43f4eb673f818a9033d80838793d8fceb9e82358a2d8f23d7a49d198b298dd30

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-08-2023 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Size

204KB
MD5

4e3a4dab1107babb8a340e5929eef324
SHA1

eb31afff833bdaad03332d1c3d60a3dc01fa1144
SHA256

43f4eb673f818a9033d80838793d8fceb9e82358a2d8f23d7a49d198b298dd30
SHA512

1d8c082710be88407b2557ac86ae37e49cb5ca740c1ae4c83ff219861b36b1eeb80b882c5488c4095b53417d09a921507758ccdc4127d91e24f9fddbff4df78f
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}\stubpath = "C:\\Windows\\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe"	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A2E0793-E71A-401f-9101-E18FC75A8E09}	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C63B27-5E87-42ed-943B-722E7E84B134}\stubpath = "C:\\Windows\\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe"	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49CFD33-931F-46ae-830E-280AC1D52FB8}	{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}	{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}\stubpath = "C:\\Windows\\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe"	{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F49CFD33-931F-46ae-830E-280AC1D52FB8}\stubpath = "C:\\Windows\\{F49CFD33-931F-46ae-830E-280AC1D52FB8}.exe"	{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A2E0793-E71A-401f-9101-E18FC75A8E09}\stubpath = "C:\\Windows\\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe"	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D11A3D2-9807-4217-A541-4850F97AFE57}	{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D11A3D2-9807-4217-A541-4850F97AFE57}\stubpath = "C:\\Windows\\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe"	{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EFB801E-833F-40f2-AC2F-0930E53E9546}\stubpath = "C:\\Windows\\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe"	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}\stubpath = "C:\\Windows\\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe"	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}\stubpath = "C:\\Windows\\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe"	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C373F3-B231-45fe-9913-39A35F4A72E1}	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}	{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}\stubpath = "C:\\Windows\\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe"	{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EFB801E-833F-40f2-AC2F-0930E53E9546}	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}\stubpath = "C:\\Windows\\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe"	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C63B27-5E87-42ed-943B-722E7E84B134}	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C373F3-B231-45fe-9913-39A35F4A72E1}\stubpath = "C:\\Windows\\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe"	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe

Deletes itself 1 IoCs

pid	Process
788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
2180	{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
1984	{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
1244	{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
2904	{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
File created	C:\Windows\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
File created	C:\Windows\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe	{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
File created	C:\Windows\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe	{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
File created	C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
File created	C:\Windows\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
File created	C:\Windows\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
File created	C:\Windows\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
File created	C:\Windows\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe	{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
File created	C:\Windows\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
File created	C:\Windows\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
Token: SeIncBasePriorityPrivilege	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
Token: SeIncBasePriorityPrivilege	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
Token: SeIncBasePriorityPrivilege	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
Token: SeIncBasePriorityPrivilege	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
Token: SeIncBasePriorityPrivilege	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
Token: SeIncBasePriorityPrivilege	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
Token: SeIncBasePriorityPrivilege	2180	{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
Token: SeIncBasePriorityPrivilege	1984	{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
Token: SeIncBasePriorityPrivilege	1244	{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2380	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2380	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2380	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2380	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	28
PID 2500 wrote to memory of 788	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	29
PID 2500 wrote to memory of 788	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	29
PID 2500 wrote to memory of 788	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	29
PID 2500 wrote to memory of 788	2500	4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe	29
PID 2380 wrote to memory of 2300	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	32
PID 2380 wrote to memory of 2300	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	32
PID 2380 wrote to memory of 2300	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	32
PID 2380 wrote to memory of 2300	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	32
PID 2380 wrote to memory of 2712	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	33
PID 2380 wrote to memory of 2712	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	33
PID 2380 wrote to memory of 2712	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	33
PID 2380 wrote to memory of 2712	2380	{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe	33
PID 2300 wrote to memory of 3016	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	34
PID 2300 wrote to memory of 3016	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	34
PID 2300 wrote to memory of 3016	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	34
PID 2300 wrote to memory of 3016	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	34
PID 2300 wrote to memory of 2876	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	35
PID 2300 wrote to memory of 2876	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	35
PID 2300 wrote to memory of 2876	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	35
PID 2300 wrote to memory of 2876	2300	{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe	35
PID 3016 wrote to memory of 1196	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	36
PID 3016 wrote to memory of 1196	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	36
PID 3016 wrote to memory of 1196	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	36
PID 3016 wrote to memory of 1196	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	36
PID 3016 wrote to memory of 3012	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	37
PID 3016 wrote to memory of 3012	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	37
PID 3016 wrote to memory of 3012	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	37
PID 3016 wrote to memory of 3012	3016	{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe	37
PID 1196 wrote to memory of 2724	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	38
PID 1196 wrote to memory of 2724	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	38
PID 1196 wrote to memory of 2724	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	38
PID 1196 wrote to memory of 2724	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	38
PID 1196 wrote to memory of 1936	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	39
PID 1196 wrote to memory of 1936	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	39
PID 1196 wrote to memory of 1936	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	39
PID 1196 wrote to memory of 1936	1196	{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe	39
PID 2724 wrote to memory of 2432	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	40
PID 2724 wrote to memory of 2432	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	40
PID 2724 wrote to memory of 2432	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	40
PID 2724 wrote to memory of 2432	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	40
PID 2724 wrote to memory of 2068	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	41
PID 2724 wrote to memory of 2068	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	41
PID 2724 wrote to memory of 2068	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	41
PID 2724 wrote to memory of 2068	2724	{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe	41
PID 2432 wrote to memory of 1408	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	42
PID 2432 wrote to memory of 1408	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	42
PID 2432 wrote to memory of 1408	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	42
PID 2432 wrote to memory of 1408	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	42
PID 2432 wrote to memory of 1152	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	43
PID 2432 wrote to memory of 1152	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	43
PID 2432 wrote to memory of 1152	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	43
PID 2432 wrote to memory of 1152	2432	{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe	43
PID 1408 wrote to memory of 2180	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	45
PID 1408 wrote to memory of 2180	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	45
PID 1408 wrote to memory of 2180	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	45
PID 1408 wrote to memory of 2180	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	45
PID 1408 wrote to memory of 3040	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	44
PID 1408 wrote to memory of 3040	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	44
PID 1408 wrote to memory of 3040	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	44
PID 1408 wrote to memory of 3040	1408	{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe	44

C:\Users\Admin\AppData\Local\Temp\4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4e3a4dab1107babb8a340e5929eef324_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
  C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
    C:\Windows\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
      C:\Windows\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
        
        C:\Windows\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
        
        C:\Windows\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
        
        C:\Windows\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
        
        C:\Windows\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDF87~1.EXE > nul
        9⤵
        
        PID:3040
        
        C:\Windows\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
        
        C:\Windows\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
        
        C:\Windows\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
        
        C:\Windows\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe
        
        C:\Windows\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{918A4~1.EXE > nul
        12⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D11A~1.EXE > nul
        11⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12C37~1.EXE > nul
        10⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C63~1.EXE > nul
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F84B~1.EXE > nul
        7⤵
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BF18~1.EXE > nul
        6⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A2E0~1.EXE > nul
        5⤵
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EFB8~1.EXE > nul
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{621DE~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4E3A4D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe

Filesize
204KB

MD5
d8650eccb591982d53d9dca4370060f2

SHA1
a3eae5b071982e749b49025ee2a97fa1348fe4fa

SHA256
948ba4572b33f3d277c9c70b7c7945e2f3250bce19d8fc100367e39bf68f1a65

SHA512
5988affdada1f611de35a4c919eff77a66b2525bff640920ac26cb1ed75e9fbc435bbb5f9f03676c66d55a12ff0bc3279be18c3475f5df0d8d4c1fbfeb55607e

Download Submit
C:\Windows\{0BF182A6-752F-4fcd-A9FD-56C3E4B842B8}.exe

Filesize
204KB

MD5
d8650eccb591982d53d9dca4370060f2

SHA1
a3eae5b071982e749b49025ee2a97fa1348fe4fa

SHA256
948ba4572b33f3d277c9c70b7c7945e2f3250bce19d8fc100367e39bf68f1a65

SHA512
5988affdada1f611de35a4c919eff77a66b2525bff640920ac26cb1ed75e9fbc435bbb5f9f03676c66d55a12ff0bc3279be18c3475f5df0d8d4c1fbfeb55607e

Download Submit
C:\Windows\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe

Filesize
204KB

MD5
232aa86e947537cb0f93b77645ff4106

SHA1
ceb53b22127aa338bdc800ff074b9428157cb156

SHA256
fdc6101e63940443486638f709eebfcfc83a76243916e647abc148dc5dc9b425

SHA512
9343a2829953e654ebca3c9bf99dacf59bf06e826e215e4f3b42f0f8d363c583fdcd2f67a7d32cd75d838a1599426a5fa8fb931ac671dc2ce33d935d832e3d31

Download Submit
C:\Windows\{12C373F3-B231-45fe-9913-39A35F4A72E1}.exe

Filesize
204KB

MD5
232aa86e947537cb0f93b77645ff4106

SHA1
ceb53b22127aa338bdc800ff074b9428157cb156

SHA256
fdc6101e63940443486638f709eebfcfc83a76243916e647abc148dc5dc9b425

SHA512
9343a2829953e654ebca3c9bf99dacf59bf06e826e215e4f3b42f0f8d363c583fdcd2f67a7d32cd75d838a1599426a5fa8fb931ac671dc2ce33d935d832e3d31

Download Submit
C:\Windows\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe

Filesize
204KB

MD5
126473ac41e6bc927753f8b1839cc7a3

SHA1
c079660161b11e8f99162b95c28732a78d5b4eb9

SHA256
c93fc90b53c01332b5a1747f1624a8586b45497afd29ac88bcc1eb690b20b14c

SHA512
a4a62fb34fa45adc7e5dcb308e5f4ff627ac5145cdccb52a7dce5cc62d2f2811e33d97040a5964eb2028043144a2c833e8b895eb6254c1252ca3c511e8a4539b

Download Submit
C:\Windows\{1EFB801E-833F-40f2-AC2F-0930E53E9546}.exe

Filesize
204KB

MD5
126473ac41e6bc927753f8b1839cc7a3

SHA1
c079660161b11e8f99162b95c28732a78d5b4eb9

SHA256
c93fc90b53c01332b5a1747f1624a8586b45497afd29ac88bcc1eb690b20b14c

SHA512
a4a62fb34fa45adc7e5dcb308e5f4ff627ac5145cdccb52a7dce5cc62d2f2811e33d97040a5964eb2028043144a2c833e8b895eb6254c1252ca3c511e8a4539b

Download Submit
C:\Windows\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe

Filesize
204KB

MD5
704b7c0f9373a7514acd17b5714c560c

SHA1
6212c4935a45ccc4d15d64ce3b4e3cca654fd4f9

SHA256
de3b1790a10b373a088d9ee7d0fb372ae53a7959f1ffe00ea037dc896620d001

SHA512
a1ccacd841b9c4a84d60e1b1096b516a49cf8a10557040773e9d160b99fb54451e30bea4fcfccb3eda0f241156a076a242806a280ce608a1b96326e2e660dc3c

Download Submit
C:\Windows\{5A2E0793-E71A-401f-9101-E18FC75A8E09}.exe

Filesize
204KB

MD5
704b7c0f9373a7514acd17b5714c560c

SHA1
6212c4935a45ccc4d15d64ce3b4e3cca654fd4f9

SHA256
de3b1790a10b373a088d9ee7d0fb372ae53a7959f1ffe00ea037dc896620d001

SHA512
a1ccacd841b9c4a84d60e1b1096b516a49cf8a10557040773e9d160b99fb54451e30bea4fcfccb3eda0f241156a076a242806a280ce608a1b96326e2e660dc3c

Download Submit
C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe

Filesize
204KB

MD5
3977ae2c4bf0a73bbb16d3d57f5e6f40

SHA1
534b33ec2309c33a54268008028ffbe806f11857

SHA256
73756c9efc1a9950f9180deee34386ac2f4a207410c138625155619ec36b90bc

SHA512
4047f21bc06a24da16e6cedb8165d9fb249b9816df506cf011e72d8e459e3187da19c3bc14c4af0c1b4d5029bc6f80e367e7718369a223d297f387d7172aad97

Download Submit
C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe

Filesize
204KB

MD5
3977ae2c4bf0a73bbb16d3d57f5e6f40

SHA1
534b33ec2309c33a54268008028ffbe806f11857

SHA256
73756c9efc1a9950f9180deee34386ac2f4a207410c138625155619ec36b90bc

SHA512
4047f21bc06a24da16e6cedb8165d9fb249b9816df506cf011e72d8e459e3187da19c3bc14c4af0c1b4d5029bc6f80e367e7718369a223d297f387d7172aad97

Download Submit
C:\Windows\{621DEFA5-AB7E-49c5-8C78-F7ED27922862}.exe

Filesize
204KB

MD5
3977ae2c4bf0a73bbb16d3d57f5e6f40

SHA1
534b33ec2309c33a54268008028ffbe806f11857

SHA256
73756c9efc1a9950f9180deee34386ac2f4a207410c138625155619ec36b90bc

SHA512
4047f21bc06a24da16e6cedb8165d9fb249b9816df506cf011e72d8e459e3187da19c3bc14c4af0c1b4d5029bc6f80e367e7718369a223d297f387d7172aad97

Download Submit
C:\Windows\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe

Filesize
204KB

MD5
935f749bba07fb41bd29b456afb46cda

SHA1
dc43bd995db1a18c63accf2b516ca930adb4ba66

SHA256
163ab69026e1bc789abe0bc8179c9e990c69cc1e668be31221022699c4b8d4aa

SHA512
299eb17a9ed3a0464ff4fa8d2f1a3a71afd06a9f7b802b5d3fc9f78775532c6ba22b789e8aa54492c03a876389d38d0ef9fb4f4b850b02e81f22179d7b896ea8

Download Submit
C:\Windows\{718CC33B-3CA2-4898-AC3D-A8043DC64F8F}.exe

Filesize
103KB

MD5
ce050f8a7dc4e3bac98d3b577d8563ac

SHA1
730332ffc8ef16fcbcde15509e12c3b37ab6ee4c

SHA256
549d8daeb1e6e2e67baca6ae7ebd6ea2c5b44e84d7e605fe3032a92956a504cd

SHA512
4b4ea03eedf39564d9a2f931f97a54dea06d5216dac7b3de7060c7e869a7bc3f381349de5d688f4ea3ed53c3c992df8931bed0071d7e45425118cad039856436

Download Submit
C:\Windows\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe

Filesize
204KB

MD5
b11cda2769ccfaf5067492d5722c7b71

SHA1
357d9351d3077f111ccd693a35c2479dc62f50b8

SHA256
92c9cee5a7bc87aa77e00fa3426cdcfdf99d16da8e84fb05d5731df7b01f8401

SHA512
e3669c536494d8937d2754053c4862299f79b7a6e7eb96604f05124707c21de876ab78bbbaeb04d4a396a3935e3abcbc65af1efa9d008492c03c06f47de85b0f

Download Submit
C:\Windows\{7D11A3D2-9807-4217-A541-4850F97AFE57}.exe

Filesize
204KB

MD5
b11cda2769ccfaf5067492d5722c7b71

SHA1
357d9351d3077f111ccd693a35c2479dc62f50b8

SHA256
92c9cee5a7bc87aa77e00fa3426cdcfdf99d16da8e84fb05d5731df7b01f8401

SHA512
e3669c536494d8937d2754053c4862299f79b7a6e7eb96604f05124707c21de876ab78bbbaeb04d4a396a3935e3abcbc65af1efa9d008492c03c06f47de85b0f

Download Submit
C:\Windows\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe

Filesize
204KB

MD5
5a56c68dd4e5091a9c0023445ee49f2c

SHA1
1417ec08d834e093633c3d2073d78939165f0887

SHA256
22763c6e6f9e80aa2652148e633443de972351d446735d5f349b544b4068d98b

SHA512
9b7d54f2b9c519569948a99f7db69d646c66f3aae679b4d03e2c6096399c43728942b1f9e5d5372be0c4485e7909419cf7a2c2c3e7d18c67a03bed01a0ba988a

Download Submit
C:\Windows\{8F84BF2B-8508-46c9-9EAC-B62DC147C165}.exe

Filesize
204KB

MD5
5a56c68dd4e5091a9c0023445ee49f2c

SHA1
1417ec08d834e093633c3d2073d78939165f0887

SHA256
22763c6e6f9e80aa2652148e633443de972351d446735d5f349b544b4068d98b

SHA512
9b7d54f2b9c519569948a99f7db69d646c66f3aae679b4d03e2c6096399c43728942b1f9e5d5372be0c4485e7909419cf7a2c2c3e7d18c67a03bed01a0ba988a

Download Submit
C:\Windows\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe

Filesize
204KB

MD5
1d62ed2f835bbed30e0006e20171e4f7

SHA1
717e5ad008cabf463a8468a1f1fc84435f26065c

SHA256
6f29fb4c3ebd61ea4bc0a009a2812f3cc3beb2306bfb598dde99170fe16e2544

SHA512
afa103ea597222323355e7650e39a826b4537f4a447f40f2fb3a6ca81aa8e513ffb9afb2c56d8e1978df7cd53fdc6103267f9b615d5f3bd1a01c436c57483918

Download Submit
C:\Windows\{918A4E3D-B2FC-413d-9C48-55F58FA6C144}.exe

Filesize
204KB

MD5
1d62ed2f835bbed30e0006e20171e4f7

SHA1
717e5ad008cabf463a8468a1f1fc84435f26065c

SHA256
6f29fb4c3ebd61ea4bc0a009a2812f3cc3beb2306bfb598dde99170fe16e2544

SHA512
afa103ea597222323355e7650e39a826b4537f4a447f40f2fb3a6ca81aa8e513ffb9afb2c56d8e1978df7cd53fdc6103267f9b615d5f3bd1a01c436c57483918

Download Submit
C:\Windows\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe

Filesize
204KB

MD5
c609fd00020fda0f7d9ca5d4685ad870

SHA1
1ebf343a8b9d00dea03b0455b9bcd84ed5c4ba3e

SHA256
a678f04200d3db26bdf78484c7d176893674111504080b9c3e45bf5ced484ef5

SHA512
e9d7a7e054cc77a59cd4984be5ed4d5ebd85bd62acdb60fc3882c63d1f11382b80f024becf9a5b68f45f624ca8044d4becfa5aaf333aa395aaa02463d4d9834b

Download Submit
C:\Windows\{E1C63B27-5E87-42ed-943B-722E7E84B134}.exe

Filesize
204KB

MD5
c609fd00020fda0f7d9ca5d4685ad870

SHA1
1ebf343a8b9d00dea03b0455b9bcd84ed5c4ba3e

SHA256
a678f04200d3db26bdf78484c7d176893674111504080b9c3e45bf5ced484ef5

SHA512
e9d7a7e054cc77a59cd4984be5ed4d5ebd85bd62acdb60fc3882c63d1f11382b80f024becf9a5b68f45f624ca8044d4becfa5aaf333aa395aaa02463d4d9834b

Download Submit
C:\Windows\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe

Filesize
204KB

MD5
f227ecf3e40981cca58b8c33f6501c76

SHA1
fc103b0404809afb131d62ef0e0ea51b42fce89c

SHA256
86bd42ca6798395460ea1bc2b7663a09825a96240120f1d2bd7dc31b33c4a645

SHA512
db8942fffae55a868288cab5fab20ecf3208150102f58241f13508175f72ac43e705f086971ee4353cc7ae9a4770cd703f3e4cb158817ade7ed1afe42bb5d5d1

Download Submit
C:\Windows\{EDF8706F-3CB0-4680-990D-20AD3CF31F5D}.exe

Filesize
204KB

MD5
f227ecf3e40981cca58b8c33f6501c76

SHA1
fc103b0404809afb131d62ef0e0ea51b42fce89c

SHA256
86bd42ca6798395460ea1bc2b7663a09825a96240120f1d2bd7dc31b33c4a645

SHA512
db8942fffae55a868288cab5fab20ecf3208150102f58241f13508175f72ac43e705f086971ee4353cc7ae9a4770cd703f3e4cb158817ade7ed1afe42bb5d5d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads