87f4bbd6f6ebbd635427ec06441f8656192ae337f1ea59b2b691e9bd4342bdf1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Size

168KB
MD5

81a8d771a529c68cb18faa23de210608
SHA1

1f496424bbb65f91e92d981b29e7e6011f9719c3
SHA256

87f4bbd6f6ebbd635427ec06441f8656192ae337f1ea59b2b691e9bd4342bdf1
SHA512

c6e89522d1764b7543008053410c9231717b55c10af0524eae4c529c0226aac6ad4ec40aa9ffe0db9442854150e175e7c425d364003cd4ab716c7776ac5c21e4
SSDEEP

1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}\stubpath = "C:\\Windows\\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe"	{FE08E584-7229-4493-8950-6C5C598A372B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C19EE8-A814-48f2-A104-594163FCF95D}\stubpath = "C:\\Windows\\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe"	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}\stubpath = "C:\\Windows\\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe"	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211886D6-6F5C-484f-8418-D1DA99BFEB42}\stubpath = "C:\\Windows\\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe"	{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34BC099A-04FB-410c-B67C-E9EAC77D524F}	{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{512717CA-F90D-40e8-894C-1FC602EEC55E}	{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE08E584-7229-4493-8950-6C5C598A372B}	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B62A108D-E88D-4797-9764-0F96004AAC6F}	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211886D6-6F5C-484f-8418-D1DA99BFEB42}	{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{512717CA-F90D-40e8-894C-1FC602EEC55E}\stubpath = "C:\\Windows\\{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe"	{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}	{FE08E584-7229-4493-8950-6C5C598A372B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9C19EE8-A814-48f2-A104-594163FCF95D}	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34BC099A-04FB-410c-B67C-E9EAC77D524F}\stubpath = "C:\\Windows\\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe"	{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}\stubpath = "C:\\Windows\\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe"	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE08E584-7229-4493-8950-6C5C598A372B}\stubpath = "C:\\Windows\\{FE08E584-7229-4493-8950-6C5C598A372B}.exe"	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B62A108D-E88D-4797-9764-0F96004AAC6F}\stubpath = "C:\\Windows\\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe"	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}\stubpath = "C:\\Windows\\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe"	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}\stubpath = "C:\\Windows\\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe"	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe
2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
2012	{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
2312	{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
1964	{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
2604	{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe	{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
File created	C:\Windows\{FE08E584-7229-4493-8950-6C5C598A372B}.exe	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
File created	C:\Windows\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
File created	C:\Windows\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
File created	C:\Windows\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
File created	C:\Windows\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe	{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
File created	C:\Windows\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe	{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
File created	C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
File created	C:\Windows\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	{FE08E584-7229-4493-8950-6C5C598A372B}.exe
File created	C:\Windows\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
File created	C:\Windows\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
Token: SeIncBasePriorityPrivilege	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe
Token: SeIncBasePriorityPrivilege	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
Token: SeIncBasePriorityPrivilege	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
Token: SeIncBasePriorityPrivilege	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
Token: SeIncBasePriorityPrivilege	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
Token: SeIncBasePriorityPrivilege	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
Token: SeIncBasePriorityPrivilege	2012	{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
Token: SeIncBasePriorityPrivilege	2312	{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
Token: SeIncBasePriorityPrivilege	1964	{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2344	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	28
PID 2284 wrote to memory of 2344	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	28
PID 2284 wrote to memory of 2344	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	28
PID 2284 wrote to memory of 2344	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	28
PID 2284 wrote to memory of 2924	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	29
PID 2284 wrote to memory of 2924	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	29
PID 2284 wrote to memory of 2924	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	29
PID 2284 wrote to memory of 2924	2284	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	29
PID 2344 wrote to memory of 3008	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	32
PID 2344 wrote to memory of 3008	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	32
PID 2344 wrote to memory of 3008	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	32
PID 2344 wrote to memory of 3008	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	32
PID 2344 wrote to memory of 2288	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	33
PID 2344 wrote to memory of 2288	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	33
PID 2344 wrote to memory of 2288	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	33
PID 2344 wrote to memory of 2288	2344	{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe	33
PID 3008 wrote to memory of 2884	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	34
PID 3008 wrote to memory of 2884	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	34
PID 3008 wrote to memory of 2884	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	34
PID 3008 wrote to memory of 2884	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	34
PID 3008 wrote to memory of 2720	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	35
PID 3008 wrote to memory of 2720	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	35
PID 3008 wrote to memory of 2720	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	35
PID 3008 wrote to memory of 2720	3008	{FE08E584-7229-4493-8950-6C5C598A372B}.exe	35
PID 2884 wrote to memory of 2740	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	36
PID 2884 wrote to memory of 2740	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	36
PID 2884 wrote to memory of 2740	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	36
PID 2884 wrote to memory of 2740	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	36
PID 2884 wrote to memory of 2800	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	37
PID 2884 wrote to memory of 2800	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	37
PID 2884 wrote to memory of 2800	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	37
PID 2884 wrote to memory of 2800	2884	{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe	37
PID 2740 wrote to memory of 2468	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	38
PID 2740 wrote to memory of 2468	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	38
PID 2740 wrote to memory of 2468	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	38
PID 2740 wrote to memory of 2468	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	38
PID 2740 wrote to memory of 2356	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	39
PID 2740 wrote to memory of 2356	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	39
PID 2740 wrote to memory of 2356	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	39
PID 2740 wrote to memory of 2356	2740	{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe	39
PID 2468 wrote to memory of 600	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	40
PID 2468 wrote to memory of 600	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	40
PID 2468 wrote to memory of 600	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	40
PID 2468 wrote to memory of 600	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	40
PID 2468 wrote to memory of 868	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	41
PID 2468 wrote to memory of 868	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	41
PID 2468 wrote to memory of 868	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	41
PID 2468 wrote to memory of 868	2468	{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe	41
PID 600 wrote to memory of 564	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	42
PID 600 wrote to memory of 564	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	42
PID 600 wrote to memory of 564	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	42
PID 600 wrote to memory of 564	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	42
PID 600 wrote to memory of 1112	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	43
PID 600 wrote to memory of 1112	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	43
PID 600 wrote to memory of 1112	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	43
PID 600 wrote to memory of 1112	600	{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe	43
PID 564 wrote to memory of 2012	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	45
PID 564 wrote to memory of 2012	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	45
PID 564 wrote to memory of 2012	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	45
PID 564 wrote to memory of 2012	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	45
PID 564 wrote to memory of 1860	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	44
PID 564 wrote to memory of 1860	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	44
PID 564 wrote to memory of 1860	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	44
PID 564 wrote to memory of 1860	564	{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe	44

C:\Users\Admin\AppData\Local\Temp\81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
  C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\{FE08E584-7229-4493-8950-6C5C598A372B}.exe
    C:\Windows\{FE08E584-7229-4493-8950-6C5C598A372B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
      C:\Windows\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
        
        C:\Windows\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
        
        C:\Windows\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
        
        C:\Windows\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
        
        C:\Windows\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE3AC~1.EXE > nul
        9⤵
        
        PID:1860
        
        C:\Windows\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
        
        C:\Windows\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
        
        C:\Windows\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21188~1.EXE > nul
        11⤵
        
        PID:2588
        
        C:\Windows\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
        
        C:\Windows\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe
        
        C:\Windows\{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34BC0~1.EXE > nul
        12⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF50~1.EXE > nul
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C19~1.EXE > nul
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B8EA~1.EXE > nul
        7⤵
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62A1~1.EXE > nul
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE28~1.EXE > nul
        5⤵
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE08E~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4A8~1.EXE > nul
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\81A8D7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe

Filesize
168KB

MD5
3eb553ce26c0650ff2ce5fdfac9a2272

SHA1
f69f2f26716f7af87b608cad93c8ed96ae69759b

SHA256
2136741aad99e689733a800f5c0095e4182e3f80bce146948b9ec4f95249d16c

SHA512
a337c43b7383a478235aa3a997c5e7ddfe69e65b91528aff4cfdba853a0f8e65efcbc1b409b1cc0053a66a154fc546646dc05d9a88211f7c17935ccecc773c45

Download Submit
C:\Windows\{211886D6-6F5C-484f-8418-D1DA99BFEB42}.exe

Filesize
168KB

MD5
3eb553ce26c0650ff2ce5fdfac9a2272

SHA1
f69f2f26716f7af87b608cad93c8ed96ae69759b

SHA256
2136741aad99e689733a800f5c0095e4182e3f80bce146948b9ec4f95249d16c

SHA512
a337c43b7383a478235aa3a997c5e7ddfe69e65b91528aff4cfdba853a0f8e65efcbc1b409b1cc0053a66a154fc546646dc05d9a88211f7c17935ccecc773c45

Download Submit
C:\Windows\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe

Filesize
168KB

MD5
ab194a68e3aa80987785dcf0e88423cc

SHA1
2801f47c37655210f383912011f5bbf2696f9291

SHA256
b6e09be1a9841e798a3e9bf2c3bd1497c6aa048bdd6f5294aae3f6c3bff2d397

SHA512
af42e0507f26e31d3b875a4a76f79568770fb42d8e4035498e869a82622ae65498d7481c145ea10fb1c2f3818f3dd721f406e6bcb7cf00ec6efba63216be6573

Download Submit
C:\Windows\{34BC099A-04FB-410c-B67C-E9EAC77D524F}.exe

Filesize
168KB

MD5
ab194a68e3aa80987785dcf0e88423cc

SHA1
2801f47c37655210f383912011f5bbf2696f9291

SHA256
b6e09be1a9841e798a3e9bf2c3bd1497c6aa048bdd6f5294aae3f6c3bff2d397

SHA512
af42e0507f26e31d3b875a4a76f79568770fb42d8e4035498e869a82622ae65498d7481c145ea10fb1c2f3818f3dd721f406e6bcb7cf00ec6efba63216be6573

Download Submit
C:\Windows\{512717CA-F90D-40e8-894C-1FC602EEC55E}.exe

Filesize
168KB

MD5
c3df47217c256ca49b40acd4ff17279a

SHA1
0aaeae7de3fd670b1c7afa709c814a78e1186bad

SHA256
62b6387f7f78a1b3066d4e8513ae93337ca8ae91c0ac8aaf04f9e70aaa6361f2

SHA512
6ba9633647730a4d49492ef32234867d438cf0d9a33343060d351180e01895854a2e1c48bcefaad92a936c2df229cf07e325f609c59417f4cb030342df8b2338

Download Submit
C:\Windows\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe

Filesize
168KB

MD5
e109600d6312a194e8995c260de0b1d2

SHA1
7dc5574ded914254073fd5769158f538d8820e97

SHA256
e238075845926f1e511eb2cdba104ca9e40c9b7a1a7a02078577eb9735539e94

SHA512
4c55ce7d846de04a9a7b61edcd57bcbe08b426f6d56c683c67a968363c256db495b9844e8ca5f43e9181a101b6d7cc420ea628303fcc6dcf9959b2a6e8286b95

Download Submit
C:\Windows\{5B8EAD77-ED6B-46c4-9967-4758A6CC5891}.exe

Filesize
168KB

MD5
e109600d6312a194e8995c260de0b1d2

SHA1
7dc5574ded914254073fd5769158f538d8820e97

SHA256
e238075845926f1e511eb2cdba104ca9e40c9b7a1a7a02078577eb9735539e94

SHA512
4c55ce7d846de04a9a7b61edcd57bcbe08b426f6d56c683c67a968363c256db495b9844e8ca5f43e9181a101b6d7cc420ea628303fcc6dcf9959b2a6e8286b95

Download Submit
C:\Windows\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe

Filesize
168KB

MD5
e18d8b402c8a3ab86a67558a610dec44

SHA1
b991da8646b8a7a5c3377125522699d09cc98b43

SHA256
ebef695823ded08beb035f16a623e1c4696f790b599f86b4e095f7381dd35a7d

SHA512
38bcacd872f4225dfda29ac1c68a8487600919629fc7d817bf5ba665cf1813af292091651762f2d0b08618b21642d8e648920c71e7115ab8d57819a3883a0c26

Download Submit
C:\Windows\{7DE2887F-FDFC-4ec3-974C-2F8DAF71DC9B}.exe

Filesize
168KB

MD5
e18d8b402c8a3ab86a67558a610dec44

SHA1
b991da8646b8a7a5c3377125522699d09cc98b43

SHA256
ebef695823ded08beb035f16a623e1c4696f790b599f86b4e095f7381dd35a7d

SHA512
38bcacd872f4225dfda29ac1c68a8487600919629fc7d817bf5ba665cf1813af292091651762f2d0b08618b21642d8e648920c71e7115ab8d57819a3883a0c26

Download Submit
C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe

Filesize
168KB

MD5
834dfec89dd799b288b36f3a88a1f322

SHA1
ac25df926916d9347c7bd9d408f7e9e4f82a508f

SHA256
ef3f65279f9e22adca71f2b8e60c6354be24b2943b0724c3697f5702413140b6

SHA512
d5906f49670a9fc902db20801db41179ccf6eace30fe444f98943ce730856bcd0f204e6fd680ea8a01f8a61ffecc9a4742481692eb8388641f7f3746aa9b2f95

Download Submit
C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe

Filesize
168KB

MD5
834dfec89dd799b288b36f3a88a1f322

SHA1
ac25df926916d9347c7bd9d408f7e9e4f82a508f

SHA256
ef3f65279f9e22adca71f2b8e60c6354be24b2943b0724c3697f5702413140b6

SHA512
d5906f49670a9fc902db20801db41179ccf6eace30fe444f98943ce730856bcd0f204e6fd680ea8a01f8a61ffecc9a4742481692eb8388641f7f3746aa9b2f95

Download Submit
C:\Windows\{9E4A8B9B-04C0-485a-AA90-B7C03F9FA68E}.exe

Filesize
168KB

MD5
834dfec89dd799b288b36f3a88a1f322

SHA1
ac25df926916d9347c7bd9d408f7e9e4f82a508f

SHA256
ef3f65279f9e22adca71f2b8e60c6354be24b2943b0724c3697f5702413140b6

SHA512
d5906f49670a9fc902db20801db41179ccf6eace30fe444f98943ce730856bcd0f204e6fd680ea8a01f8a61ffecc9a4742481692eb8388641f7f3746aa9b2f95

Download Submit
C:\Windows\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe

Filesize
168KB

MD5
da7b528dcbdbc3cf78461cf137b5791c

SHA1
46ecfc850a51cc032fcc534117510f91ba938f00

SHA256
02e5436285101f8daee7b4a0609ea6ef1a7bfd27d57ec621580026ad5b5aeb8a

SHA512
78f35a3ad643a15be5b0614ac5dbdfdd9288d68f8e9399d71d2759cb1ae3528b9afd37d5b0be168140ac19b813e1392880313ba586df26778bf1103f3caa354c

Download Submit
C:\Windows\{AE3ACB94-A2BC-40af-925E-FDAF8E904685}.exe

Filesize
168KB

MD5
da7b528dcbdbc3cf78461cf137b5791c

SHA1
46ecfc850a51cc032fcc534117510f91ba938f00

SHA256
02e5436285101f8daee7b4a0609ea6ef1a7bfd27d57ec621580026ad5b5aeb8a

SHA512
78f35a3ad643a15be5b0614ac5dbdfdd9288d68f8e9399d71d2759cb1ae3528b9afd37d5b0be168140ac19b813e1392880313ba586df26778bf1103f3caa354c

Download Submit
C:\Windows\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe

Filesize
168KB

MD5
3eadcbb08e03e3a819545dda3d75528e

SHA1
76428681d6730d5a6cdd19ec80b8ed4d346f50e9

SHA256
a89ea80c56c6308d8894e7eb15c41042c1134484c9bd7dc5f3a26ca52b9001b6

SHA512
bf752cd50fa62ef84155fc2cdc46d0838e8607d33e61056dd9fe6b2155eba089493315c5bcdbb8fa771cd5d3b8ed0fd354bf6c1d8cd75e2649d9db6dba978620

Download Submit
C:\Windows\{B62A108D-E88D-4797-9764-0F96004AAC6F}.exe

Filesize
168KB

MD5
3eadcbb08e03e3a819545dda3d75528e

SHA1
76428681d6730d5a6cdd19ec80b8ed4d346f50e9

SHA256
a89ea80c56c6308d8894e7eb15c41042c1134484c9bd7dc5f3a26ca52b9001b6

SHA512
bf752cd50fa62ef84155fc2cdc46d0838e8607d33e61056dd9fe6b2155eba089493315c5bcdbb8fa771cd5d3b8ed0fd354bf6c1d8cd75e2649d9db6dba978620

Download Submit
C:\Windows\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe

Filesize
168KB

MD5
cc27b0e8c5790946bfba782cab653244

SHA1
d064351fd90d7138c4f62e02cbb9480dbe9bc953

SHA256
5224ab4c88069cc08f2802ba41eac9a94557aebfbcb0a05589db7a4e71bf04e0

SHA512
c1127be8f076bbd1f7583ad1c5e44ac08851e2d6fde44cc6bea98bce6cd91cab93295faa09685c92bf19199421cfbb0b2d73151392de73c85c2d1771dbfb25ea

Download Submit
C:\Windows\{B9C19EE8-A814-48f2-A104-594163FCF95D}.exe

Filesize
168KB

MD5
cc27b0e8c5790946bfba782cab653244

SHA1
d064351fd90d7138c4f62e02cbb9480dbe9bc953

SHA256
5224ab4c88069cc08f2802ba41eac9a94557aebfbcb0a05589db7a4e71bf04e0

SHA512
c1127be8f076bbd1f7583ad1c5e44ac08851e2d6fde44cc6bea98bce6cd91cab93295faa09685c92bf19199421cfbb0b2d73151392de73c85c2d1771dbfb25ea

Download Submit
C:\Windows\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe

Filesize
168KB

MD5
918a65ecd9945dab0b5686052c6a8da3

SHA1
32be5fe31d064911ae193dba8bbf0e6744ca0ac8

SHA256
cf9c2bebf7c1f6e6e3f1733131a464ad0a4a1af15549b895c4a876a702824e6a

SHA512
60b47347eb72ee0c5f41f7c805afa3c250a2a741077727ef879dc5e60a46b09c79526acdfcd85ff2a2221ffd004186e1b09aa6ffb982480a792b4beb66c15382

Download Submit
C:\Windows\{EBF50192-D397-4bef-ABF7-EB7F5804ED7B}.exe

Filesize
168KB

MD5
918a65ecd9945dab0b5686052c6a8da3

SHA1
32be5fe31d064911ae193dba8bbf0e6744ca0ac8

SHA256
cf9c2bebf7c1f6e6e3f1733131a464ad0a4a1af15549b895c4a876a702824e6a

SHA512
60b47347eb72ee0c5f41f7c805afa3c250a2a741077727ef879dc5e60a46b09c79526acdfcd85ff2a2221ffd004186e1b09aa6ffb982480a792b4beb66c15382

Download Submit
C:\Windows\{FE08E584-7229-4493-8950-6C5C598A372B}.exe

Filesize
168KB

MD5
b2573a5f1dd224da524ec0d707a2a2b9

SHA1
dfb61234d26b911318fca82fea1033f0c2a7f0e5

SHA256
429da41cb3e5023422c5d879bcdc06e768e0ff217291a97ce7b8d8b6b2d121e7

SHA512
b13632d44623f22105566cbd1cf4108704534bde4fe3a09437019fca23423ccd552b9a91b8a1935982b9cf3335d409e90525e45aec0c46d2b63cda3283939215

Download Submit
C:\Windows\{FE08E584-7229-4493-8950-6C5C598A372B}.exe

Filesize
168KB

MD5
b2573a5f1dd224da524ec0d707a2a2b9

SHA1
dfb61234d26b911318fca82fea1033f0c2a7f0e5

SHA256
429da41cb3e5023422c5d879bcdc06e768e0ff217291a97ce7b8d8b6b2d121e7

SHA512
b13632d44623f22105566cbd1cf4108704534bde4fe3a09437019fca23423ccd552b9a91b8a1935982b9cf3335d409e90525e45aec0c46d2b63cda3283939215

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads