

MD5
197d5303fe257a157b24f10470eb96ce

SHA1
fd4453b3e95cc2364ee11fe3f59debdde5582d1e

SHA256
f60d00f95cca65b07ac789d19094045900ed909068a7c25d69a6610f2cc8360a

SHA512
5bb7389d0902aada14d8fb85b8ea1f55bc7d3896a1b5e3fea15078e51114fbbf0830f1aae2573b49f35d68d7449c523e24d42145cbff8f80be857116098cc62d

Download Submit
C:\Windows\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe

Filesize
372KB

MD5
d1ae044287b0302b536d55f031c34e22

SHA1
e845b91e60457deb1bcd41752dded0716b0c12c3

SHA256
74b8be21ed4ef9577e5041d482da7e672070fdab4ee0e226ceb4fd4bd24e7f4c

SHA512
8bbe1d59b501fe6ddc45f3a7f6abc4b83fac67e7fc71e5122f04c16ff1a5a810298e05786952c825b56f7a83647b514df281d41d0e0367efa176dd8f8ede15d1

Download Submit
C:\Windows\{D12E0D3D-D8D1-4320-828F-539C38852EAE}.exe

Filesize
372KB

MD5
d1ae044287b0302b536d55f031c34e22

SHA1
e845b91e60457deb1bcd41752dded0716b0c12c3

SHA256
74b8be21ed4ef9577e5041d482da7e672070fdab4ee0e226ceb4fd4bd24e7f4c

SHA512
8bbe1d59b501fe6ddc45f3a7f6abc4b83fac67e7fc71e5122f04c16ff1a5a810298e05786952c825b56f7a83647b514df281d41d0e0367efa176dd8f8ede15d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads