4d470e5a980f5baf25fd8e6da888a5386ba9c52cbd175da258b8ff2531ae52db

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe
Size

216KB
MD5

9248013f0fa8f045340a4544d0cf0f74
SHA1

3b6970253754007b298ec1572872476905999f62
SHA256

4d470e5a980f5baf25fd8e6da888a5386ba9c52cbd175da258b8ff2531ae52db
SHA512

2269e1fa4929d9ef9f256d422bfa714326502682eea294f7c6c386c533fb3c181f39bb4be9d26aa99486e6dd1f8aa4da6e61b6039fc228bb0bf03c282656c2a0
SSDEEP

3072:jEGh0onl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}\stubpath = "C:\\Windows\\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe"	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}\stubpath = "C:\\Windows\\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe"	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864522D6-A3A7-43f6-8D09-9191426F9075}	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312A9D2A-4662-4f6d-8691-FAAEF801841E}	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}\stubpath = "C:\\Windows\\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe"	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864522D6-A3A7-43f6-8D09-9191426F9075}\stubpath = "C:\\Windows\\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe"	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}\stubpath = "C:\\Windows\\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe"	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}	{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5769E798-20A1-498b-ACA9-067772529EE9}\stubpath = "C:\\Windows\\{5769E798-20A1-498b-ACA9-067772529EE9}.exe"	{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}\stubpath = "C:\\Windows\\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe"	{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}	{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{312A9D2A-4662-4f6d-8691-FAAEF801841E}\stubpath = "C:\\Windows\\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe"	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}\stubpath = "C:\\Windows\\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe"	{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}\stubpath = "C:\\Windows\\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe"	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}\stubpath = "C:\\Windows\\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe"	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5769E798-20A1-498b-ACA9-067772529EE9}	{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
2692	{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
768	{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
2116	{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe
2164	{5769E798-20A1-498b-ACA9-067772529EE9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
File created	C:\Windows\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
File created	C:\Windows\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
File created	C:\Windows\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
File created	C:\Windows\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
File created	C:\Windows\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe	{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
File created	C:\Windows\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
File created	C:\Windows\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
File created	C:\Windows\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe	{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
File created	C:\Windows\{5769E798-20A1-498b-ACA9-067772529EE9}.exe	{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe
File created	C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
Token: SeIncBasePriorityPrivilege	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
Token: SeIncBasePriorityPrivilege	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
Token: SeIncBasePriorityPrivilege	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
Token: SeIncBasePriorityPrivilege	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
Token: SeIncBasePriorityPrivilege	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
Token: SeIncBasePriorityPrivilege	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
Token: SeIncBasePriorityPrivilege	2692	{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
Token: SeIncBasePriorityPrivilege	768	{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
Token: SeIncBasePriorityPrivilege	2116	{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2536	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	28
PID 3040 wrote to memory of 2536	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	28
PID 3040 wrote to memory of 2536	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	28
PID 3040 wrote to memory of 2536	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	28
PID 3040 wrote to memory of 2920	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	29
PID 3040 wrote to memory of 2920	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	29
PID 3040 wrote to memory of 2920	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	29
PID 3040 wrote to memory of 2920	3040	9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe	29
PID 2536 wrote to memory of 2328	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	32
PID 2536 wrote to memory of 2328	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	32
PID 2536 wrote to memory of 2328	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	32
PID 2536 wrote to memory of 2328	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	32
PID 2536 wrote to memory of 2424	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	33
PID 2536 wrote to memory of 2424	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	33
PID 2536 wrote to memory of 2424	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	33
PID 2536 wrote to memory of 2424	2536	{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe	33
PID 2328 wrote to memory of 2872	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	34
PID 2328 wrote to memory of 2872	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	34
PID 2328 wrote to memory of 2872	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	34
PID 2328 wrote to memory of 2872	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	34
PID 2328 wrote to memory of 2708	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	35
PID 2328 wrote to memory of 2708	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	35
PID 2328 wrote to memory of 2708	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	35
PID 2328 wrote to memory of 2708	2328	{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe	35
PID 2872 wrote to memory of 2728	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	36
PID 2872 wrote to memory of 2728	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	36
PID 2872 wrote to memory of 2728	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	36
PID 2872 wrote to memory of 2728	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	36
PID 2872 wrote to memory of 1620	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	37
PID 2872 wrote to memory of 1620	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	37
PID 2872 wrote to memory of 1620	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	37
PID 2872 wrote to memory of 1620	2872	{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe	37
PID 2728 wrote to memory of 2768	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	38
PID 2728 wrote to memory of 2768	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	38
PID 2728 wrote to memory of 2768	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	38
PID 2728 wrote to memory of 2768	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	38
PID 2728 wrote to memory of 2480	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	39
PID 2728 wrote to memory of 2480	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	39
PID 2728 wrote to memory of 2480	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	39
PID 2728 wrote to memory of 2480	2728	{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe	39
PID 2768 wrote to memory of 472	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	40
PID 2768 wrote to memory of 472	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	40
PID 2768 wrote to memory of 472	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	40
PID 2768 wrote to memory of 472	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	40
PID 2768 wrote to memory of 1248	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	41
PID 2768 wrote to memory of 1248	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	41
PID 2768 wrote to memory of 1248	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	41
PID 2768 wrote to memory of 1248	2768	{864522D6-A3A7-43f6-8D09-9191426F9075}.exe	41
PID 472 wrote to memory of 1440	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	42
PID 472 wrote to memory of 1440	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	42
PID 472 wrote to memory of 1440	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	42
PID 472 wrote to memory of 1440	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	42
PID 472 wrote to memory of 284	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	43
PID 472 wrote to memory of 284	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	43
PID 472 wrote to memory of 284	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	43
PID 472 wrote to memory of 284	472	{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe	43
PID 1440 wrote to memory of 2692	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	44
PID 1440 wrote to memory of 2692	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	44
PID 1440 wrote to memory of 2692	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	44
PID 1440 wrote to memory of 2692	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	44
PID 1440 wrote to memory of 2964	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	45
PID 1440 wrote to memory of 2964	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	45
PID 1440 wrote to memory of 2964	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	45
PID 1440 wrote to memory of 2964	1440	{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe	45

C:\Users\Admin\AppData\Local\Temp\9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9248013f0fa8f045340a4544d0cf0f74_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
  C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
    C:\Windows\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
      C:\Windows\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
        
        C:\Windows\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
        
        C:\Windows\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
        
        C:\Windows\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
        
        C:\Windows\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
        
        C:\Windows\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8705F~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
        
        C:\Windows\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe
        
        C:\Windows\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{5769E798-20A1-498b-ACA9-067772529EE9}.exe
        
        C:\Windows\{5769E798-20A1-498b-ACA9-067772529EE9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4E1~1.EXE > nul
        12⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF11F~1.EXE > nul
        11⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{312A9~1.EXE > nul
        9⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B18BF~1.EXE > nul
        8⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86452~1.EXE > nul
        7⤵
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCC4~1.EXE > nul
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BADA~1.EXE > nul
        5⤵
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0901C~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F268A~1.EXE > nul
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\924801~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe

Filesize
216KB

MD5
2084e05b47f5ab79d90cff157e045c30

SHA1
5bcf18188a7b8bfcb8c49a3e085dffd7768b314e

SHA256
2e0b0c1b9fad7655f20a9ce7a62093d1c548566f92cab0032d3f15e86bafa946

SHA512
990d9212d77deabb82eede309178f38e728fcbc00e75f72e9032f045e1b4194a62f57c18d4a18ce5b8dba7e1d44d94619f3955a6d34fc67c82c3603bbeae94bd

Download Submit
C:\Windows\{0901C10D-4C39-40b0-9CC5-5E516AE3615B}.exe

Filesize
216KB

MD5
2084e05b47f5ab79d90cff157e045c30

SHA1
5bcf18188a7b8bfcb8c49a3e085dffd7768b314e

SHA256
2e0b0c1b9fad7655f20a9ce7a62093d1c548566f92cab0032d3f15e86bafa946

SHA512
990d9212d77deabb82eede309178f38e728fcbc00e75f72e9032f045e1b4194a62f57c18d4a18ce5b8dba7e1d44d94619f3955a6d34fc67c82c3603bbeae94bd

Download Submit
C:\Windows\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe

Filesize
216KB

MD5
4be5f3295690259d84057256de041952

SHA1
2afe69304daee7e03598a979796d1011992be753

SHA256
ef334542619f82151b3cf2079a44f276c353e62765935c0f9076f61e87723d56

SHA512
79060e1344ac7b6f04df9c2fc5af616a123ba73a4b47f7eacb5c6e901b7c23ffdc89c0f297f6de667149eb3830391e5b653d1d81b8914d55e4cdad7ce34dfdd6

Download Submit
C:\Windows\{0B4E1679-0EE4-436a-98D0-C2A51D8F891B}.exe

Filesize
216KB

MD5
4be5f3295690259d84057256de041952

SHA1
2afe69304daee7e03598a979796d1011992be753

SHA256
ef334542619f82151b3cf2079a44f276c353e62765935c0f9076f61e87723d56

SHA512
79060e1344ac7b6f04df9c2fc5af616a123ba73a4b47f7eacb5c6e901b7c23ffdc89c0f297f6de667149eb3830391e5b653d1d81b8914d55e4cdad7ce34dfdd6

Download Submit
C:\Windows\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe

Filesize
216KB

MD5
097f43b236669ff0e59d5ae759bcc3cd

SHA1
3604403865a18372016019e55079c7a673e20d57

SHA256
f50ef4935cbaf1a54b4d0ff00d6eef680c958621514001877fd5f6143ff5f661

SHA512
7dcba8b3838bd33cefb5ef951adf84c98769461eea3fd7abc9a1ee31b68e71f6cd39d1867ceb00b4e7ddbbe84e9987b0816504bb1a190fe26b01e3278c62c8f1

Download Submit
C:\Windows\{1BADA4A6-50BD-4f36-9B45-E2E5CAC4F6AF}.exe

Filesize
216KB

MD5
097f43b236669ff0e59d5ae759bcc3cd

SHA1
3604403865a18372016019e55079c7a673e20d57

SHA256
f50ef4935cbaf1a54b4d0ff00d6eef680c958621514001877fd5f6143ff5f661

SHA512
7dcba8b3838bd33cefb5ef951adf84c98769461eea3fd7abc9a1ee31b68e71f6cd39d1867ceb00b4e7ddbbe84e9987b0816504bb1a190fe26b01e3278c62c8f1

Download Submit
C:\Windows\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe

Filesize
216KB

MD5
021c6da22a0228a7074594d87ae4a1d3

SHA1
2a9de1d5aeacadba4693990c61894d9eac798a57

SHA256
cae31d27b65c21a5b6079e55771c88cc2673788c544f2647d651b0c47d8b5eab

SHA512
757c5f0249ea7e4df802b86a550c83a6aaba84f0878bdb5cadda23f66dd07f1ffb4b0bc0e00f75aa9ea9e0996d421761559dfcc4a264d383e628fb6455e5eea3

Download Submit
C:\Windows\{312A9D2A-4662-4f6d-8691-FAAEF801841E}.exe

Filesize
216KB

MD5
021c6da22a0228a7074594d87ae4a1d3

SHA1
2a9de1d5aeacadba4693990c61894d9eac798a57

SHA256
cae31d27b65c21a5b6079e55771c88cc2673788c544f2647d651b0c47d8b5eab

SHA512
757c5f0249ea7e4df802b86a550c83a6aaba84f0878bdb5cadda23f66dd07f1ffb4b0bc0e00f75aa9ea9e0996d421761559dfcc4a264d383e628fb6455e5eea3

Download Submit
C:\Windows\{5769E798-20A1-498b-ACA9-067772529EE9}.exe

Filesize
216KB

MD5
74e0bf341fba72f6a29575946d19770e

SHA1
0869a9f261411b0d40f79e68858eb7812b85fbe1

SHA256
3156a3e6b0d60f578d67681e0e8831c7b81b8f3cbeb72683419bb23e4c1ce10b

SHA512
5400c3d36c7783deb9c05d415cbf01a8071d6aaa9362e3d90b432d0acda7a0a3735059520cb30a7f760f0a660d1e9a13e7d3a705048ec66fdb35799704c40da3

Download Submit
C:\Windows\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe

Filesize
216KB

MD5
9275979d5f046cb3042cf853ec93fc87

SHA1
c9e16b450263cfc7347ea5d031e32a0e10db85b0

SHA256
91affc1867384ac1fb8fab4a3a98e309dcb315c0cbcff4169f69404102a62564

SHA512
6c43c7f90dca320ea0b4f1e2384e59a991efbdd9e690c80b3b7ac6036088124af2e0f714f38beb0a6e7bb247f99851d0300dd30343b2a5f1ebe660f735b4bebb

Download Submit
C:\Windows\{864522D6-A3A7-43f6-8D09-9191426F9075}.exe

Filesize
216KB

MD5
9275979d5f046cb3042cf853ec93fc87

SHA1
c9e16b450263cfc7347ea5d031e32a0e10db85b0

SHA256
91affc1867384ac1fb8fab4a3a98e309dcb315c0cbcff4169f69404102a62564

SHA512
6c43c7f90dca320ea0b4f1e2384e59a991efbdd9e690c80b3b7ac6036088124af2e0f714f38beb0a6e7bb247f99851d0300dd30343b2a5f1ebe660f735b4bebb

Download Submit
C:\Windows\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe

Filesize
216KB

MD5
109d52b50f2db7115b78fda0b1211430

SHA1
75a8a75fb9445afe8af28023286dd5bc094e93a4

SHA256
7d86077cced2a1cdfa1841156d472f5c39cdedb91ceebe0f9afb5659ad876163

SHA512
4bb749461be8ded7481111482144272e69db7e7ae57f31d26021be47ad3dcd78ca300d1c9c274bf42dde859986cebb04639da112a6be762ad3e59989926ce92c

Download Submit
C:\Windows\{8705FBFD-5900-48a0-BFFF-17EF1B67D44F}.exe

Filesize
216KB

MD5
109d52b50f2db7115b78fda0b1211430

SHA1
75a8a75fb9445afe8af28023286dd5bc094e93a4

SHA256
7d86077cced2a1cdfa1841156d472f5c39cdedb91ceebe0f9afb5659ad876163

SHA512
4bb749461be8ded7481111482144272e69db7e7ae57f31d26021be47ad3dcd78ca300d1c9c274bf42dde859986cebb04639da112a6be762ad3e59989926ce92c

Download Submit
C:\Windows\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe

Filesize
216KB

MD5
21e2fb509c7075bcc3ff960dacd651b5

SHA1
a5887ba2777937dbe2b38ef535861ea7d57593c8

SHA256
b892d3839e83528d5a7f4afe25649f984d51158311b9138fcd95d1b574469bea

SHA512
4d233c60e6a53cd93767a2f6c4eaba13fedc609f8b1c85241add86db060dac243c5e8bfc42366c00f6157a90128c089b2c64853ab3ec166879a61e715fe5840c

Download Submit
C:\Windows\{8FCC4EB0-D0E0-4f25-AB2B-8FA79868EE85}.exe

Filesize
216KB

MD5
21e2fb509c7075bcc3ff960dacd651b5

SHA1
a5887ba2777937dbe2b38ef535861ea7d57593c8

SHA256
b892d3839e83528d5a7f4afe25649f984d51158311b9138fcd95d1b574469bea

SHA512
4d233c60e6a53cd93767a2f6c4eaba13fedc609f8b1c85241add86db060dac243c5e8bfc42366c00f6157a90128c089b2c64853ab3ec166879a61e715fe5840c

Download Submit
C:\Windows\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe

Filesize
216KB

MD5
8fb619399613d189ecf3ff0fd80a3c54

SHA1
2c2f40aeec2392248ae018d1805b8b1d9fd6eb94

SHA256
4e6d64b139c85f8a16875c9933b34f94c690671459e3232d0c78b9736b02af84

SHA512
2921c61a72a5781a4323068a9f8dac8e4a6e0ba59482e93d4a20df83eb9f471beb132f7b2d323813a9af50d27a0d25e8938337defba31f54234ccaa9378363e6

Download Submit
C:\Windows\{B18BF911-32E4-42c1-8C17-8ECB584C02E9}.exe

Filesize
216KB

MD5
8fb619399613d189ecf3ff0fd80a3c54

SHA1
2c2f40aeec2392248ae018d1805b8b1d9fd6eb94

SHA256
4e6d64b139c85f8a16875c9933b34f94c690671459e3232d0c78b9736b02af84

SHA512
2921c61a72a5781a4323068a9f8dac8e4a6e0ba59482e93d4a20df83eb9f471beb132f7b2d323813a9af50d27a0d25e8938337defba31f54234ccaa9378363e6

Download Submit
C:\Windows\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe

Filesize
216KB

MD5
7fb7a853d90eb4d506d1abdb2866bd93

SHA1
08e3d4e9277d3d635c7b4d45843295b8236194c7

SHA256
e009c20b96770fb2f824d071fc2e601c9adde6c4f4cc26eea429186f681de4ab

SHA512
91dc6f46fe779f6b7ea6fb43051765605cf951f573ab98b1e94a6dc085475528d20e3dd5211847a7c93228820c0627296b62fb9e1966df483d6a4101b8e04ab1

Download Submit
C:\Windows\{DF11F2F9-D8EA-48c4-8452-63ABEB664309}.exe

Filesize
216KB

MD5
7fb7a853d90eb4d506d1abdb2866bd93

SHA1
08e3d4e9277d3d635c7b4d45843295b8236194c7

SHA256
e009c20b96770fb2f824d071fc2e601c9adde6c4f4cc26eea429186f681de4ab

SHA512
91dc6f46fe779f6b7ea6fb43051765605cf951f573ab98b1e94a6dc085475528d20e3dd5211847a7c93228820c0627296b62fb9e1966df483d6a4101b8e04ab1

Download Submit
C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe

Filesize
216KB

MD5
dc1e56d957103f62d33c3c2ec4202c30

SHA1
a3a00fd835e6862cd179ec2fbd4c7352f98f30a1

SHA256
9f4b4b01d5d74f1b8658efac65fc843197b4507c52596ce2d0b2e5e28e5c1695

SHA512
f4ecf3edef8c2b45766dbdb7bd21ee5a15d4d5716d1b33340c08d29ea616f94cf3038ff38e0e3f5ed58a8db267e20d664da73b82e4ef9006f58d64f9dad4dacf

Download Submit
C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe

Filesize
216KB

MD5
dc1e56d957103f62d33c3c2ec4202c30

SHA1
a3a00fd835e6862cd179ec2fbd4c7352f98f30a1

SHA256
9f4b4b01d5d74f1b8658efac65fc843197b4507c52596ce2d0b2e5e28e5c1695

SHA512
f4ecf3edef8c2b45766dbdb7bd21ee5a15d4d5716d1b33340c08d29ea616f94cf3038ff38e0e3f5ed58a8db267e20d664da73b82e4ef9006f58d64f9dad4dacf

Download Submit
C:\Windows\{F268AE53-961D-4758-8FB1-3F7A6252F4CB}.exe

Filesize
216KB

MD5
dc1e56d957103f62d33c3c2ec4202c30

SHA1
a3a00fd835e6862cd179ec2fbd4c7352f98f30a1

SHA256
9f4b4b01d5d74f1b8658efac65fc843197b4507c52596ce2d0b2e5e28e5c1695

SHA512
f4ecf3edef8c2b45766dbdb7bd21ee5a15d4d5716d1b33340c08d29ea616f94cf3038ff38e0e3f5ed58a8db267e20d664da73b82e4ef9006f58d64f9dad4dacf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads