6f6690d7e9f1bb92bddca248ca3500463b8aa5553b915731af125e09bb4c498f

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23-08-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Size

372KB
MD5

7c43335739fb8f4af0dd457fd57dee84
SHA1

7dc8928a02b3af1f0baab6507944fa6c04a69295
SHA256

6f6690d7e9f1bb92bddca248ca3500463b8aa5553b915731af125e09bb4c498f
SHA512

24128d9349e88602ef7b828043ea70192c89eae123c1e6e37c13c6fd0e53642e2fd3616a189cded02a2f52034686cec5ff770ec9f6e92fafc8163a188298fa4c
SSDEEP

3072:CEGh0onmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CA86499-0B09-4bef-BB3D-63278A9A8326}	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}	{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}	{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}\stubpath = "C:\\Windows\\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe"	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D00C027B-A192-486e-A297-84ECA2B382D4}	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F63CCBC-3824-4389-A1B9-100A2704C570}	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}\stubpath = "C:\\Windows\\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe"	{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB6276B6-FE13-407a-93D4-20B82D13695D}	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB6276B6-FE13-407a-93D4-20B82D13695D}\stubpath = "C:\\Windows\\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe"	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CA86499-0B09-4bef-BB3D-63278A9A8326}\stubpath = "C:\\Windows\\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe"	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521C0189-7089-4d17-B742-1AEE9BB95A25}	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}	{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}\stubpath = "C:\\Windows\\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe"	{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}\stubpath = "C:\\Windows\\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe"	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D00C027B-A192-486e-A297-84ECA2B382D4}\stubpath = "C:\\Windows\\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe"	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}\stubpath = "C:\\Windows\\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe"	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{521C0189-7089-4d17-B742-1AEE9BB95A25}\stubpath = "C:\\Windows\\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe"	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}\stubpath = "C:\\Windows\\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe"	{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F63CCBC-3824-4389-A1B9-100A2704C570}\stubpath = "C:\\Windows\\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe"	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe

Deletes itself 1 IoCs

pid	Process
2364	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
2668	{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
2956	{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
1964	{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
2948	{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
File created	C:\Windows\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
File created	C:\Windows\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
File created	C:\Windows\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
File created	C:\Windows\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe	{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
File created	C:\Windows\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe	{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
File created	C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
File created	C:\Windows\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
File created	C:\Windows\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe	{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
File created	C:\Windows\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
File created	C:\Windows\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
Token: SeIncBasePriorityPrivilege	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
Token: SeIncBasePriorityPrivilege	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
Token: SeIncBasePriorityPrivilege	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
Token: SeIncBasePriorityPrivilege	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
Token: SeIncBasePriorityPrivilege	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
Token: SeIncBasePriorityPrivilege	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
Token: SeIncBasePriorityPrivilege	2668	{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
Token: SeIncBasePriorityPrivilege	2956	{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
Token: SeIncBasePriorityPrivilege	1964	{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2972	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	28
PID 1412 wrote to memory of 2972	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	28
PID 1412 wrote to memory of 2972	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	28
PID 1412 wrote to memory of 2972	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	28
PID 1412 wrote to memory of 2364	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2364	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2364	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2364	1412	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	29
PID 2972 wrote to memory of 2928	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	32
PID 2972 wrote to memory of 2928	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	32
PID 2972 wrote to memory of 2928	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	32
PID 2972 wrote to memory of 2928	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	32
PID 2972 wrote to memory of 2932	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	33
PID 2972 wrote to memory of 2932	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	33
PID 2972 wrote to memory of 2932	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	33
PID 2972 wrote to memory of 2932	2972	{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe	33
PID 2928 wrote to memory of 2128	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	34
PID 2928 wrote to memory of 2128	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	34
PID 2928 wrote to memory of 2128	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	34
PID 2928 wrote to memory of 2128	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	34
PID 2928 wrote to memory of 3020	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	35
PID 2928 wrote to memory of 3020	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	35
PID 2928 wrote to memory of 3020	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	35
PID 2928 wrote to memory of 3020	2928	{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe	35
PID 2128 wrote to memory of 2852	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	36
PID 2128 wrote to memory of 2852	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	36
PID 2128 wrote to memory of 2852	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	36
PID 2128 wrote to memory of 2852	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	36
PID 2128 wrote to memory of 2684	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	37
PID 2128 wrote to memory of 2684	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	37
PID 2128 wrote to memory of 2684	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	37
PID 2128 wrote to memory of 2684	2128	{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe	37
PID 2852 wrote to memory of 2716	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	38
PID 2852 wrote to memory of 2716	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	38
PID 2852 wrote to memory of 2716	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	38
PID 2852 wrote to memory of 2716	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	38
PID 2852 wrote to memory of 2764	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	39
PID 2852 wrote to memory of 2764	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	39
PID 2852 wrote to memory of 2764	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	39
PID 2852 wrote to memory of 2764	2852	{D00C027B-A192-486e-A297-84ECA2B382D4}.exe	39
PID 2716 wrote to memory of 1096	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	40
PID 2716 wrote to memory of 1096	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	40
PID 2716 wrote to memory of 1096	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	40
PID 2716 wrote to memory of 1096	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	40
PID 2716 wrote to memory of 524	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	41
PID 2716 wrote to memory of 524	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	41
PID 2716 wrote to memory of 524	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	41
PID 2716 wrote to memory of 524	2716	{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe	41
PID 1096 wrote to memory of 872	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	42
PID 1096 wrote to memory of 872	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	42
PID 1096 wrote to memory of 872	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	42
PID 1096 wrote to memory of 872	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	42
PID 1096 wrote to memory of 1628	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	43
PID 1096 wrote to memory of 1628	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	43
PID 1096 wrote to memory of 1628	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	43
PID 1096 wrote to memory of 1628	1096	{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe	43
PID 872 wrote to memory of 2668	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	44
PID 872 wrote to memory of 2668	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	44
PID 872 wrote to memory of 2668	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	44
PID 872 wrote to memory of 2668	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	44
PID 872 wrote to memory of 2384	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	45
PID 872 wrote to memory of 2384	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	45
PID 872 wrote to memory of 2384	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	45
PID 872 wrote to memory of 2384	872	{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe	45

C:\Users\Admin\AppData\Local\Temp\7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
  C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
    C:\Windows\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
      C:\Windows\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
        
        C:\Windows\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
        
        C:\Windows\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
        
        C:\Windows\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
        
        C:\Windows\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
        
        C:\Windows\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
        
        C:\Windows\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
        
        C:\Windows\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe
        
        C:\Windows\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe
        12⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DCC8~1.EXE > nul
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CE7~1.EXE > nul
        11⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{521C0~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CA86~1.EXE > nul
        9⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB627~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71D22~1.EXE > nul
        7⤵
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D00C0~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F63C~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FF3FC~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2025~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7C4333~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F3A2027-ABCA-474c-9A7E-9F3E442C9965}.exe

Filesize
372KB

MD5
e56d517c0466234f361bbb51bf1b7a76

SHA1
93996dcaad9d08e431158e0bb48fbe62f70c7b02

SHA256
47fa86048c49e7671aae8045e0e684cf09e824875813015a3af6cd799af80ff7

SHA512
006dddd8fbf9cc8a314ac14d4766f00ba50fbc32835b1e22d55c5fd0083e2ab821a16388cd950d47b20fee11af5f0f59f41c8c24652aa4174a345ffd2c7e3b2c

Download Submit
C:\Windows\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe

Filesize
372KB

MD5
5e440be7b92782addec2e0725ee2ac90

SHA1
a12963ca5e55ddf4902e99d987499c50cb595ced

SHA256
a41617460d5e16cda6906feb7850de3f5900f7f3b86d0f842acf722f07ae2d54

SHA512
673145cfd59f50ad7c58ed4c9400f8b1d43de3ac5d82d17eaeb6c96ec5d3bf03f90a962550880beec90742f9b4e0f2ebcd632e6cc026e426f030cbaedfcc509a

Download Submit
C:\Windows\{521C0189-7089-4d17-B742-1AEE9BB95A25}.exe

Filesize
372KB

MD5
5e440be7b92782addec2e0725ee2ac90

SHA1
a12963ca5e55ddf4902e99d987499c50cb595ced

SHA256
a41617460d5e16cda6906feb7850de3f5900f7f3b86d0f842acf722f07ae2d54

SHA512
673145cfd59f50ad7c58ed4c9400f8b1d43de3ac5d82d17eaeb6c96ec5d3bf03f90a962550880beec90742f9b4e0f2ebcd632e6cc026e426f030cbaedfcc509a

Download Submit
C:\Windows\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe

Filesize
372KB

MD5
f210e45fe0153b389457d799f1a1cb3f

SHA1
5804a022e4df9a621b44e19ed2eff9d737bb259a

SHA256
230a338510f797c3747785aad7644b2748c14747ed8effe6f4273b8f5119fbfa

SHA512
f8c856db1fb3ad5f88626f1f214bd91b0c028dda5f4552fc600f02cd28f329ea06c97ae34f7ef822ed7e8e9934e13ab5db4513375f5c4a8d09b0be588af0e248

Download Submit
C:\Windows\{5CA86499-0B09-4bef-BB3D-63278A9A8326}.exe

Filesize
372KB

MD5
f210e45fe0153b389457d799f1a1cb3f

SHA1
5804a022e4df9a621b44e19ed2eff9d737bb259a

SHA256
230a338510f797c3747785aad7644b2748c14747ed8effe6f4273b8f5119fbfa

SHA512
f8c856db1fb3ad5f88626f1f214bd91b0c028dda5f4552fc600f02cd28f329ea06c97ae34f7ef822ed7e8e9934e13ab5db4513375f5c4a8d09b0be588af0e248

Download Submit
C:\Windows\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe

Filesize
372KB

MD5
2031273b19d3fc24544997403cc00470

SHA1
2afa778e6cdd4d36bc67088a7e1c32044746ab8d

SHA256
b365a2f3158bf1e9650028630f60bd566f63ed92dc037cb1effc039682a1253e

SHA512
365f6a5a0d42130ad5dddb1f011bac74ec2ff0603efa7cc628d564d6f235953653a13c57ac7c6a543094a9b6bace30e46839fca5c10be318f0982a786cff495b

Download Submit
C:\Windows\{71D22C5A-1EAA-4bfe-8212-C9506EB69C80}.exe

Filesize
372KB

MD5
2031273b19d3fc24544997403cc00470

SHA1
2afa778e6cdd4d36bc67088a7e1c32044746ab8d

SHA256
b365a2f3158bf1e9650028630f60bd566f63ed92dc037cb1effc039682a1253e

SHA512
365f6a5a0d42130ad5dddb1f011bac74ec2ff0603efa7cc628d564d6f235953653a13c57ac7c6a543094a9b6bace30e46839fca5c10be318f0982a786cff495b

Download Submit
C:\Windows\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe

Filesize
372KB

MD5
9726e5a0c1a9096b7ce955819f641582

SHA1
b6538edcb0b4d11c6ab5f4796c00516ceff839ba

SHA256
c8b9a089d6b0e30698fb580e55a3b83c91127cde68bf6405aa125efc98e30b1d

SHA512
96bd9fe6112b76faac7a1879bda50430e6c1423bc0ffc63bbc07e0628f8bf69ba65adbec8738fa946366f5b4952038ff083e2a6eb9fea1057da17e1b2f4c2ff0

Download Submit
C:\Windows\{7DCC85C8-0ED1-4efd-93A2-427E88968B71}.exe

Filesize
372KB

MD5
9726e5a0c1a9096b7ce955819f641582

SHA1
b6538edcb0b4d11c6ab5f4796c00516ceff839ba

SHA256
c8b9a089d6b0e30698fb580e55a3b83c91127cde68bf6405aa125efc98e30b1d

SHA512
96bd9fe6112b76faac7a1879bda50430e6c1423bc0ffc63bbc07e0628f8bf69ba65adbec8738fa946366f5b4952038ff083e2a6eb9fea1057da17e1b2f4c2ff0

Download Submit
C:\Windows\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe

Filesize
372KB

MD5
8dbe59171ab88f12a7f24695275975bb

SHA1
8cecf6390e7f53270be563845db80aca86f62b9d

SHA256
5605cc0c41307f65d914f6257f338dcc3d8ce7979119d16af3ad1e9f97f31cd9

SHA512
ad53239d10b088e4bd295ed470799d03e0998781ad94fc8fda611f4a5b062cbc065ad8abb1ce6139ea65ff3296439d73c1760e6f3321c89cbca7f32efca50acc

Download Submit
C:\Windows\{9F63CCBC-3824-4389-A1B9-100A2704C570}.exe

Filesize
372KB

MD5
8dbe59171ab88f12a7f24695275975bb

SHA1
8cecf6390e7f53270be563845db80aca86f62b9d

SHA256
5605cc0c41307f65d914f6257f338dcc3d8ce7979119d16af3ad1e9f97f31cd9

SHA512
ad53239d10b088e4bd295ed470799d03e0998781ad94fc8fda611f4a5b062cbc065ad8abb1ce6139ea65ff3296439d73c1760e6f3321c89cbca7f32efca50acc

Download Submit
C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe

Filesize
372KB

MD5
5391c7244dff07fafd9f5896aa1651ec

SHA1
cdafa9f7aeb26b64a13aeb59d2c565347c78f5dc

SHA256
42fbbdde3b248f342db8035b7552072884eff481fa7a799f8eea8b41da6ab34d

SHA512
a2818759f08020a4afdd8e8b4390feba9000454a4c5c66ba0d8e787607e582564918d3e002f62d263e0854d3e49f6ce1f72430689ec86768540ed870e4c98466

Download Submit
C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe

Filesize
372KB

MD5
5391c7244dff07fafd9f5896aa1651ec

SHA1
cdafa9f7aeb26b64a13aeb59d2c565347c78f5dc

SHA256
42fbbdde3b248f342db8035b7552072884eff481fa7a799f8eea8b41da6ab34d

SHA512
a2818759f08020a4afdd8e8b4390feba9000454a4c5c66ba0d8e787607e582564918d3e002f62d263e0854d3e49f6ce1f72430689ec86768540ed870e4c98466

Download Submit
C:\Windows\{A20259FE-7EE2-4843-9F91-A1602EF7C14E}.exe

Filesize
372KB

MD5
5391c7244dff07fafd9f5896aa1651ec

SHA1
cdafa9f7aeb26b64a13aeb59d2c565347c78f5dc

SHA256
42fbbdde3b248f342db8035b7552072884eff481fa7a799f8eea8b41da6ab34d

SHA512
a2818759f08020a4afdd8e8b4390feba9000454a4c5c66ba0d8e787607e582564918d3e002f62d263e0854d3e49f6ce1f72430689ec86768540ed870e4c98466

Download Submit
C:\Windows\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe

Filesize
372KB

MD5
9f90512fc001ffb5179078f2b0c58f6c

SHA1
7b24a75a30511cc9f813649f38e24004f06f902e

SHA256
ed6d33ec0f543580929a6503f5c81ca166f2dbffbfef083a7372e60a7465c5ce

SHA512
53ed90d9f0dc54dad62592ac5f108c9f88fe57bd7679320b6b4b8ab5c279dcb502476397f0710f7a9ec693ab99147f923c6ef945f54a9d9a02b48e3e7c5e3e52

Download Submit
C:\Windows\{C1CE7F84-80BD-4ab5-8B69-6595D32EC805}.exe

Filesize
372KB

MD5
9f90512fc001ffb5179078f2b0c58f6c

SHA1
7b24a75a30511cc9f813649f38e24004f06f902e

SHA256
ed6d33ec0f543580929a6503f5c81ca166f2dbffbfef083a7372e60a7465c5ce

SHA512
53ed90d9f0dc54dad62592ac5f108c9f88fe57bd7679320b6b4b8ab5c279dcb502476397f0710f7a9ec693ab99147f923c6ef945f54a9d9a02b48e3e7c5e3e52

Download Submit
C:\Windows\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe

Filesize
372KB

MD5
39a9a8560b8f0a0bff4aa44f753b07c3

SHA1
439c4bbf2e9f88c9c992be8e34f0b71573296720

SHA256
1840ed50a44a7723bc4a28ab1fe3133032a5856fca298daca3ad870aea1c45e3

SHA512
6469254f96d3b1da1e5bd65ad84d6d102914396b81db6b82c2a0c0ad9add911fa406e9b67068e313110ae294bb97b62eb870b3313c61ecb811b77631a07d4d0b

Download Submit
C:\Windows\{D00C027B-A192-486e-A297-84ECA2B382D4}.exe

Filesize
372KB

MD5
39a9a8560b8f0a0bff4aa44f753b07c3

SHA1
439c4bbf2e9f88c9c992be8e34f0b71573296720

SHA256
1840ed50a44a7723bc4a28ab1fe3133032a5856fca298daca3ad870aea1c45e3

SHA512
6469254f96d3b1da1e5bd65ad84d6d102914396b81db6b82c2a0c0ad9add911fa406e9b67068e313110ae294bb97b62eb870b3313c61ecb811b77631a07d4d0b

Download Submit
C:\Windows\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe

Filesize
372KB

MD5
94df46dfab3dfaee51b1e3e6b2014aac

SHA1
150fc1d93931867080f46053c7d3384d701a4b6a

SHA256
b1ec820121b365c0fc752bcfb9d9dcf718bc51ae6fdb277d7c2deb773c925c3c

SHA512
f0778b42f6722a7a79ab2af9531393d5173daa33af6a87ced1460393ad9e525fed540b4029c5892f4c0086c4c15b034163db631e9bd8c2ae48ee60daf5909e2f

Download Submit
C:\Windows\{FB6276B6-FE13-407a-93D4-20B82D13695D}.exe

Filesize
372KB

MD5
94df46dfab3dfaee51b1e3e6b2014aac

SHA1
150fc1d93931867080f46053c7d3384d701a4b6a

SHA256
b1ec820121b365c0fc752bcfb9d9dcf718bc51ae6fdb277d7c2deb773c925c3c

SHA512
f0778b42f6722a7a79ab2af9531393d5173daa33af6a87ced1460393ad9e525fed540b4029c5892f4c0086c4c15b034163db631e9bd8c2ae48ee60daf5909e2f

Download Submit
C:\Windows\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe

Filesize
372KB

MD5
1461f2a01eb04b57e24f1bf360874027

SHA1
a8f80e5113a11351a68bd1b59ff99828e2468ffe

SHA256
9218a80ae29ee9d57d8d88300bcfea6c2415ffeb724f0df141db99939660a156

SHA512
a7bf6658b29e2dc1102ce1f57c268356fd0d4be84b60f22436937d79651b15265b9cc6e984f4dc9096541f52b10f4417c8e96fc67ac776d13c7a9a489e2a7ddf

Download Submit
C:\Windows\{FF3FC7D6-9BCD-49a6-B207-4DDD4171A21C}.exe

Filesize
372KB

MD5
1461f2a01eb04b57e24f1bf360874027

SHA1
a8f80e5113a11351a68bd1b59ff99828e2468ffe

SHA256
9218a80ae29ee9d57d8d88300bcfea6c2415ffeb724f0df141db99939660a156

SHA512
a7bf6658b29e2dc1102ce1f57c268356fd0d4be84b60f22436937d79651b15265b9cc6e984f4dc9096541f52b10f4417c8e96fc67ac776d13c7a9a489e2a7ddf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads