9ac8098d03f9e364e8da20692376d342f7e786fdd0a7b295e9c2f5b5f94d36da

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
Size

216KB
MD5

9aeb96dd957727a3f159d12c0e057696
SHA1

15e8b4a4cff7d5830039aa79167f74d465cdcfa9
SHA256

9ac8098d03f9e364e8da20692376d342f7e786fdd0a7b295e9c2f5b5f94d36da
SHA512

a828a242d56d957587909473c680afaa926c94dd46ca6e46b7fc7b4eecd70edcbfe5bd03f626e9b2af0e1dec0e1c85b647cfb260ebd28cfb1c919ded3e28c7d1
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81570652-B856-4876-985C-7EC52F255590}\stubpath = "C:\\Windows\\{81570652-B856-4876-985C-7EC52F255590}.exe"	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}\stubpath = "C:\\Windows\\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe"	{89609155-427F-4a5d-8829-1F8F8408B130}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}\stubpath = "C:\\Windows\\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe"	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}	{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}\stubpath = "C:\\Windows\\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe"	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81570652-B856-4876-985C-7EC52F255590}	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89609155-427F-4a5d-8829-1F8F8408B130}\stubpath = "C:\\Windows\\{89609155-427F-4a5d-8829-1F8F8408B130}.exe"	{81570652-B856-4876-985C-7EC52F255590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}\stubpath = "C:\\Windows\\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe"	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}\stubpath = "C:\\Windows\\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe"	{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}\stubpath = "C:\\Windows\\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe"	{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC28F21C-469B-47e1-8377-2E2FE451346E}	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC28F21C-469B-47e1-8377-2E2FE451346E}\stubpath = "C:\\Windows\\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe"	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}\stubpath = "C:\\Windows\\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe"	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}\stubpath = "C:\\Windows\\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe"	{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89609155-427F-4a5d-8829-1F8F8408B130}	{81570652-B856-4876-985C-7EC52F255590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}	{89609155-427F-4a5d-8829-1F8F8408B130}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}	{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}	{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe

Deletes itself 1 IoCs

pid	Process
1744	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
2484	{81570652-B856-4876-985C-7EC52F255590}.exe
2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe
2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
1988	{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
3060	{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
2820	{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe
1940	{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe	{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe
File created	C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
File created	C:\Windows\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
File created	C:\Windows\{81570652-B856-4876-985C-7EC52F255590}.exe	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
File created	C:\Windows\{89609155-427F-4a5d-8829-1F8F8408B130}.exe	{81570652-B856-4876-985C-7EC52F255590}.exe
File created	C:\Windows\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
File created	C:\Windows\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe	{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
File created	C:\Windows\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe	{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
File created	C:\Windows\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	{89609155-427F-4a5d-8829-1F8F8408B130}.exe
File created	C:\Windows\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
File created	C:\Windows\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
Token: SeIncBasePriorityPrivilege	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
Token: SeIncBasePriorityPrivilege	2484	{81570652-B856-4876-985C-7EC52F255590}.exe
Token: SeIncBasePriorityPrivilege	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe
Token: SeIncBasePriorityPrivilege	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
Token: SeIncBasePriorityPrivilege	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
Token: SeIncBasePriorityPrivilege	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
Token: SeIncBasePriorityPrivilege	1988	{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
Token: SeIncBasePriorityPrivilege	3060	{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
Token: SeIncBasePriorityPrivilege	2820	{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2404	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	28
PID 2168 wrote to memory of 2404	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	28
PID 2168 wrote to memory of 2404	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	28
PID 2168 wrote to memory of 2404	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	28
PID 2168 wrote to memory of 1744	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	29
PID 2168 wrote to memory of 1744	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	29
PID 2168 wrote to memory of 1744	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	29
PID 2168 wrote to memory of 1744	2168	9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe	29
PID 2404 wrote to memory of 2880	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	32
PID 2404 wrote to memory of 2880	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	32
PID 2404 wrote to memory of 2880	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	32
PID 2404 wrote to memory of 2880	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	32
PID 2404 wrote to memory of 2668	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	33
PID 2404 wrote to memory of 2668	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	33
PID 2404 wrote to memory of 2668	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	33
PID 2404 wrote to memory of 2668	2404	{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe	33
PID 2880 wrote to memory of 2484	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	34
PID 2880 wrote to memory of 2484	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	34
PID 2880 wrote to memory of 2484	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	34
PID 2880 wrote to memory of 2484	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	34
PID 2880 wrote to memory of 1608	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	35
PID 2880 wrote to memory of 1608	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	35
PID 2880 wrote to memory of 1608	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	35
PID 2880 wrote to memory of 1608	2880	{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe	35
PID 2484 wrote to memory of 2276	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	36
PID 2484 wrote to memory of 2276	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	36
PID 2484 wrote to memory of 2276	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	36
PID 2484 wrote to memory of 2276	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	36
PID 2484 wrote to memory of 2892	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	37
PID 2484 wrote to memory of 2892	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	37
PID 2484 wrote to memory of 2892	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	37
PID 2484 wrote to memory of 2892	2484	{81570652-B856-4876-985C-7EC52F255590}.exe	37
PID 2276 wrote to memory of 2948	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	38
PID 2276 wrote to memory of 2948	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	38
PID 2276 wrote to memory of 2948	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	38
PID 2276 wrote to memory of 2948	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	38
PID 2276 wrote to memory of 2744	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	39
PID 2276 wrote to memory of 2744	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	39
PID 2276 wrote to memory of 2744	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	39
PID 2276 wrote to memory of 2744	2276	{89609155-427F-4a5d-8829-1F8F8408B130}.exe	39
PID 2948 wrote to memory of 2800	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	40
PID 2948 wrote to memory of 2800	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	40
PID 2948 wrote to memory of 2800	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	40
PID 2948 wrote to memory of 2800	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	40
PID 2948 wrote to memory of 2312	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	41
PID 2948 wrote to memory of 2312	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	41
PID 2948 wrote to memory of 2312	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	41
PID 2948 wrote to memory of 2312	2948	{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe	41
PID 2800 wrote to memory of 2204	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	42
PID 2800 wrote to memory of 2204	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	42
PID 2800 wrote to memory of 2204	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	42
PID 2800 wrote to memory of 2204	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	42
PID 2800 wrote to memory of 1856	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	43
PID 2800 wrote to memory of 1856	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	43
PID 2800 wrote to memory of 1856	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	43
PID 2800 wrote to memory of 1856	2800	{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe	43
PID 2204 wrote to memory of 1988	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	44
PID 2204 wrote to memory of 1988	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	44
PID 2204 wrote to memory of 1988	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	44
PID 2204 wrote to memory of 1988	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	44
PID 2204 wrote to memory of 2812	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	45
PID 2204 wrote to memory of 2812	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	45
PID 2204 wrote to memory of 2812	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	45
PID 2204 wrote to memory of 2812	2204	{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe	45

C:\Users\Admin\AppData\Local\Temp\9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9aeb96dd957727a3f159d12c0e057696_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
  C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
    C:\Windows\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{81570652-B856-4876-985C-7EC52F255590}.exe
      C:\Windows\{81570652-B856-4876-985C-7EC52F255590}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{89609155-427F-4a5d-8829-1F8F8408B130}.exe
        
        C:\Windows\{89609155-427F-4a5d-8829-1F8F8408B130}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
        
        C:\Windows\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
        
        C:\Windows\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
        
        C:\Windows\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
        
        C:\Windows\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
        
        C:\Windows\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe
        
        C:\Windows\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe
        
        C:\Windows\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe
        12⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8F6B~1.EXE > nul
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFB3C~1.EXE > nul
        11⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{632E5~1.EXE > nul
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51C57~1.EXE > nul
        9⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30B29~1.EXE > nul
        8⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163A2~1.EXE > nul
        7⤵
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89609~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81570~1.EXE > nul
        5⤵
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC28F~1.EXE > nul
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A2D0~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AEB96~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe

Filesize
216KB

MD5
1fea8acde78cca687fc3d59fd351f8ad

SHA1
a2926e3a4b3e7ce40c1648aaed3d66edfe8fadf0

SHA256
46945ce2b13afafe29f17bcde96162bc0181a73cc44b6f1b62e097fb32deeeb6

SHA512
da7ecb09dc4144ca063407fb6ff82e56c0bdf9480b4cd3347e8e733518f15b02fd4116ff26d58589134084908e6b69bdf8b42cd420dbcb43671704945d2fe5a0

Download Submit
C:\Windows\{163A2A28-1DD6-48e3-8F31-7FBB4629520E}.exe

Filesize
216KB

MD5
1fea8acde78cca687fc3d59fd351f8ad

SHA1
a2926e3a4b3e7ce40c1648aaed3d66edfe8fadf0

SHA256
46945ce2b13afafe29f17bcde96162bc0181a73cc44b6f1b62e097fb32deeeb6

SHA512
da7ecb09dc4144ca063407fb6ff82e56c0bdf9480b4cd3347e8e733518f15b02fd4116ff26d58589134084908e6b69bdf8b42cd420dbcb43671704945d2fe5a0

Download Submit
C:\Windows\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe

Filesize
216KB

MD5
435dad602370a1327384e117dc8b40bc

SHA1
fb07ac561e90bee2e59c8fdb1c35ce8fb57a6dda

SHA256
62ece2e089bf71c41409bf70e3aaa4aa269bd1d8d779bd4fdc2ddf74df31a4d9

SHA512
be5ca2b0c44f51ee761f0f9c02f0bc2b9e88c8f4f7ae12f059d517ecf93bb2b8fe93396d568a5dee476a0d267dda33863fbe08c95057c48719f356b491cf5813

Download Submit
C:\Windows\{30B29DAB-E6AB-4208-9C0C-E4587B6F4B7A}.exe

Filesize
216KB

MD5
435dad602370a1327384e117dc8b40bc

SHA1
fb07ac561e90bee2e59c8fdb1c35ce8fb57a6dda

SHA256
62ece2e089bf71c41409bf70e3aaa4aa269bd1d8d779bd4fdc2ddf74df31a4d9

SHA512
be5ca2b0c44f51ee761f0f9c02f0bc2b9e88c8f4f7ae12f059d517ecf93bb2b8fe93396d568a5dee476a0d267dda33863fbe08c95057c48719f356b491cf5813

Download Submit
C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe

Filesize
216KB

MD5
e40576b7e8eabab59d85f597d3914b69

SHA1
9b1a06360b85a9f56cd3cd5ba95c53da53a4baf3

SHA256
4611746fadbd9c56bbcefb9b79e49c821b55b6f9b7dc67501f8c8ee0c0f23a34

SHA512
18ca61426a3bce55b1f5e997cace579796ee8f656040958af43ff16fe1a0b67142d54d6eeee48faaa1764206a733f6b1fac9f93b6e6f4e143dba598ed666ded9

Download Submit
C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe

Filesize
216KB

MD5
e40576b7e8eabab59d85f597d3914b69

SHA1
9b1a06360b85a9f56cd3cd5ba95c53da53a4baf3

SHA256
4611746fadbd9c56bbcefb9b79e49c821b55b6f9b7dc67501f8c8ee0c0f23a34

SHA512
18ca61426a3bce55b1f5e997cace579796ee8f656040958af43ff16fe1a0b67142d54d6eeee48faaa1764206a733f6b1fac9f93b6e6f4e143dba598ed666ded9

Download Submit
C:\Windows\{3A2D00DE-8355-4b4e-A3E9-B625A8501168}.exe

Filesize
216KB

MD5
e40576b7e8eabab59d85f597d3914b69

SHA1
9b1a06360b85a9f56cd3cd5ba95c53da53a4baf3

SHA256
4611746fadbd9c56bbcefb9b79e49c821b55b6f9b7dc67501f8c8ee0c0f23a34

SHA512
18ca61426a3bce55b1f5e997cace579796ee8f656040958af43ff16fe1a0b67142d54d6eeee48faaa1764206a733f6b1fac9f93b6e6f4e143dba598ed666ded9

Download Submit
C:\Windows\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe

Filesize
216KB

MD5
6c32029d5f4bde96d84c2b6ca2369de7

SHA1
12f89c0d22c78ebf18ae4dbfaac42835e0bf119d

SHA256
20c26fa882275189ee92d6f3d539d42c8bb987f8a67aab9681b83037929b04ca

SHA512
770124b510b6b5027ae54028aaa0bf0796ff736d789a72e547a3b3feec9a3614595b87d455404eeffa62a17c42f6ee8e86fbcd6d968f8e0cd84fcece3e21a9e2

Download Submit
C:\Windows\{51C57B0E-3E4F-4a37-B7A9-F610494E6C4A}.exe

Filesize
216KB

MD5
6c32029d5f4bde96d84c2b6ca2369de7

SHA1
12f89c0d22c78ebf18ae4dbfaac42835e0bf119d

SHA256
20c26fa882275189ee92d6f3d539d42c8bb987f8a67aab9681b83037929b04ca

SHA512
770124b510b6b5027ae54028aaa0bf0796ff736d789a72e547a3b3feec9a3614595b87d455404eeffa62a17c42f6ee8e86fbcd6d968f8e0cd84fcece3e21a9e2

Download Submit
C:\Windows\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe

Filesize
216KB

MD5
d2fed03501ad2929994aad50d3227e9e

SHA1
fd44f6b877101c112e2252206e28c6d75cbb6b45

SHA256
855a962fb406b8fddbbb4c7edb13b157bc798d463d0bd36e664538026daf9ee5

SHA512
4c0ff74d59cae03ca16a2a047bdd430a4a013dc0ed204ac8ea66dca7c6ef697f1c604291fc772ed34f678efa2d354c2f0049c1ad849ecbe1f32834101c77dc1b

Download Submit
C:\Windows\{632E5FCA-6413-4ecb-95D8-FA88BB05C07E}.exe

Filesize
216KB

MD5
d2fed03501ad2929994aad50d3227e9e

SHA1
fd44f6b877101c112e2252206e28c6d75cbb6b45

SHA256
855a962fb406b8fddbbb4c7edb13b157bc798d463d0bd36e664538026daf9ee5

SHA512
4c0ff74d59cae03ca16a2a047bdd430a4a013dc0ed204ac8ea66dca7c6ef697f1c604291fc772ed34f678efa2d354c2f0049c1ad849ecbe1f32834101c77dc1b

Download Submit
C:\Windows\{72DCFAC1-4B05-4c51-A3EF-1030D39A4E18}.exe

Filesize
216KB

MD5
dde186bb3d6b86dff04a115e4cadf406

SHA1
858667da5d0890874b34223d7843ee2f4dbf8549

SHA256
c99c51e9aad692ef24996777aea3378166c68fc2448c8e333b0bf6fbf4823df3

SHA512
c4c1ff4a8156aa64dca930f8356791c63864c73d0931b2517ff867398d5e70a12080ee03be235ac473f8ee8c0095e66bc9369a75234f93728b46c82607e32e4d

Download Submit
C:\Windows\{81570652-B856-4876-985C-7EC52F255590}.exe

Filesize
216KB

MD5
d901285821fc5041d1dffa0b66418c52

SHA1
1bd91de4119e5483e0aeb3f4930cb244ddc2a46a

SHA256
768aba3ced81a73322b0344a0bb0f07baa376cd224c98573d8b4aa39df6fcd12

SHA512
e2f0242917cd0130dfc7d2b0bf14c28304c9b6469d35e6e42feccf152023e01bdfefae8270f28ca3fedec1f9cdaff913fa9ee3b026529f496c82fdfdde29d474

Download Submit
C:\Windows\{81570652-B856-4876-985C-7EC52F255590}.exe

Filesize
216KB

MD5
d901285821fc5041d1dffa0b66418c52

SHA1
1bd91de4119e5483e0aeb3f4930cb244ddc2a46a

SHA256
768aba3ced81a73322b0344a0bb0f07baa376cd224c98573d8b4aa39df6fcd12

SHA512
e2f0242917cd0130dfc7d2b0bf14c28304c9b6469d35e6e42feccf152023e01bdfefae8270f28ca3fedec1f9cdaff913fa9ee3b026529f496c82fdfdde29d474

Download Submit
C:\Windows\{89609155-427F-4a5d-8829-1F8F8408B130}.exe

Filesize
216KB

MD5
96a96a09f74ed33a62685315711c9802

SHA1
7e6b940510e0cc609680130cc7220ae19fcccb81

SHA256
a343f08f882fa3718a5c5ffa38d5165caed0144319b12401512c1b35735329f5

SHA512
c0524d61d1a9f73afa681b8386639843c462f1f26d7e59aa8d446927ce3e08722169dece182d49173ea1b2ae0c20cd1171336a6434ac969f566d566f37de2e3d

Download Submit
C:\Windows\{89609155-427F-4a5d-8829-1F8F8408B130}.exe

Filesize
216KB

MD5
96a96a09f74ed33a62685315711c9802

SHA1
7e6b940510e0cc609680130cc7220ae19fcccb81

SHA256
a343f08f882fa3718a5c5ffa38d5165caed0144319b12401512c1b35735329f5

SHA512
c0524d61d1a9f73afa681b8386639843c462f1f26d7e59aa8d446927ce3e08722169dece182d49173ea1b2ae0c20cd1171336a6434ac969f566d566f37de2e3d

Download Submit
C:\Windows\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe

Filesize
216KB

MD5
bc5b503bf5ff52218d938a0b4a370998

SHA1
9ca88f50484e76deb5417f52e3e58121b4a99438

SHA256
fe9755fbc023ca806d5f2c14c1f31f0d5fef6180dbaa4d425b4cf23089302d45

SHA512
2b7b1ed8dd42829be0c142536a872135835672c22aaa5456f2bd4e3b61d23b9a27296cd206a36db93ebff1ef76c1ecde2e3e75469a127384e82df537ac59d604

Download Submit
C:\Windows\{AC28F21C-469B-47e1-8377-2E2FE451346E}.exe

Filesize
216KB

MD5
bc5b503bf5ff52218d938a0b4a370998

SHA1
9ca88f50484e76deb5417f52e3e58121b4a99438

SHA256
fe9755fbc023ca806d5f2c14c1f31f0d5fef6180dbaa4d425b4cf23089302d45

SHA512
2b7b1ed8dd42829be0c142536a872135835672c22aaa5456f2bd4e3b61d23b9a27296cd206a36db93ebff1ef76c1ecde2e3e75469a127384e82df537ac59d604

Download Submit
C:\Windows\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe

Filesize
216KB

MD5
c373ff80fb5e5865f76eb2ef681f5640

SHA1
04f8f1afdd171fa09b7e5911bca9f3c9116a9a80

SHA256
0178fe31cfdac4e615ae7dd0749c0766ee9acbd22fa2faaab42a9595d03275d6

SHA512
c70a581ed638180d92222061b21c4e6fa7c5c5ac898be629f262272e03a309c78b9a63eb00a6ae005a79006c5478434536015ccdedde015e7b022e09328ff3e7

Download Submit
C:\Windows\{D8F6BB6E-8697-4703-88F8-BB45B0A5EDE7}.exe

Filesize
216KB

MD5
c373ff80fb5e5865f76eb2ef681f5640

SHA1
04f8f1afdd171fa09b7e5911bca9f3c9116a9a80

SHA256
0178fe31cfdac4e615ae7dd0749c0766ee9acbd22fa2faaab42a9595d03275d6

SHA512
c70a581ed638180d92222061b21c4e6fa7c5c5ac898be629f262272e03a309c78b9a63eb00a6ae005a79006c5478434536015ccdedde015e7b022e09328ff3e7

Download Submit
C:\Windows\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe

Filesize
216KB

MD5
93999fbb41ae3fbca8a2525ae001d6e5

SHA1
48a489e0a97051ef46df7be177cc8a2c8816dfb5

SHA256
1af5f5d50e370c9c8a34d6a4232b81b37ed4956114a12f6d6ba20e71029f6323

SHA512
197523beb34c2b7c382280e8ba4a26e1df622494ecc92edbe5c62303d267b6a730c8a2e03f5433915986916cd2a34ac5aee452e3bd9a5c453b23f3d095aaf30b

Download Submit
C:\Windows\{DFB3CAEE-CECF-4311-B460-2C3ECE20B251}.exe

Filesize
216KB

MD5
93999fbb41ae3fbca8a2525ae001d6e5

SHA1
48a489e0a97051ef46df7be177cc8a2c8816dfb5

SHA256
1af5f5d50e370c9c8a34d6a4232b81b37ed4956114a12f6d6ba20e71029f6323

SHA512
197523beb34c2b7c382280e8ba4a26e1df622494ecc92edbe5c62303d267b6a730c8a2e03f5433915986916cd2a34ac5aee452e3bd9a5c453b23f3d095aaf30b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads