9104762c3497d386fafdc44983db7f043cb002e60e97b81c96ffcc547a913e46

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Size

192KB
MD5

7a83ff093fbf1692c5ada43f993d272c
SHA1

d724cc05d90bc1a3df54266190e5fe798b0a9fad
SHA256

9104762c3497d386fafdc44983db7f043cb002e60e97b81c96ffcc547a913e46
SHA512

12028ebcc360fa40fb515124a06dc197aa9689a9c5fdd97dfb57140e674009b61a0e8d2e0c5ae23d57818c396d1d69a5fff830503ef1832ccd7df08466fa4b2d
SSDEEP

1536:1EGh0o2l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o2l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}	{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}	{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}\stubpath = "C:\\Windows\\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe"	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}\stubpath = "C:\\Windows\\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe"	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}\stubpath = "C:\\Windows\\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe"	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9564760-173E-4dfe-BD15-E04DF2687F02}	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}\stubpath = "C:\\Windows\\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe"	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83362CE-6C50-442e-B994-4ADB755F33BA}	{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}\stubpath = "C:\\Windows\\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe"	{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}\stubpath = "C:\\Windows\\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe"	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1BA3E0-046C-4435-A166-91CED6EBD602}	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}\stubpath = "C:\\Windows\\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe"	{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A83362CE-6C50-442e-B994-4ADB755F33BA}\stubpath = "C:\\Windows\\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe"	{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9564760-173E-4dfe-BD15-E04DF2687F02}\stubpath = "C:\\Windows\\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe"	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1BA3E0-046C-4435-A166-91CED6EBD602}\stubpath = "C:\\Windows\\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe"	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}\stubpath = "C:\\Windows\\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe"	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe
2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
2276	{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
304	{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
1028	{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
3044	{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
File created	C:\Windows\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe	{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
File created	C:\Windows\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe	{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
File created	C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
File created	C:\Windows\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
File created	C:\Windows\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
File created	C:\Windows\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
File created	C:\Windows\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe	{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
File created	C:\Windows\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
File created	C:\Windows\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
File created	C:\Windows\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
Token: SeIncBasePriorityPrivilege	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
Token: SeIncBasePriorityPrivilege	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
Token: SeIncBasePriorityPrivilege	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
Token: SeIncBasePriorityPrivilege	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
Token: SeIncBasePriorityPrivilege	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe
Token: SeIncBasePriorityPrivilege	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
Token: SeIncBasePriorityPrivilege	2276	{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
Token: SeIncBasePriorityPrivilege	304	{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
Token: SeIncBasePriorityPrivilege	1028	{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2492	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	28
PID 2080 wrote to memory of 2492	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	28
PID 2080 wrote to memory of 2492	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	28
PID 2080 wrote to memory of 2492	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	28
PID 2080 wrote to memory of 2384	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	29
PID 2080 wrote to memory of 2384	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	29
PID 2080 wrote to memory of 2384	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	29
PID 2080 wrote to memory of 2384	2080	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	29
PID 2492 wrote to memory of 2860	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	32
PID 2492 wrote to memory of 2860	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	32
PID 2492 wrote to memory of 2860	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	32
PID 2492 wrote to memory of 2860	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	32
PID 2492 wrote to memory of 2928	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	33
PID 2492 wrote to memory of 2928	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	33
PID 2492 wrote to memory of 2928	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	33
PID 2492 wrote to memory of 2928	2492	{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe	33
PID 2860 wrote to memory of 2124	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	34
PID 2860 wrote to memory of 2124	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	34
PID 2860 wrote to memory of 2124	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	34
PID 2860 wrote to memory of 2124	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	34
PID 2860 wrote to memory of 2888	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	35
PID 2860 wrote to memory of 2888	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	35
PID 2860 wrote to memory of 2888	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	35
PID 2860 wrote to memory of 2888	2860	{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe	35
PID 2124 wrote to memory of 2452	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	36
PID 2124 wrote to memory of 2452	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	36
PID 2124 wrote to memory of 2452	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	36
PID 2124 wrote to memory of 2452	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	36
PID 2124 wrote to memory of 2520	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	37
PID 2124 wrote to memory of 2520	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	37
PID 2124 wrote to memory of 2520	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	37
PID 2124 wrote to memory of 2520	2124	{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe	37
PID 2452 wrote to memory of 2988	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	38
PID 2452 wrote to memory of 2988	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	38
PID 2452 wrote to memory of 2988	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	38
PID 2452 wrote to memory of 2988	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	38
PID 2452 wrote to memory of 2832	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	39
PID 2452 wrote to memory of 2832	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	39
PID 2452 wrote to memory of 2832	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	39
PID 2452 wrote to memory of 2832	2452	{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe	39
PID 2988 wrote to memory of 1952	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	40
PID 2988 wrote to memory of 1952	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	40
PID 2988 wrote to memory of 1952	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	40
PID 2988 wrote to memory of 1952	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	40
PID 2988 wrote to memory of 2680	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	41
PID 2988 wrote to memory of 2680	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	41
PID 2988 wrote to memory of 2680	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	41
PID 2988 wrote to memory of 2680	2988	{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe	41
PID 1952 wrote to memory of 2736	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	42
PID 1952 wrote to memory of 2736	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	42
PID 1952 wrote to memory of 2736	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	42
PID 1952 wrote to memory of 2736	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	42
PID 1952 wrote to memory of 2400	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	43
PID 1952 wrote to memory of 2400	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	43
PID 1952 wrote to memory of 2400	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	43
PID 1952 wrote to memory of 2400	1952	{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe	43
PID 2736 wrote to memory of 2276	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	44
PID 2736 wrote to memory of 2276	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	44
PID 2736 wrote to memory of 2276	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	44
PID 2736 wrote to memory of 2276	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	44
PID 2736 wrote to memory of 764	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	45
PID 2736 wrote to memory of 764	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	45
PID 2736 wrote to memory of 764	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	45
PID 2736 wrote to memory of 764	2736	{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe	45

C:\Users\Admin\AppData\Local\Temp\7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
  C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
    C:\Windows\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
      C:\Windows\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
        
        C:\Windows\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
        
        C:\Windows\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe
        
        C:\Windows\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
        
        C:\Windows\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
        
        C:\Windows\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
        
        C:\Windows\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
        
        C:\Windows\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe
        
        C:\Windows\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe
        12⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8336~1.EXE > nul
        12⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6CD~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A06F~1.EXE > nul
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E1D1~1.EXE > nul
        9⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3386B~1.EXE > nul
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD1BA~1.EXE > nul
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23FDB~1.EXE > nul
        6⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4E7~1.EXE > nul
        5⤵
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9564~1.EXE > nul
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8651B~1.EXE > nul
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7A83FF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe

Filesize
192KB

MD5
f4bc9dd88955215edf9f7d1d2f8a0777

SHA1
37529a66f666b80351b0a73103c0f74572890418

SHA256
dbeb6479f65352c0239f0a8debe28c530861eb59e9d03de786e3bb1c51525001

SHA512
b0086c81211791c5f81424ffe0d466d79782c63ba774f706de369c9c3169202154339eb231e93f7b4876ebbb4626ed01d10b2739a7a8583b60a3d373008fcc96

Download Submit
C:\Windows\{1A06FEA4-D2D0-4379-ADD1-A826CB9AD523}.exe

Filesize
192KB

MD5
f4bc9dd88955215edf9f7d1d2f8a0777

SHA1
37529a66f666b80351b0a73103c0f74572890418

SHA256
dbeb6479f65352c0239f0a8debe28c530861eb59e9d03de786e3bb1c51525001

SHA512
b0086c81211791c5f81424ffe0d466d79782c63ba774f706de369c9c3169202154339eb231e93f7b4876ebbb4626ed01d10b2739a7a8583b60a3d373008fcc96

Download Submit
C:\Windows\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe

Filesize
192KB

MD5
2c2960d3e3113c7a5731115872f7c2fd

SHA1
b66a70e01f50a5593430f6494c53e96b80cdadf3

SHA256
1d75c75f94b10af96ae2d49b90c026e605ca6a23def862046001cdd7e679c5a9

SHA512
e8b09027707df1e47259c900dac3d12c793f5584b17ec13473edffa71e5e34b08142135484d0917dc4e990ade8fd16a2c95cc7915f2dd76b28681e6c8f229254

Download Submit
C:\Windows\{23FDBCE8-6603-46a3-9DCF-763061F6E28B}.exe

Filesize
192KB

MD5
2c2960d3e3113c7a5731115872f7c2fd

SHA1
b66a70e01f50a5593430f6494c53e96b80cdadf3

SHA256
1d75c75f94b10af96ae2d49b90c026e605ca6a23def862046001cdd7e679c5a9

SHA512
e8b09027707df1e47259c900dac3d12c793f5584b17ec13473edffa71e5e34b08142135484d0917dc4e990ade8fd16a2c95cc7915f2dd76b28681e6c8f229254

Download Submit
C:\Windows\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe

Filesize
192KB

MD5
71f1393335be38dc635f1acbe08f5517

SHA1
e80f79daf1383efe5919fad6b3c5505c67632363

SHA256
ef8a417d7332181203fd165d17021cefd57bf1efbd35e55c000feb64ae790c11

SHA512
2307e179dbc3136e1cb17665c37198df75c3a8056112896ec39b60b1701e9831300cd1ee6c4099c3552d19dbd139a5731aebeafaf8718a2537c463e92f301cda

Download Submit
C:\Windows\{3386B5C5-C198-413f-9BE0-C8D28E4AB7AA}.exe

Filesize
192KB

MD5
71f1393335be38dc635f1acbe08f5517

SHA1
e80f79daf1383efe5919fad6b3c5505c67632363

SHA256
ef8a417d7332181203fd165d17021cefd57bf1efbd35e55c000feb64ae790c11

SHA512
2307e179dbc3136e1cb17665c37198df75c3a8056112896ec39b60b1701e9831300cd1ee6c4099c3552d19dbd139a5731aebeafaf8718a2537c463e92f301cda

Download Submit
C:\Windows\{33F62203-259C-4949-BE0E-F4FD9E9EBC50}.exe

Filesize
192KB

MD5
6844879cfe626af7c68fb014377d3624

SHA1
5dcca941e0c362378089900bb6b3d30e8cb4be8a

SHA256
9147de618173960691945126244b4381a87a796a5d4bbc418c49264e37660972

SHA512
622f3b669992a28c46a380cd8e9215c02063de585bf85fe4081eb4a7ee16f9492f435937334f61f4578a68a728f63ae4b3158ff025ef68984d89d05745fccd1e

Download Submit
C:\Windows\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe

Filesize
192KB

MD5
a3c72b339c244dad604b45dccb022b24

SHA1
a7c76bdbf6490a8499968c8f5cc489f9fbd51218

SHA256
b021214b1b63357b81c359f46ffd2f3b888a66c9a32a14121522b7b8b88ae3e1

SHA512
b06a34126c912bb8bcd928bcb5aa3dd428a94209b6b0bc27d6f33c21a3358b42a98a99052182fa8440a57ed187c2678a17bb592c66686436dcc26156073cb714

Download Submit
C:\Windows\{3C6CD9E3-27E1-4523-9659-E2D992185D0D}.exe

Filesize
192KB

MD5
a3c72b339c244dad604b45dccb022b24

SHA1
a7c76bdbf6490a8499968c8f5cc489f9fbd51218

SHA256
b021214b1b63357b81c359f46ffd2f3b888a66c9a32a14121522b7b8b88ae3e1

SHA512
b06a34126c912bb8bcd928bcb5aa3dd428a94209b6b0bc27d6f33c21a3358b42a98a99052182fa8440a57ed187c2678a17bb592c66686436dcc26156073cb714

Download Submit
C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe

Filesize
192KB

MD5
25abc1beb8d42da8f159ca3fc13aec19

SHA1
f8646676f4c7b33bc0aacb920cf8eff1913aba10

SHA256
1fe4418a95853443c719712dee528ed98e77fefee82219c1b6d367fe41e73fb2

SHA512
222c03be5ddcee3a6c714490a4c0d82072c975385d10e8bb72f7a85f1e92407ab506430d7025b4709ae764e1a599101d6557fa65209563433a6406d0bed1be68

Download Submit
C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe

Filesize
192KB

MD5
25abc1beb8d42da8f159ca3fc13aec19

SHA1
f8646676f4c7b33bc0aacb920cf8eff1913aba10

SHA256
1fe4418a95853443c719712dee528ed98e77fefee82219c1b6d367fe41e73fb2

SHA512
222c03be5ddcee3a6c714490a4c0d82072c975385d10e8bb72f7a85f1e92407ab506430d7025b4709ae764e1a599101d6557fa65209563433a6406d0bed1be68

Download Submit
C:\Windows\{8651B5A3-9F67-48c3-9ACD-60B402AE5406}.exe

Filesize
192KB

MD5
25abc1beb8d42da8f159ca3fc13aec19

SHA1
f8646676f4c7b33bc0aacb920cf8eff1913aba10

SHA256
1fe4418a95853443c719712dee528ed98e77fefee82219c1b6d367fe41e73fb2

SHA512
222c03be5ddcee3a6c714490a4c0d82072c975385d10e8bb72f7a85f1e92407ab506430d7025b4709ae764e1a599101d6557fa65209563433a6406d0bed1be68

Download Submit
C:\Windows\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe

Filesize
192KB

MD5
ce3a9e1cb4f873ce853ffde250f1270c

SHA1
a51410bfd07bce26899ab6bcb94b3c021660dce0

SHA256
0c695c7c1d76a84a83deb84df2b173ef8308f6938428ba7a4431e00861a6d9d1

SHA512
86248f9ed24f910a180f7c3698b3a72343a4d924c4cfabc83cd6c7213e5cc0cb5dbb4a2e1fa42918b179f99f0a0bfdc5b02fd64135734fd441d17b875c878bce

Download Submit
C:\Windows\{9E1D1E9E-226B-4a8f-BEE2-4FD8FCB1DC45}.exe

Filesize
192KB

MD5
ce3a9e1cb4f873ce853ffde250f1270c

SHA1
a51410bfd07bce26899ab6bcb94b3c021660dce0

SHA256
0c695c7c1d76a84a83deb84df2b173ef8308f6938428ba7a4431e00861a6d9d1

SHA512
86248f9ed24f910a180f7c3698b3a72343a4d924c4cfabc83cd6c7213e5cc0cb5dbb4a2e1fa42918b179f99f0a0bfdc5b02fd64135734fd441d17b875c878bce

Download Submit
C:\Windows\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe

Filesize
192KB

MD5
ea2751a6f4d1895c34c0d674ca3a115e

SHA1
296d045cf8eefdefb5f636151e8f9cd1f4f2ea3a

SHA256
c5432cfaa487f1916999f585e159f76c1702e30c16b45b2695e692cb24b263e5

SHA512
03a4ee3e43516d8d33e5b31e1ba3b29e21c90f045127caf9a6430c997a455d97cbbc2db5b3000b668c5d9dd5ace644150b16e21598a567529f87d4b7629077e6

Download Submit
C:\Windows\{9E4E7E6F-34EE-4945-B5C2-C4412BFD31B0}.exe

Filesize
192KB

MD5
ea2751a6f4d1895c34c0d674ca3a115e

SHA1
296d045cf8eefdefb5f636151e8f9cd1f4f2ea3a

SHA256
c5432cfaa487f1916999f585e159f76c1702e30c16b45b2695e692cb24b263e5

SHA512
03a4ee3e43516d8d33e5b31e1ba3b29e21c90f045127caf9a6430c997a455d97cbbc2db5b3000b668c5d9dd5ace644150b16e21598a567529f87d4b7629077e6

Download Submit
C:\Windows\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe

Filesize
192KB

MD5
937566d583dc8211758fdb74ddc8dcb6

SHA1
2acc59022acec4a7212d3811db702d7b01cb5672

SHA256
e6e280f6dfd6f267928e82ade720f9803718c82afd4b6aaf00788ec3f43252c7

SHA512
ef6b14d6e8e5025b5fad90701d8255aa63811aa89470d7125d0c0ffc017e6e683a50e11d9ce50de84c286d607cf051b731acdfd48f12d2e50fee64f7b4aa0c09

Download Submit
C:\Windows\{A83362CE-6C50-442e-B994-4ADB755F33BA}.exe

Filesize
192KB

MD5
937566d583dc8211758fdb74ddc8dcb6

SHA1
2acc59022acec4a7212d3811db702d7b01cb5672

SHA256
e6e280f6dfd6f267928e82ade720f9803718c82afd4b6aaf00788ec3f43252c7

SHA512
ef6b14d6e8e5025b5fad90701d8255aa63811aa89470d7125d0c0ffc017e6e683a50e11d9ce50de84c286d607cf051b731acdfd48f12d2e50fee64f7b4aa0c09

Download Submit
C:\Windows\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe

Filesize
192KB

MD5
c3e643eea770ce0c359be2b45dc72e59

SHA1
ca9fbfe3ad59a6ec6076b009b385f9bca7c21d68

SHA256
11d0d06d2582a1e353d3894d9eb6486bea3d9205a2b2919ea32c2674c41e67fd

SHA512
3a1506002ac9ccbe34bb97ac1a83e5a2d1ab37a1e3547cee546e4da870c0057cb5ec2d4cf2d1e323b5f97ec09c455c20e16d15b4937a1e2c2c4133e5e5f26294

Download Submit
C:\Windows\{C9564760-173E-4dfe-BD15-E04DF2687F02}.exe

Filesize
192KB

MD5
c3e643eea770ce0c359be2b45dc72e59

SHA1
ca9fbfe3ad59a6ec6076b009b385f9bca7c21d68

SHA256
11d0d06d2582a1e353d3894d9eb6486bea3d9205a2b2919ea32c2674c41e67fd

SHA512
3a1506002ac9ccbe34bb97ac1a83e5a2d1ab37a1e3547cee546e4da870c0057cb5ec2d4cf2d1e323b5f97ec09c455c20e16d15b4937a1e2c2c4133e5e5f26294

Download Submit
C:\Windows\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe

Filesize
192KB

MD5
45d865ac13e92ce921b71c90dc1dce37

SHA1
7cbc5228069f53acde7fa687a244a9a7b624f201

SHA256
2b213351e91d8f6e60d6467dc71c993fcc883149631fed01a2cb37caa241edac

SHA512
8c12a522561bab4e9756fb7b43d09d4bccfee8bf367b1ca1c422dfc5134087cd3c511f01d1d8cf4cbbc581d3a7309e3215cb3b0f5bacedc8748d1a596ea60f46

Download Submit
C:\Windows\{DD1BA3E0-046C-4435-A166-91CED6EBD602}.exe

Filesize
192KB

MD5
45d865ac13e92ce921b71c90dc1dce37

SHA1
7cbc5228069f53acde7fa687a244a9a7b624f201

SHA256
2b213351e91d8f6e60d6467dc71c993fcc883149631fed01a2cb37caa241edac

SHA512
8c12a522561bab4e9756fb7b43d09d4bccfee8bf367b1ca1c422dfc5134087cd3c511f01d1d8cf4cbbc581d3a7309e3215cb3b0f5bacedc8748d1a596ea60f46

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads