6fa2afe27207708bd9262e3b271dea0301f79032611cb579018842ee1952a915

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Size

204KB
MD5

9aa10fcfd350b7a05b41de6972ab8827
SHA1

edc141fc5be807828f69f9ca36e3a0b1201f7f9b
SHA256

6fa2afe27207708bd9262e3b271dea0301f79032611cb579018842ee1952a915
SHA512

efe4fede9023b9bbd69d36bc9e322cf79bd7117e302aa1bb833bde0f451c895213875e011ac15ab4a49551fd04b54c1f6a76a133703ab3d739293288a172982e
SSDEEP

1536:1EGh0oYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oYl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55C1ADE-AC30-44b9-94B7-955962C16327}	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D55C1ADE-AC30-44b9-94B7-955962C16327}\stubpath = "C:\\Windows\\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe"	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BF46020-5CCC-4071-A619-734673BD5C2F}	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BF46020-5CCC-4071-A619-734673BD5C2F}\stubpath = "C:\\Windows\\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe"	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11395E9B-2A41-42d2-BD34-FE8A092A3981}	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11395E9B-2A41-42d2-BD34-FE8A092A3981}\stubpath = "C:\\Windows\\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe"	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}\stubpath = "C:\\Windows\\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe"	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}\stubpath = "C:\\Windows\\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe"	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}	{5178ACF1-329C-426d-A3C6-07520814787F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}\stubpath = "C:\\Windows\\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe"	{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98545BF5-3718-4c06-8669-9B5B554BEFD6}\stubpath = "C:\\Windows\\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe"	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1D53578-B47A-4946-B938-4707BB7081B9}\stubpath = "C:\\Windows\\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe"	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}\stubpath = "C:\\Windows\\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe"	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98545BF5-3718-4c06-8669-9B5B554BEFD6}	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1D53578-B47A-4946-B938-4707BB7081B9}	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5178ACF1-329C-426d-A3C6-07520814787F}	{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5178ACF1-329C-426d-A3C6-07520814787F}\stubpath = "C:\\Windows\\{5178ACF1-329C-426d-A3C6-07520814787F}.exe"	{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}\stubpath = "C:\\Windows\\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe"	{5178ACF1-329C-426d-A3C6-07520814787F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}	{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
576	{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
456	{5178ACF1-329C-426d-A3C6-07520814787F}.exe
2640	{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe
3040	{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
File created	C:\Windows\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
File created	C:\Windows\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
File created	C:\Windows\{5178ACF1-329C-426d-A3C6-07520814787F}.exe	{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
File created	C:\Windows\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe	{5178ACF1-329C-426d-A3C6-07520814787F}.exe
File created	C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
File created	C:\Windows\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
File created	C:\Windows\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
File created	C:\Windows\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe	{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe
File created	C:\Windows\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
File created	C:\Windows\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
Token: SeIncBasePriorityPrivilege	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
Token: SeIncBasePriorityPrivilege	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
Token: SeIncBasePriorityPrivilege	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
Token: SeIncBasePriorityPrivilege	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
Token: SeIncBasePriorityPrivilege	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
Token: SeIncBasePriorityPrivilege	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
Token: SeIncBasePriorityPrivilege	576	{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
Token: SeIncBasePriorityPrivilege	456	{5178ACF1-329C-426d-A3C6-07520814787F}.exe
Token: SeIncBasePriorityPrivilege	2640	{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2372	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2372	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2372	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2372	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2496	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2496	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2496	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2496	2440	9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2748	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	31
PID 2372 wrote to memory of 2748	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	31
PID 2372 wrote to memory of 2748	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	31
PID 2372 wrote to memory of 2748	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	31
PID 2372 wrote to memory of 2612	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	32
PID 2372 wrote to memory of 2612	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	32
PID 2372 wrote to memory of 2612	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	32
PID 2372 wrote to memory of 2612	2372	{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe	32
PID 2748 wrote to memory of 2836	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	35
PID 2748 wrote to memory of 2836	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	35
PID 2748 wrote to memory of 2836	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	35
PID 2748 wrote to memory of 2836	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	35
PID 2748 wrote to memory of 2788	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	34
PID 2748 wrote to memory of 2788	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	34
PID 2748 wrote to memory of 2788	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	34
PID 2748 wrote to memory of 2788	2748	{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe	34
PID 2836 wrote to memory of 2824	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	36
PID 2836 wrote to memory of 2824	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	36
PID 2836 wrote to memory of 2824	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	36
PID 2836 wrote to memory of 2824	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	36
PID 2836 wrote to memory of 2692	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	37
PID 2836 wrote to memory of 2692	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	37
PID 2836 wrote to memory of 2692	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	37
PID 2836 wrote to memory of 2692	2836	{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe	37
PID 2824 wrote to memory of 2340	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	38
PID 2824 wrote to memory of 2340	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	38
PID 2824 wrote to memory of 2340	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	38
PID 2824 wrote to memory of 2340	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	38
PID 2824 wrote to memory of 2768	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	39
PID 2824 wrote to memory of 2768	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	39
PID 2824 wrote to memory of 2768	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	39
PID 2824 wrote to memory of 2768	2824	{D1D53578-B47A-4946-B938-4707BB7081B9}.exe	39
PID 2340 wrote to memory of 2672	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	40
PID 2340 wrote to memory of 2672	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	40
PID 2340 wrote to memory of 2672	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	40
PID 2340 wrote to memory of 2672	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	40
PID 2340 wrote to memory of 2732	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	41
PID 2340 wrote to memory of 2732	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	41
PID 2340 wrote to memory of 2732	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	41
PID 2340 wrote to memory of 2732	2340	{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe	41
PID 2672 wrote to memory of 2436	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	42
PID 2672 wrote to memory of 2436	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	42
PID 2672 wrote to memory of 2436	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	42
PID 2672 wrote to memory of 2436	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	42
PID 2672 wrote to memory of 2552	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	43
PID 2672 wrote to memory of 2552	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	43
PID 2672 wrote to memory of 2552	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	43
PID 2672 wrote to memory of 2552	2672	{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe	43
PID 2436 wrote to memory of 576	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	44
PID 2436 wrote to memory of 576	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	44
PID 2436 wrote to memory of 576	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	44
PID 2436 wrote to memory of 576	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	44
PID 2436 wrote to memory of 980	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	45
PID 2436 wrote to memory of 980	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	45
PID 2436 wrote to memory of 980	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	45
PID 2436 wrote to memory of 980	2436	{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe	45

C:\Users\Admin\AppData\Local\Temp\9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9aa10fcfd350b7a05b41de6972ab8827_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
  C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
    C:\Windows\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11395~1.EXE > nul
      4⤵
      PID:2788
  - - C:\Windows\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
      C:\Windows\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
        
        C:\Windows\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
        
        C:\Windows\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
        
        C:\Windows\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
        
        C:\Windows\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
        
        C:\Windows\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{5178ACF1-329C-426d-A3C6-07520814787F}.exe
        
        C:\Windows\{5178ACF1-329C-426d-A3C6-07520814787F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe
        
        C:\Windows\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe
        
        C:\Windows\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe
        12⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AB6A~1.EXE > nul
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5178A~1.EXE > nul
        11⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2F86~1.EXE > nul
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D55C1~1.EXE > nul
        9⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10ABD~1.EXE > nul
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F1DB~1.EXE > nul
        7⤵
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1D53~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98545~1.EXE > nul
        5⤵
        
        PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BF46~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AA10F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe

Filesize
204KB

MD5
52c22cd5dd7471cfbd68b5832f91a0ae

SHA1
6ec57b078f452dbed8354b3c286ee394b93471a3

SHA256
f768382a13b0d5d60e7933bb4c68bb874b96362f03686c2bade324dc4c365bb9

SHA512
93fc315626af7f4ceb22e5170eafb478a54ebe75837c72af281a6f69d208938a24726146f7c1c17d0de1c57b05a5a9970a15fdc759fab91362169b3f9ae5e7e3

Download Submit
C:\Windows\{10ABDCAB-7961-4c5c-8BBD-CD4C66277EED}.exe

Filesize
204KB

MD5
52c22cd5dd7471cfbd68b5832f91a0ae

SHA1
6ec57b078f452dbed8354b3c286ee394b93471a3

SHA256
f768382a13b0d5d60e7933bb4c68bb874b96362f03686c2bade324dc4c365bb9

SHA512
93fc315626af7f4ceb22e5170eafb478a54ebe75837c72af281a6f69d208938a24726146f7c1c17d0de1c57b05a5a9970a15fdc759fab91362169b3f9ae5e7e3

Download Submit
C:\Windows\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe

Filesize
204KB

MD5
83fb430a6dcd49741d2dc9377d0df525

SHA1
2b7f74a49f741c4039fb09b0d1a070f269a44ab9

SHA256
3acabff94cffaa27184b31cef397e3bfcfa029561ec59c115d06f8361e42e30c

SHA512
49fbc1156b231838f0a05834ca01b49072a624d77c3ed6e62b5fe3075e5ee81bd7c2faf21917e921d6256fc0237e91ec38c445fb929042b49083d8caa0559d34

Download Submit
C:\Windows\{11395E9B-2A41-42d2-BD34-FE8A092A3981}.exe

Filesize
204KB

MD5
83fb430a6dcd49741d2dc9377d0df525

SHA1
2b7f74a49f741c4039fb09b0d1a070f269a44ab9

SHA256
3acabff94cffaa27184b31cef397e3bfcfa029561ec59c115d06f8361e42e30c

SHA512
49fbc1156b231838f0a05834ca01b49072a624d77c3ed6e62b5fe3075e5ee81bd7c2faf21917e921d6256fc0237e91ec38c445fb929042b49083d8caa0559d34

Download Submit
C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe

Filesize
204KB

MD5
3809c44a8f767baebc1bd0df8ca86929

SHA1
48a7d13023e1b3385204aabf25a5572d8382b836

SHA256
24f0510f43d8ed2290a7f10c94573314d24fa152233657e2c6bdcd60ee6587bb

SHA512
430fe1ca2c82c58a6683a3aac20a78df1573c2c6ef70ce8df8a0677ca60a5caa43af3c3dd8a457001860ab173710a815fedb40d7c283079b29665c97f3c9f522

Download Submit
C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe

Filesize
204KB

MD5
3809c44a8f767baebc1bd0df8ca86929

SHA1
48a7d13023e1b3385204aabf25a5572d8382b836

SHA256
24f0510f43d8ed2290a7f10c94573314d24fa152233657e2c6bdcd60ee6587bb

SHA512
430fe1ca2c82c58a6683a3aac20a78df1573c2c6ef70ce8df8a0677ca60a5caa43af3c3dd8a457001860ab173710a815fedb40d7c283079b29665c97f3c9f522

Download Submit
C:\Windows\{1BF46020-5CCC-4071-A619-734673BD5C2F}.exe

Filesize
204KB

MD5
3809c44a8f767baebc1bd0df8ca86929

SHA1
48a7d13023e1b3385204aabf25a5572d8382b836

SHA256
24f0510f43d8ed2290a7f10c94573314d24fa152233657e2c6bdcd60ee6587bb

SHA512
430fe1ca2c82c58a6683a3aac20a78df1573c2c6ef70ce8df8a0677ca60a5caa43af3c3dd8a457001860ab173710a815fedb40d7c283079b29665c97f3c9f522

Download Submit
C:\Windows\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe

Filesize
204KB

MD5
a55dbf027ea511dd0e741c96d0bdb103

SHA1
ea5f69540916159c60b7ccadd3766123427591c6

SHA256
29e6e04262367e3b5253d81f256424e0ecb49689a77e6c0cfe7f87fdaab1b47a

SHA512
4dba41aa552f626ad8ef2b900c19f12cf93f0b77af58e72802772975a8ba8d90565b221b411854393f1d80800f24ed467c668412bfe606f5862c05ef792b9d74

Download Submit
C:\Windows\{4F1DBF51-9E83-4b3f-AF2C-C8A7ECD2F2AB}.exe

Filesize
204KB

MD5
a55dbf027ea511dd0e741c96d0bdb103

SHA1
ea5f69540916159c60b7ccadd3766123427591c6

SHA256
29e6e04262367e3b5253d81f256424e0ecb49689a77e6c0cfe7f87fdaab1b47a

SHA512
4dba41aa552f626ad8ef2b900c19f12cf93f0b77af58e72802772975a8ba8d90565b221b411854393f1d80800f24ed467c668412bfe606f5862c05ef792b9d74

Download Submit
C:\Windows\{5178ACF1-329C-426d-A3C6-07520814787F}.exe

Filesize
204KB

MD5
085a7c2f3c9ff95af9146290e8f2691b

SHA1
7be25dcb8bec389fb774336554cb2f3334df7bef

SHA256
076ea317885daf5d792a98de94a4d5399ba10861362e310e9c10daa9721bd66f

SHA512
c3e6f69204b024153ff8d8628b108bd00d8aec1ddaaf17a7884cdf363535106618a7e8fe860b0b176b3a467fcd9232a8e79f0f240f9da7083a3edf40a5ed06b5

Download Submit
C:\Windows\{5178ACF1-329C-426d-A3C6-07520814787F}.exe

Filesize
204KB

MD5
085a7c2f3c9ff95af9146290e8f2691b

SHA1
7be25dcb8bec389fb774336554cb2f3334df7bef

SHA256
076ea317885daf5d792a98de94a4d5399ba10861362e310e9c10daa9721bd66f

SHA512
c3e6f69204b024153ff8d8628b108bd00d8aec1ddaaf17a7884cdf363535106618a7e8fe860b0b176b3a467fcd9232a8e79f0f240f9da7083a3edf40a5ed06b5

Download Submit
C:\Windows\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe

Filesize
204KB

MD5
d328bdd29c4e55bd543ff262d69e4207

SHA1
f9fefbc433c5468e792e79196e4366d9deacd83f

SHA256
ee469fb18072189ab0232d9bf2ada79635e540dc2dea02895354da89a16246a2

SHA512
b0c72a8e9e5da71c23820938e26c827c7b3c148f7798acafe920149392c694c56f5d63c80e0c205d824485a1d4c288e46779c475ef0d378146d5d49f8a899cc6

Download Submit
C:\Windows\{5AB6A567-57D1-4cbe-85D8-ADF7CD6EC4DE}.exe

Filesize
204KB

MD5
d328bdd29c4e55bd543ff262d69e4207

SHA1
f9fefbc433c5468e792e79196e4366d9deacd83f

SHA256
ee469fb18072189ab0232d9bf2ada79635e540dc2dea02895354da89a16246a2

SHA512
b0c72a8e9e5da71c23820938e26c827c7b3c148f7798acafe920149392c694c56f5d63c80e0c205d824485a1d4c288e46779c475ef0d378146d5d49f8a899cc6

Download Submit
C:\Windows\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe

Filesize
204KB

MD5
66b641cea037ce146d01be23f09de8bf

SHA1
dc75892f48f467feabede3393729ec74a8953dd5

SHA256
bec1e8e586894bffdc5e8018aa6bd8a3035ce74c1c3b4bcadaa084ccd4835566

SHA512
8a33d72d49fb7821b36c0972d2468283e0986b8e3eeb90bad416224a088c1468093f9bc9d41010d0d9eb5ddc5bfbb05188f463c3c80ec861d4e859f8eddc6887

Download Submit
C:\Windows\{98545BF5-3718-4c06-8669-9B5B554BEFD6}.exe

Filesize
204KB

MD5
66b641cea037ce146d01be23f09de8bf

SHA1
dc75892f48f467feabede3393729ec74a8953dd5

SHA256
bec1e8e586894bffdc5e8018aa6bd8a3035ce74c1c3b4bcadaa084ccd4835566

SHA512
8a33d72d49fb7821b36c0972d2468283e0986b8e3eeb90bad416224a088c1468093f9bc9d41010d0d9eb5ddc5bfbb05188f463c3c80ec861d4e859f8eddc6887

Download Submit
C:\Windows\{B94A5168-7FEB-485e-AEE7-AEB20B2C1925}.exe

Filesize
204KB

MD5
cbdc939a83c0f8b9d277ca9cf38f7591

SHA1
b5c49a4c462e528b3db2f9e0970119d854fa0709

SHA256
a6ff058e62a9f2a5d90c4b034aff7440154b3c2d5749cba74ef0aac5ef36743c

SHA512
055b90e265b38e4dabf7ff51503039f5dc672fd164c62303e82899674f18357b3ffe27253e6d8467f1f289167b5faed2558d7809d8ef7c85a79453bae3ffb731

Download Submit
C:\Windows\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe

Filesize
204KB

MD5
51c0643711f74287820eb6f53168245b

SHA1
60218135a77e0968f8067dbed6d4fd7dc52cd081

SHA256
3f9bd4d53eae96c28c20122e92f215a083c118e785f649de76fb38c3d1d14526

SHA512
334679592ce51234bd406f770e4ed9e590e27eacd0c006280f4f3dcc30b7d65f167c8194d405b8cdd28d2feca7d4fe253085f5b757004060e9ddb1b26a338516

Download Submit
C:\Windows\{D1D53578-B47A-4946-B938-4707BB7081B9}.exe

Filesize
204KB

MD5
51c0643711f74287820eb6f53168245b

SHA1
60218135a77e0968f8067dbed6d4fd7dc52cd081

SHA256
3f9bd4d53eae96c28c20122e92f215a083c118e785f649de76fb38c3d1d14526

SHA512
334679592ce51234bd406f770e4ed9e590e27eacd0c006280f4f3dcc30b7d65f167c8194d405b8cdd28d2feca7d4fe253085f5b757004060e9ddb1b26a338516

Download Submit
C:\Windows\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe

Filesize
204KB

MD5
b7c205bd49ef6581f45bc473b42871ef

SHA1
4a843a2e3c0a515e9f1eba4120a0b4ff3fef7ccb

SHA256
ace5997d30850bbddd2580cad27e5d217b8161f6a0eda946e9529fc651b85076

SHA512
b5b4843db3900dcf32934d7e9258e920b1292863dbee33efa0db0115738c20ed76ebd68f6a8e892db43f8d48c241489b2bff6f0fe53131068cecb723f0dd4be8

Download Submit
C:\Windows\{D55C1ADE-AC30-44b9-94B7-955962C16327}.exe

Filesize
204KB

MD5
b7c205bd49ef6581f45bc473b42871ef

SHA1
4a843a2e3c0a515e9f1eba4120a0b4ff3fef7ccb

SHA256
ace5997d30850bbddd2580cad27e5d217b8161f6a0eda946e9529fc651b85076

SHA512
b5b4843db3900dcf32934d7e9258e920b1292863dbee33efa0db0115738c20ed76ebd68f6a8e892db43f8d48c241489b2bff6f0fe53131068cecb723f0dd4be8

Download Submit
C:\Windows\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe

Filesize
204KB

MD5
4ee45bff539f48fe311e55b095345ec3

SHA1
1f009c79944be92bf5f375ee07db9754c112f687

SHA256
c4c2bfea487d15fc9f9149925034fb72c82461469075503295e15325375d24a2

SHA512
d6bb41ac4b602f1cb70c0c9aa71ee957c88a0e9b67712dfdfd44788c24882eef96ebeb34d02dc4749b01b3136392732f9fdad2301738a7e0659f3e1e98804c6a

Download Submit
C:\Windows\{F2F86DD4-C7BA-4f94-81D1-1CD62A5CD0B1}.exe

Filesize
204KB

MD5
4ee45bff539f48fe311e55b095345ec3

SHA1
1f009c79944be92bf5f375ee07db9754c112f687

SHA256
c4c2bfea487d15fc9f9149925034fb72c82461469075503295e15325375d24a2

SHA512
d6bb41ac4b602f1cb70c0c9aa71ee957c88a0e9b67712dfdfd44788c24882eef96ebeb34d02dc4749b01b3136392732f9fdad2301738a7e0659f3e1e98804c6a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads