6f6690d7e9f1bb92bddca248ca3500463b8aa5553b915731af125e09bb4c498f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Size

372KB
MD5

7c43335739fb8f4af0dd457fd57dee84
SHA1

7dc8928a02b3af1f0baab6507944fa6c04a69295
SHA256

6f6690d7e9f1bb92bddca248ca3500463b8aa5553b915731af125e09bb4c498f
SHA512

24128d9349e88602ef7b828043ea70192c89eae123c1e6e37c13c6fd0e53642e2fd3616a189cded02a2f52034686cec5ff770ec9f6e92fafc8163a188298fa4c
SSDEEP

3072:CEGh0onmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}\stubpath = "C:\\Windows\\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe"	{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E19E07-C129-4652-9F95-EFD5C31293F4}	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}\stubpath = "C:\\Windows\\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe"	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62316341-1443-41fa-81B1-48F11BF30B3C}	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77757A62-3060-4fec-8BBD-0E28B94C2310}	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}\stubpath = "C:\\Windows\\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe"	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77757A62-3060-4fec-8BBD-0E28B94C2310}\stubpath = "C:\\Windows\\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe"	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E672CB1-6946-4ec6-9271-EBF142E4474D}	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}\stubpath = "C:\\Windows\\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe"	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62316341-1443-41fa-81B1-48F11BF30B3C}\stubpath = "C:\\Windows\\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe"	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87535B06-DBE1-458a-B307-E5BB30F17B22}\stubpath = "C:\\Windows\\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe"	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}\stubpath = "C:\\Windows\\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe"	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E19E07-C129-4652-9F95-EFD5C31293F4}\stubpath = "C:\\Windows\\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe"	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}\stubpath = "C:\\Windows\\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe"	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87535B06-DBE1-458a-B307-E5BB30F17B22}	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E672CB1-6946-4ec6-9271-EBF142E4474D}\stubpath = "C:\\Windows\\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe"	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}\stubpath = "C:\\Windows\\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe"	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}	{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe

Executes dropped EXE 12 IoCs

pid	Process
1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
644	{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe
5032	{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
File created	C:\Windows\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
File created	C:\Windows\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
File created	C:\Windows\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
File created	C:\Windows\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
File created	C:\Windows\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
File created	C:\Windows\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
File created	C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
File created	C:\Windows\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
File created	C:\Windows\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
File created	C:\Windows\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
File created	C:\Windows\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe	{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
Token: SeIncBasePriorityPrivilege	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
Token: SeIncBasePriorityPrivilege	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
Token: SeIncBasePriorityPrivilege	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
Token: SeIncBasePriorityPrivilege	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
Token: SeIncBasePriorityPrivilege	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
Token: SeIncBasePriorityPrivilege	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
Token: SeIncBasePriorityPrivilege	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
Token: SeIncBasePriorityPrivilege	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
Token: SeIncBasePriorityPrivilege	3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
Token: SeIncBasePriorityPrivilege	644	{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1452	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	89
PID 2324 wrote to memory of 1452	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	89
PID 2324 wrote to memory of 1452	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	89
PID 2324 wrote to memory of 3548	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	90
PID 2324 wrote to memory of 3548	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	90
PID 2324 wrote to memory of 3548	2324	7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe	90
PID 1452 wrote to memory of 1280	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	91
PID 1452 wrote to memory of 1280	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	91
PID 1452 wrote to memory of 1280	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	91
PID 1452 wrote to memory of 228	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	92
PID 1452 wrote to memory of 228	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	92
PID 1452 wrote to memory of 228	1452	{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe	92
PID 1280 wrote to memory of 748	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	95
PID 1280 wrote to memory of 748	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	95
PID 1280 wrote to memory of 748	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	95
PID 1280 wrote to memory of 3656	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	94
PID 1280 wrote to memory of 3656	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	94
PID 1280 wrote to memory of 3656	1280	{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe	94
PID 748 wrote to memory of 4664	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	96
PID 748 wrote to memory of 4664	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	96
PID 748 wrote to memory of 4664	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	96
PID 748 wrote to memory of 5040	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	97
PID 748 wrote to memory of 5040	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	97
PID 748 wrote to memory of 5040	748	{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe	97
PID 4664 wrote to memory of 3772	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	98
PID 4664 wrote to memory of 3772	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	98
PID 4664 wrote to memory of 3772	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	98
PID 4664 wrote to memory of 2724	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	99
PID 4664 wrote to memory of 2724	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	99
PID 4664 wrote to memory of 2724	4664	{62316341-1443-41fa-81B1-48F11BF30B3C}.exe	99
PID 3772 wrote to memory of 1016	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	100
PID 3772 wrote to memory of 1016	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	100
PID 3772 wrote to memory of 1016	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	100
PID 3772 wrote to memory of 4592	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	101
PID 3772 wrote to memory of 4592	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	101
PID 3772 wrote to memory of 4592	3772	{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe	101
PID 1016 wrote to memory of 1656	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	102
PID 1016 wrote to memory of 1656	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	102
PID 1016 wrote to memory of 1656	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	102
PID 1016 wrote to memory of 2384	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	103
PID 1016 wrote to memory of 2384	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	103
PID 1016 wrote to memory of 2384	1016	{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe	103
PID 1656 wrote to memory of 1664	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	104
PID 1656 wrote to memory of 1664	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	104
PID 1656 wrote to memory of 1664	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	104
PID 1656 wrote to memory of 4748	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	105
PID 1656 wrote to memory of 4748	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	105
PID 1656 wrote to memory of 4748	1656	{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe	105
PID 1664 wrote to memory of 1848	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	106
PID 1664 wrote to memory of 1848	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	106
PID 1664 wrote to memory of 1848	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	106
PID 1664 wrote to memory of 544	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	107
PID 1664 wrote to memory of 544	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	107
PID 1664 wrote to memory of 544	1664	{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe	107
PID 1848 wrote to memory of 3856	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	108
PID 1848 wrote to memory of 3856	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	108
PID 1848 wrote to memory of 3856	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	108
PID 1848 wrote to memory of 3140	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	109
PID 1848 wrote to memory of 3140	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	109
PID 1848 wrote to memory of 3140	1848	{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe	109
PID 3856 wrote to memory of 644	3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe	110
PID 3856 wrote to memory of 644	3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe	110
PID 3856 wrote to memory of 644	3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe	110
PID 3856 wrote to memory of 5012	3856	{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe	111

C:\Users\Admin\AppData\Local\Temp\7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7c43335739fb8f4af0dd457fd57dee84_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
  C:\Windows\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
    C:\Windows\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{68655~1.EXE > nul
      4⤵
      PID:3656
  - - C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
      C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
        
        C:\Windows\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Windows\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
        
        C:\Windows\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
        
        C:\Windows\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
        
        C:\Windows\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
        
        C:\Windows\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
        
        C:\Windows\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
        
        C:\Windows\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe
        
        C:\Windows\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe
        
        C:\Windows\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe
        13⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE411~1.EXE > nul
        13⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E672~1.EXE > nul
        12⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77757~1.EXE > nul
        11⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDC5~1.EXE > nul
        10⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87535~1.EXE > nul
        9⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B1C1~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB4A4~1.EXE > nul
        7⤵
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62316~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61C3F~1.EXE > nul
        5⤵
        
        PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97E19~1.EXE > nul
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7C4333~1.EXE > nul
  2⤵
  PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe

Filesize
372KB

MD5
10a70e170931e89353566b102b4f20ba

SHA1
9b35ee8e6cb71800037ea086e179901c4e49684d

SHA256
02d6a7b05ca329fb5c12bb4594a71f97cf5612af3974260495697bfbdc0cc5c7

SHA512
b42ca0eb0aeed8a93e23298882af5c2c31b80e6204574095352659e30a1e7903c2a4ed5acad430cd6af0c16b0c291b6514bac462d47e56f61454441cae17a5b5

Download Submit
C:\Windows\{2B1C1099-74E9-447f-BCEB-AC3098A4168C}.exe

Filesize
372KB

MD5
10a70e170931e89353566b102b4f20ba

SHA1
9b35ee8e6cb71800037ea086e179901c4e49684d

SHA256
02d6a7b05ca329fb5c12bb4594a71f97cf5612af3974260495697bfbdc0cc5c7

SHA512
b42ca0eb0aeed8a93e23298882af5c2c31b80e6204574095352659e30a1e7903c2a4ed5acad430cd6af0c16b0c291b6514bac462d47e56f61454441cae17a5b5

Download Submit
C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe

Filesize
372KB

MD5
5a8e9833540d9ccf7fd32b84b5cbe749

SHA1
c52211547023652c3cca29659e8c586487ec5c74

SHA256
e7698dacda72351e56949e38eea596b756d710fdfa547b12cf0c5f1a8d8ee0ec

SHA512
26c0e31521f8ad93b1edc8fee7a113a52450ff13a3ae9078a5bf59938563c983746223853d1da7c1870f31ad1a282ee8551eb7101303cd8cb88a288236f263aa

Download Submit
C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe

Filesize
372KB

MD5
5a8e9833540d9ccf7fd32b84b5cbe749

SHA1
c52211547023652c3cca29659e8c586487ec5c74

SHA256
e7698dacda72351e56949e38eea596b756d710fdfa547b12cf0c5f1a8d8ee0ec

SHA512
26c0e31521f8ad93b1edc8fee7a113a52450ff13a3ae9078a5bf59938563c983746223853d1da7c1870f31ad1a282ee8551eb7101303cd8cb88a288236f263aa

Download Submit
C:\Windows\{61C3FAA1-BA5F-4963-B022-7E347A5AD121}.exe

Filesize
372KB

MD5
5a8e9833540d9ccf7fd32b84b5cbe749

SHA1
c52211547023652c3cca29659e8c586487ec5c74

SHA256
e7698dacda72351e56949e38eea596b756d710fdfa547b12cf0c5f1a8d8ee0ec

SHA512
26c0e31521f8ad93b1edc8fee7a113a52450ff13a3ae9078a5bf59938563c983746223853d1da7c1870f31ad1a282ee8551eb7101303cd8cb88a288236f263aa

Download Submit
C:\Windows\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe

Filesize
372KB

MD5
a350c61cc68b58d76638e4f162e55cb4

SHA1
75fd08897d6386315482699b30756fca4c890fa4

SHA256
0fada9e88c45eebc5fe66b68a5514bc49b135d0f1fdb1f5873debc1651cd100e

SHA512
04a11b78b2dc8df102c32433b92f88bb0d066581f8c023867b869e77495809e11b1f12f0fd68b85e0cc41c0119578f4a9970091648308de6ec4d5a3b0f00877e

Download Submit
C:\Windows\{62316341-1443-41fa-81B1-48F11BF30B3C}.exe

Filesize
372KB

MD5
a350c61cc68b58d76638e4f162e55cb4

SHA1
75fd08897d6386315482699b30756fca4c890fa4

SHA256
0fada9e88c45eebc5fe66b68a5514bc49b135d0f1fdb1f5873debc1651cd100e

SHA512
04a11b78b2dc8df102c32433b92f88bb0d066581f8c023867b869e77495809e11b1f12f0fd68b85e0cc41c0119578f4a9970091648308de6ec4d5a3b0f00877e

Download Submit
C:\Windows\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe

Filesize
372KB

MD5
1f474b288f5967c1bc6e02d4580be61c

SHA1
1f100ffb7962fef201c3ec9f4ea33df51afa98f7

SHA256
f0935d560ca6ed73796f0609a689324f37d69d55861c159a4ef22993cb0420cd

SHA512
847d511022ecee525f96df8d8202a98ef851bac5b3b8b33004a038908902803244a0cdd4483c46e00c9f7d7e0ef42ace05b837507c9a730a8f5f084832af4e69

Download Submit
C:\Windows\{63B7A81A-27F5-47d5-8D1A-B0D50A8A4D97}.exe

Filesize
372KB

MD5
1f474b288f5967c1bc6e02d4580be61c

SHA1
1f100ffb7962fef201c3ec9f4ea33df51afa98f7

SHA256
f0935d560ca6ed73796f0609a689324f37d69d55861c159a4ef22993cb0420cd

SHA512
847d511022ecee525f96df8d8202a98ef851bac5b3b8b33004a038908902803244a0cdd4483c46e00c9f7d7e0ef42ace05b837507c9a730a8f5f084832af4e69

Download Submit
C:\Windows\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe

Filesize
372KB

MD5
01043363cc8d4b5f4225c320933eadb5

SHA1
897981207e78cf2ae3bf02ab7cd407f7e66a81a2

SHA256
6cfaed3dff6e87cb1a49c6d4a1250a0021764fddbdf28c784e1a1c9ae106d96a

SHA512
de38e2cc7f3f8cca42e1d417e1877620e14ae00497e4057c54a1aa599172f25b2ebb4a9b342aa401e0d51a59908f412cfe0c34fc92dee3832106579f50131d33

Download Submit
C:\Windows\{68655CBB-643F-4ee7-8C8B-4E3FA3D9F05C}.exe

Filesize
372KB

MD5
01043363cc8d4b5f4225c320933eadb5

SHA1
897981207e78cf2ae3bf02ab7cd407f7e66a81a2

SHA256
6cfaed3dff6e87cb1a49c6d4a1250a0021764fddbdf28c784e1a1c9ae106d96a

SHA512
de38e2cc7f3f8cca42e1d417e1877620e14ae00497e4057c54a1aa599172f25b2ebb4a9b342aa401e0d51a59908f412cfe0c34fc92dee3832106579f50131d33

Download Submit
C:\Windows\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe

Filesize
372KB

MD5
a4579655c4b654bcf866c69d1563ddd8

SHA1
6a0211b0fc871043a245ac885d8ac0e87d5d5579

SHA256
70d26c4b9e3879e9d64a2561a1f4246e25347c57e6c7804d88a3708bd87c77ed

SHA512
b65cb0785f2a8cb7061c69e54554e059855efd3ec6c1ec907aa73bce9ad133ea7b9c3aac11ea6721f2bcae676e9e29a52fa90eb39510ae02a6e9e313a3a2348d

Download Submit
C:\Windows\{77757A62-3060-4fec-8BBD-0E28B94C2310}.exe

Filesize
372KB

MD5
a4579655c4b654bcf866c69d1563ddd8

SHA1
6a0211b0fc871043a245ac885d8ac0e87d5d5579

SHA256
70d26c4b9e3879e9d64a2561a1f4246e25347c57e6c7804d88a3708bd87c77ed

SHA512
b65cb0785f2a8cb7061c69e54554e059855efd3ec6c1ec907aa73bce9ad133ea7b9c3aac11ea6721f2bcae676e9e29a52fa90eb39510ae02a6e9e313a3a2348d

Download Submit
C:\Windows\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe

Filesize
372KB

MD5
009f7bad6fda5c20336202ad115bbcfb

SHA1
87e87cdafd0dda3122817f27906454177ac80581

SHA256
6fb4bfbf0f0d3687e39f43b3b0325541c32ab13d4b243cbe00a85a9f56896f08

SHA512
4c10d81b628d81fa076be64d446ac796785239635902b92b53094beb9b0673bd647eecc7e6123c0d26bed9566d08b9a6e6cddd922dbc42815b4f0649442882e0

Download Submit
C:\Windows\{87535B06-DBE1-458a-B307-E5BB30F17B22}.exe

Filesize
372KB

MD5
009f7bad6fda5c20336202ad115bbcfb

SHA1
87e87cdafd0dda3122817f27906454177ac80581

SHA256
6fb4bfbf0f0d3687e39f43b3b0325541c32ab13d4b243cbe00a85a9f56896f08

SHA512
4c10d81b628d81fa076be64d446ac796785239635902b92b53094beb9b0673bd647eecc7e6123c0d26bed9566d08b9a6e6cddd922dbc42815b4f0649442882e0

Download Submit
C:\Windows\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe

Filesize
372KB

MD5
79fe92795d93739bd8e6b899ea76d733

SHA1
53bb40607193a9f1a7ac8b6334d8d410e5bf8efb

SHA256
b8947a1c34744379160b37e2891a59cf9e26d9ae0a51da7fd54583fbfacfeee7

SHA512
68d1ddd3e2f078bb4a9f5416a1bd71e26a901e1f9e47ebe5d4ba1b92212b95e235496eb4ea327483135b30a82364dd99c0bd6576cbeb78314ce1d152de70b40b

Download Submit
C:\Windows\{97E19E07-C129-4652-9F95-EFD5C31293F4}.exe

Filesize
372KB

MD5
79fe92795d93739bd8e6b899ea76d733

SHA1
53bb40607193a9f1a7ac8b6334d8d410e5bf8efb

SHA256
b8947a1c34744379160b37e2891a59cf9e26d9ae0a51da7fd54583fbfacfeee7

SHA512
68d1ddd3e2f078bb4a9f5416a1bd71e26a901e1f9e47ebe5d4ba1b92212b95e235496eb4ea327483135b30a82364dd99c0bd6576cbeb78314ce1d152de70b40b

Download Submit
C:\Windows\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe

Filesize
372KB

MD5
bce7f51642caca3582046c1dfe1b539d

SHA1
6852699bd07697349cdf6bd8d9dbae0a6eaa6355

SHA256
395650e90ee6cd7a8b662a9a3037f333992e8078479b08a357a5560bd26f80fc

SHA512
09900186beae330b5f08146318c86e977d1ce2317a127afadf60bab89a52b1b321ecb5dcc6bb5c6352937a7a9486218951699c8c64dec717217f6f72949bbd2c

Download Submit
C:\Windows\{9E672CB1-6946-4ec6-9271-EBF142E4474D}.exe

Filesize
372KB

MD5
bce7f51642caca3582046c1dfe1b539d

SHA1
6852699bd07697349cdf6bd8d9dbae0a6eaa6355

SHA256
395650e90ee6cd7a8b662a9a3037f333992e8078479b08a357a5560bd26f80fc

SHA512
09900186beae330b5f08146318c86e977d1ce2317a127afadf60bab89a52b1b321ecb5dcc6bb5c6352937a7a9486218951699c8c64dec717217f6f72949bbd2c

Download Submit
C:\Windows\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe

Filesize
372KB

MD5
a320ffa9d636c77bec7f48590a3a137e

SHA1
1b0386a090d1e1ece2f740658b208a57ed8fb99c

SHA256
c5ddad68612daed5cc1cc9866ac01bc5cd8e09b67bfa137d99a8f775f3498f50

SHA512
76b01acefcb1f203c998ece25ba8bddc83e96479bb52522ca3f50971b6fc4561cd48e0a565b4eff0700d37c749acfab89e4d3f986ddc77ad3990563c60e2fbf6

Download Submit
C:\Windows\{AB4A45A5-40B6-4d46-BAB4-365CEBC4B8D4}.exe

Filesize
372KB

MD5
a320ffa9d636c77bec7f48590a3a137e

SHA1
1b0386a090d1e1ece2f740658b208a57ed8fb99c

SHA256
c5ddad68612daed5cc1cc9866ac01bc5cd8e09b67bfa137d99a8f775f3498f50

SHA512
76b01acefcb1f203c998ece25ba8bddc83e96479bb52522ca3f50971b6fc4561cd48e0a565b4eff0700d37c749acfab89e4d3f986ddc77ad3990563c60e2fbf6

Download Submit
C:\Windows\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe

Filesize
372KB

MD5
63f828d4e71f70f1112b571b126c6c45

SHA1
b6ed49c920f54a91f60a5e638938424b5e885c7d

SHA256
a9fd052332fc2d1491d424150a38153d9dadb00ace214d09e6015ef7b10d0e4e

SHA512
cd714c91b2ac64d4697c8390b8fc588ce818e7872809d1343a365cd31c12721066c696e77dec3fbb97da9885cb219267aca4c84a3976e7b81ec86f6a029f093c

Download Submit
C:\Windows\{AE4113B0-3296-42f1-AC3D-ACA884E9B436}.exe

Filesize
372KB

MD5
63f828d4e71f70f1112b571b126c6c45

SHA1
b6ed49c920f54a91f60a5e638938424b5e885c7d

SHA256
a9fd052332fc2d1491d424150a38153d9dadb00ace214d09e6015ef7b10d0e4e

SHA512
cd714c91b2ac64d4697c8390b8fc588ce818e7872809d1343a365cd31c12721066c696e77dec3fbb97da9885cb219267aca4c84a3976e7b81ec86f6a029f093c

Download Submit
C:\Windows\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe

Filesize
372KB

MD5
5f522de4d1f677c317c2035f4fa39f72

SHA1
a31722c5fd5f5201eaef5883ef132837c6f8940b

SHA256
a7328d81b187af06a2f82852655981912d1d9eb407c567afe8e5570ce2a75f9f

SHA512
07fee88fbd1419c45a36b2250b040649d5c09e262fa9eec53fb1574b19747d97deb0cd05a6ecaa523440dd7e85e9e1c8f158b61835770675fee3861be3018b97

Download Submit
C:\Windows\{DDDC5E07-26F1-41aa-84E6-11E078C97F96}.exe

Filesize
372KB

MD5
5f522de4d1f677c317c2035f4fa39f72

SHA1
a31722c5fd5f5201eaef5883ef132837c6f8940b

SHA256
a7328d81b187af06a2f82852655981912d1d9eb407c567afe8e5570ce2a75f9f

SHA512
07fee88fbd1419c45a36b2250b040649d5c09e262fa9eec53fb1574b19747d97deb0cd05a6ecaa523440dd7e85e9e1c8f158b61835770675fee3861be3018b97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads