bab86ddf4744da23c74ee5a69475760654c71c7a82e9c9bdba0e3a410a2a28f7

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Size

372KB
MD5

83bf96dc0aa16013a1d4fafd4173a357
SHA1

3f44c164b1ae25729f24e1aaebe16e48868ecbe8
SHA256

bab86ddf4744da23c74ee5a69475760654c71c7a82e9c9bdba0e3a410a2a28f7
SHA512

db8fa6862cd8d14b31d459d52015bfc6edc14073101d1ea0e53bc7dc5ce3c4aeb3cd00202c39336507999d979773d8be757a6b69f881b652d117a68d1697ea58
SSDEEP

3072:CEGh0oSmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG9l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}\stubpath = "C:\\Windows\\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe"	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}\stubpath = "C:\\Windows\\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe"	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1F0415-A488-41d6-A11D-7E5C93889521}\stubpath = "C:\\Windows\\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe"	{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC763FA-C665-423a-BE78-7D36BAD34797}	{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952AC057-E901-43cd-8D84-09B61043A282}\stubpath = "C:\\Windows\\{952AC057-E901-43cd-8D84-09B61043A282}.exe"	{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94E8F35D-BA3B-4736-8641-814D0A881910}	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}\stubpath = "C:\\Windows\\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe"	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8287D9EF-779A-4bf6-8700-0616F120EE2F}\stubpath = "C:\\Windows\\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe"	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B887E03-98EB-4623-B2CF-82262ECDE956}	{952AC057-E901-43cd-8D84-09B61043A282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}\stubpath = "C:\\Windows\\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe"	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}\stubpath = "C:\\Windows\\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe"	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}\stubpath = "C:\\Windows\\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe"	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94E8F35D-BA3B-4736-8641-814D0A881910}\stubpath = "C:\\Windows\\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe"	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8287D9EF-779A-4bf6-8700-0616F120EE2F}	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1F0415-A488-41d6-A11D-7E5C93889521}	{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DC763FA-C665-423a-BE78-7D36BAD34797}\stubpath = "C:\\Windows\\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe"	{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952AC057-E901-43cd-8D84-09B61043A282}	{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B887E03-98EB-4623-B2CF-82262ECDE956}\stubpath = "C:\\Windows\\{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe"	{952AC057-E901-43cd-8D84-09B61043A282}.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
2884	{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
2800	{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
2880	{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
2688	{952AC057-E901-43cd-8D84-09B61043A282}.exe
3040	{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
File created	C:\Windows\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe	{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
File created	C:\Windows\{952AC057-E901-43cd-8D84-09B61043A282}.exe	{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
File created	C:\Windows\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
File created	C:\Windows\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
File created	C:\Windows\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
File created	C:\Windows\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
File created	C:\Windows\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
File created	C:\Windows\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe	{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
File created	C:\Windows\{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe	{952AC057-E901-43cd-8D84-09B61043A282}.exe
File created	C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
File created	C:\Windows\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
Token: SeIncBasePriorityPrivilege	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
Token: SeIncBasePriorityPrivilege	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
Token: SeIncBasePriorityPrivilege	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
Token: SeIncBasePriorityPrivilege	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
Token: SeIncBasePriorityPrivilege	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
Token: SeIncBasePriorityPrivilege	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
Token: SeIncBasePriorityPrivilege	2884	{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
Token: SeIncBasePriorityPrivilege	2800	{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
Token: SeIncBasePriorityPrivilege	2880	{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
Token: SeIncBasePriorityPrivilege	2688	{952AC057-E901-43cd-8D84-09B61043A282}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2944	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	30
PID 2252 wrote to memory of 2944	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	30
PID 2252 wrote to memory of 2944	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	30
PID 2252 wrote to memory of 2944	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	30
PID 2252 wrote to memory of 3044	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	31
PID 2252 wrote to memory of 3044	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	31
PID 2252 wrote to memory of 3044	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	31
PID 2252 wrote to memory of 3044	2252	83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe	31
PID 2944 wrote to memory of 1068	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	32
PID 2944 wrote to memory of 1068	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	32
PID 2944 wrote to memory of 1068	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	32
PID 2944 wrote to memory of 1068	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	32
PID 2944 wrote to memory of 748	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	33
PID 2944 wrote to memory of 748	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	33
PID 2944 wrote to memory of 748	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	33
PID 2944 wrote to memory of 748	2944	{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe	33
PID 1068 wrote to memory of 1672	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	35
PID 1068 wrote to memory of 1672	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	35
PID 1068 wrote to memory of 1672	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	35
PID 1068 wrote to memory of 1672	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	35
PID 1068 wrote to memory of 1524	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	34
PID 1068 wrote to memory of 1524	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	34
PID 1068 wrote to memory of 1524	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	34
PID 1068 wrote to memory of 1524	1068	{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe	34
PID 1672 wrote to memory of 2080	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	37
PID 1672 wrote to memory of 2080	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	37
PID 1672 wrote to memory of 2080	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	37
PID 1672 wrote to memory of 2080	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	37
PID 1672 wrote to memory of 880	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	36
PID 1672 wrote to memory of 880	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	36
PID 1672 wrote to memory of 880	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	36
PID 1672 wrote to memory of 880	1672	{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe	36
PID 2080 wrote to memory of 2324	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	38
PID 2080 wrote to memory of 2324	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	38
PID 2080 wrote to memory of 2324	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	38
PID 2080 wrote to memory of 2324	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	38
PID 2080 wrote to memory of 2676	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	39
PID 2080 wrote to memory of 2676	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	39
PID 2080 wrote to memory of 2676	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	39
PID 2080 wrote to memory of 2676	2080	{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe	39
PID 2324 wrote to memory of 2820	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	41
PID 2324 wrote to memory of 2820	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	41
PID 2324 wrote to memory of 2820	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	41
PID 2324 wrote to memory of 2820	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	41
PID 2324 wrote to memory of 2836	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	40
PID 2324 wrote to memory of 2836	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	40
PID 2324 wrote to memory of 2836	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	40
PID 2324 wrote to memory of 2836	2324	{94E8F35D-BA3B-4736-8641-814D0A881910}.exe	40
PID 2820 wrote to memory of 2860	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	42
PID 2820 wrote to memory of 2860	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	42
PID 2820 wrote to memory of 2860	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	42
PID 2820 wrote to memory of 2860	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	42
PID 2820 wrote to memory of 1452	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	43
PID 2820 wrote to memory of 1452	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	43
PID 2820 wrote to memory of 1452	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	43
PID 2820 wrote to memory of 1452	2820	{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe	43
PID 2860 wrote to memory of 2884	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	44
PID 2860 wrote to memory of 2884	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	44
PID 2860 wrote to memory of 2884	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	44
PID 2860 wrote to memory of 2884	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	44
PID 2860 wrote to memory of 2908	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	45
PID 2860 wrote to memory of 2908	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	45
PID 2860 wrote to memory of 2908	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	45
PID 2860 wrote to memory of 2908	2860	{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe	45

C:\Users\Admin\AppData\Local\Temp\83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\83bf96dc0aa16013a1d4fafd4173a357_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
  C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
    C:\Windows\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8837D~1.EXE > nul
      4⤵
      PID:1524
  - - C:\Windows\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
      C:\Windows\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F4A6~1.EXE > nul
        5⤵
        
        PID:880
    - - C:\Windows\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
        
        C:\Windows\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
        
        C:\Windows\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94E8F~1.EXE > nul
        7⤵
        
        PID:2836
        
        C:\Windows\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
        
        C:\Windows\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
        
        C:\Windows\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
        
        C:\Windows\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
        
        C:\Windows\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
        
        C:\Windows\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{952AC057-E901-43cd-8D84-09B61043A282}.exe
        
        C:\Windows\{952AC057-E901-43cd-8D84-09B61043A282}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe
        
        C:\Windows\{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe
        13⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{952AC~1.EXE > nul
        13⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC76~1.EXE > nul
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1F0~1.EXE > nul
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8287D~1.EXE > nul
        10⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D0DB~1.EXE > nul
        9⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1F0~1.EXE > nul
        8⤵
        
        PID:1452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC6D~1.EXE > nul
        6⤵
        
        PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1F4~1.EXE > nul
    3⤵
    PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\83BF96~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B887E03-98EB-4623-B2CF-82262ECDE956}.exe

Filesize
372KB

MD5
9f44731123069ca41933d955d70b7552

SHA1
290083180b80fd174329f8eb6888d3ede962b457

SHA256
c3dffa9f4eee3aab1c871372ba749c799b6e9f81ae8319c3b9a019d3ef8defe3

SHA512
9064850201724b36deb3a06f6d6f55360b53706794faee394a7dbd7a8bfa52e5308c147b9c2460cacc1993c405fbbceb2b4b494c44394d9597ad3598e77981cf

Download Submit
C:\Windows\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe

Filesize
372KB

MD5
63c473ca39886d2dcb2b872fa1eaf748

SHA1
e6f7636313c86df07281e3bc6a3cd3affd72652e

SHA256
bfd00ed53cb469a5f6af9184ff91428dc2f0ea1731ad5025a9584d49809bd2ef

SHA512
90a959c142ad238811ca67848c8aba5cbfa964d762f03a37d03ed4c20a9ebeebb05cc3087024665f9f030461f45f88a6776f2bee75369eeac707a7b9e03efacc

Download Submit
C:\Windows\{3D0DBCE4-4AF4-4b15-B0EA-A5B4D5829F25}.exe

Filesize
372KB

MD5
63c473ca39886d2dcb2b872fa1eaf748

SHA1
e6f7636313c86df07281e3bc6a3cd3affd72652e

SHA256
bfd00ed53cb469a5f6af9184ff91428dc2f0ea1731ad5025a9584d49809bd2ef

SHA512
90a959c142ad238811ca67848c8aba5cbfa964d762f03a37d03ed4c20a9ebeebb05cc3087024665f9f030461f45f88a6776f2bee75369eeac707a7b9e03efacc

Download Submit
C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe

Filesize
372KB

MD5
865179cd6de0f11c1c8fbecb7db2fca1

SHA1
6b2f7a0b2578b025b503384cb0fec61601489c39

SHA256
c8220c159ae061b766ab03ced02e2a485c3593ba05c014d9f80907b6590f9b15

SHA512
8e809a64ca2889e3c9279e0d7e1c43f0e2c7fd7a0f5b181877712c042ace7a67e0e93f3408860d33cacc6172809c029acb69ea1c6cd3e689d395304808071533

Download Submit
C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe

Filesize
372KB

MD5
865179cd6de0f11c1c8fbecb7db2fca1

SHA1
6b2f7a0b2578b025b503384cb0fec61601489c39

SHA256
c8220c159ae061b766ab03ced02e2a485c3593ba05c014d9f80907b6590f9b15

SHA512
8e809a64ca2889e3c9279e0d7e1c43f0e2c7fd7a0f5b181877712c042ace7a67e0e93f3408860d33cacc6172809c029acb69ea1c6cd3e689d395304808071533

Download Submit
C:\Windows\{4D1F46F2-02F4-41bb-9B45-B507CFB2745B}.exe

Filesize
372KB

MD5
865179cd6de0f11c1c8fbecb7db2fca1

SHA1
6b2f7a0b2578b025b503384cb0fec61601489c39

SHA256
c8220c159ae061b766ab03ced02e2a485c3593ba05c014d9f80907b6590f9b15

SHA512
8e809a64ca2889e3c9279e0d7e1c43f0e2c7fd7a0f5b181877712c042ace7a67e0e93f3408860d33cacc6172809c029acb69ea1c6cd3e689d395304808071533

Download Submit
C:\Windows\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe

Filesize
372KB

MD5
f7b3cfd6d924758c75ccca5d6a3a623d

SHA1
55e7baed1c8ceff4236e697170fd48372d59c770

SHA256
050b08a413020f3fe64a39952b07d918fad8960dae206c40b890673d9c0337b6

SHA512
0cbc3e8a8a540c8ceebb1a87088593173a996d3c072c55f92b8ac886c91a3137604fa99cfe335a4241d6407961d0d982b1ef8a43bd5e697e7ae55a321f8e574f

Download Submit
C:\Windows\{5A1F085D-FE58-4d7c-8172-D7AD6E3DA2AE}.exe

Filesize
372KB

MD5
f7b3cfd6d924758c75ccca5d6a3a623d

SHA1
55e7baed1c8ceff4236e697170fd48372d59c770

SHA256
050b08a413020f3fe64a39952b07d918fad8960dae206c40b890673d9c0337b6

SHA512
0cbc3e8a8a540c8ceebb1a87088593173a996d3c072c55f92b8ac886c91a3137604fa99cfe335a4241d6407961d0d982b1ef8a43bd5e697e7ae55a321f8e574f

Download Submit
C:\Windows\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe

Filesize
372KB

MD5
d02a841b22f7d3d8a6562c79c857898a

SHA1
013f2e6361983e49a2244287fe30aa1cfd094750

SHA256
7ae52f44e8c59f9363e2a1b26aa55fbd5356c320331bf04b3e33a94a546e0e66

SHA512
1e3fab111e467d7bba1e04810eda97eaeff1a7be4d92646fce55679e153799e28bca074d31ad1844e1f6bedefdccc18ae89a68ba71e9892e0917d6a9995f7902

Download Submit
C:\Windows\{7DC763FA-C665-423a-BE78-7D36BAD34797}.exe

Filesize
372KB

MD5
d02a841b22f7d3d8a6562c79c857898a

SHA1
013f2e6361983e49a2244287fe30aa1cfd094750

SHA256
7ae52f44e8c59f9363e2a1b26aa55fbd5356c320331bf04b3e33a94a546e0e66

SHA512
1e3fab111e467d7bba1e04810eda97eaeff1a7be4d92646fce55679e153799e28bca074d31ad1844e1f6bedefdccc18ae89a68ba71e9892e0917d6a9995f7902

Download Submit
C:\Windows\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe

Filesize
372KB

MD5
ba2a8989ba327c386787b6faa2597c7a

SHA1
a9b9829fbde2cbdb7490a58f3825bc4ee79f5ec7

SHA256
0dc6bfb689e312cdc54f70bd5ddecb57795d027c62fe49d4044e253223ac3ce3

SHA512
9de4a2a8e108983c0c03681df7df45e5bb9d9ef8015a4be022e36b309144a7ee69500938a58277934c007912bb7d264d9409de7de09ad09961713f52dd8bf1ec

Download Submit
C:\Windows\{7F4A6253-ACD6-487f-9BCB-7819C5DEB591}.exe

Filesize
372KB

MD5
ba2a8989ba327c386787b6faa2597c7a

SHA1
a9b9829fbde2cbdb7490a58f3825bc4ee79f5ec7

SHA256
0dc6bfb689e312cdc54f70bd5ddecb57795d027c62fe49d4044e253223ac3ce3

SHA512
9de4a2a8e108983c0c03681df7df45e5bb9d9ef8015a4be022e36b309144a7ee69500938a58277934c007912bb7d264d9409de7de09ad09961713f52dd8bf1ec

Download Submit
C:\Windows\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe

Filesize
372KB

MD5
0c4d81b49cdfbc860596c49cfe604033

SHA1
d118cfeafdb42529d19c6db6fc58580a815637e2

SHA256
55f7739f1234fda4d7f5279ad06e0aeb1cfcc49435999ce8f9e6f01bb31fef9a

SHA512
21c93ceddec0dfbbd9882bebe1dc03e9f881094c00576450c832d29c1bb428d9ce9198ba1eac3bcd812870290ec6cf558c7e4d1c4defdb52771e305b52ab0715

Download Submit
C:\Windows\{8287D9EF-779A-4bf6-8700-0616F120EE2F}.exe

Filesize
372KB

MD5
0c4d81b49cdfbc860596c49cfe604033

SHA1
d118cfeafdb42529d19c6db6fc58580a815637e2

SHA256
55f7739f1234fda4d7f5279ad06e0aeb1cfcc49435999ce8f9e6f01bb31fef9a

SHA512
21c93ceddec0dfbbd9882bebe1dc03e9f881094c00576450c832d29c1bb428d9ce9198ba1eac3bcd812870290ec6cf558c7e4d1c4defdb52771e305b52ab0715

Download Submit
C:\Windows\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe

Filesize
372KB

MD5
669c3cb1717832f1c02fe2fd897a8523

SHA1
86362d81b0d1a5085562468ad4953599cdd1e675

SHA256
ec8eba18bee5a8dca0dbd6570c6766a1628e1286059b30b52aaffff989baeea8

SHA512
ebec5fcf834b18e51dd46e691519ba7391b86d8a9390859a8d03b075915b8957b24e5f209a3837397add820fc2d1317d9ff48423cb216107a8686d60d8824b58

Download Submit
C:\Windows\{8837D560-A1D6-4cc4-A64C-0E89E469E76E}.exe

Filesize
372KB

MD5
669c3cb1717832f1c02fe2fd897a8523

SHA1
86362d81b0d1a5085562468ad4953599cdd1e675

SHA256
ec8eba18bee5a8dca0dbd6570c6766a1628e1286059b30b52aaffff989baeea8

SHA512
ebec5fcf834b18e51dd46e691519ba7391b86d8a9390859a8d03b075915b8957b24e5f209a3837397add820fc2d1317d9ff48423cb216107a8686d60d8824b58

Download Submit
C:\Windows\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe

Filesize
372KB

MD5
a9024ad3f8157cc8ae004e38ab87bd02

SHA1
6139c747d10e45703afb3706abdfa55fc87f40a8

SHA256
279d8ec82bed669f24bff619bc46834126de4c60e626eceb750a935159516f37

SHA512
a97c9a07284a662a7182d0ac8aad796e24d177911a8c33c0ec605272cc843d416feef447b559bd73b0d87121c135ea2bec4fafe0f49c7f53478970e8a505f087

Download Submit
C:\Windows\{94E8F35D-BA3B-4736-8641-814D0A881910}.exe

Filesize
372KB

MD5
a9024ad3f8157cc8ae004e38ab87bd02

SHA1
6139c747d10e45703afb3706abdfa55fc87f40a8

SHA256
279d8ec82bed669f24bff619bc46834126de4c60e626eceb750a935159516f37

SHA512
a97c9a07284a662a7182d0ac8aad796e24d177911a8c33c0ec605272cc843d416feef447b559bd73b0d87121c135ea2bec4fafe0f49c7f53478970e8a505f087

Download Submit
C:\Windows\{952AC057-E901-43cd-8D84-09B61043A282}.exe

Filesize
372KB

MD5
0984ba9d53a243b682bf26e71228603f

SHA1
74c807b3eee13119ef774899ca215fb7caf49816

SHA256
2560b472ae456e2502faa04826e9d6ad02eec0d3bf29518994b96737ed01129f

SHA512
a5ebadc8f965ba912458f852022958921d7c7957f08fc47d0372c850a8dc63e9d374926be3d7ae2aa43191bc69354d4e1ab398c2b17cdaebfabd5eca201e76ed

Download Submit
C:\Windows\{952AC057-E901-43cd-8D84-09B61043A282}.exe

Filesize
372KB

MD5
0984ba9d53a243b682bf26e71228603f

SHA1
74c807b3eee13119ef774899ca215fb7caf49816

SHA256
2560b472ae456e2502faa04826e9d6ad02eec0d3bf29518994b96737ed01129f

SHA512
a5ebadc8f965ba912458f852022958921d7c7957f08fc47d0372c850a8dc63e9d374926be3d7ae2aa43191bc69354d4e1ab398c2b17cdaebfabd5eca201e76ed

Download Submit
C:\Windows\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe

Filesize
372KB

MD5
77631860901ba45acda9b74d4b3e334d

SHA1
5780cc4a5ac06126672f7e3b6de801324254881f

SHA256
b6c6b1ca37eb57c9ec8b5a1ae0b954dc44f9373836b4b106644bbb0a6990cb63

SHA512
f5874c47408ff4c47192066a8e3d353587dd2b6695e1f4cf17d69eeebbaf6e04fadd61b3ba76f4f26859f109070751409ed41c7ea4fd0d81cd9fcdbf34879489

Download Submit
C:\Windows\{DCC6D55A-85D7-432a-A762-A3EF9D5E76CE}.exe

Filesize
372KB

MD5
77631860901ba45acda9b74d4b3e334d

SHA1
5780cc4a5ac06126672f7e3b6de801324254881f

SHA256
b6c6b1ca37eb57c9ec8b5a1ae0b954dc44f9373836b4b106644bbb0a6990cb63

SHA512
f5874c47408ff4c47192066a8e3d353587dd2b6695e1f4cf17d69eeebbaf6e04fadd61b3ba76f4f26859f109070751409ed41c7ea4fd0d81cd9fcdbf34879489

Download Submit
C:\Windows\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe

Filesize
372KB

MD5
eeb0954ebf2ec2257f859dff5ad67384

SHA1
f3aae3d85340187c156d7aa075536aa0f9ad9e35

SHA256
70ca2b402abc2085f50181128dfdd2e87f2a4b06797363151fe693973028b6ce

SHA512
163303849c9fa8eb15aeaa3322ff0e776a648748c10788dd13cee3f0fa2fbd3b2c1d9ac79005bcd0480927e538504ff7556f35230cdd1d43b44a58b2f29741b2

Download Submit
C:\Windows\{DE1F0415-A488-41d6-A11D-7E5C93889521}.exe

Filesize
372KB

MD5
eeb0954ebf2ec2257f859dff5ad67384

SHA1
f3aae3d85340187c156d7aa075536aa0f9ad9e35

SHA256
70ca2b402abc2085f50181128dfdd2e87f2a4b06797363151fe693973028b6ce

SHA512
163303849c9fa8eb15aeaa3322ff0e776a648748c10788dd13cee3f0fa2fbd3b2c1d9ac79005bcd0480927e538504ff7556f35230cdd1d43b44a58b2f29741b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads