167eb26a906726c454e101e56f481e32cae989ca56cab6f04b273a2186c6e17f

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Size

168KB
MD5

c9e4c70978bbdf429344cc704c9ddb70
SHA1

67422b0ec88830b8fc90ff818528d458091f29b4
SHA256

167eb26a906726c454e101e56f481e32cae989ca56cab6f04b273a2186c6e17f
SHA512

df9cec14a7d7d8084e57735896297ee474febb3c41e10c1828aeb928785e352a110c737d1559662f564206455e1f1e0942d0e44adf093fc246f569123821da00
SSDEEP

1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{473360AB-6A1B-4d13-BD2B-F394D85962DD}	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B946FB-C2CB-432a-AB55-E7822517B37A}\stubpath = "C:\\Windows\\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe"	{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}	{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}\stubpath = "C:\\Windows\\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe"	{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}	{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}\stubpath = "C:\\Windows\\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe"	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}\stubpath = "C:\\Windows\\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe"	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{473360AB-6A1B-4d13-BD2B-F394D85962DD}\stubpath = "C:\\Windows\\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe"	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}\stubpath = "C:\\Windows\\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe"	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812A9256-A491-4d48-8F97-E6917C6A4C3D}	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4048FA9-C18E-4336-B188-E80D6064C952}	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}\stubpath = "C:\\Windows\\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe"	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}\stubpath = "C:\\Windows\\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe"	{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812A9256-A491-4d48-8F97-E6917C6A4C3D}\stubpath = "C:\\Windows\\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe"	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}\stubpath = "C:\\Windows\\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe"	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4048FA9-C18E-4336-B188-E80D6064C952}\stubpath = "C:\\Windows\\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe"	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}	{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}\stubpath = "C:\\Windows\\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe"	{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B946FB-C2CB-432a-AB55-E7822517B37A}	{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe

Deletes itself 1 IoCs

pid	Process
1052	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
2888	{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
2760	{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
2744	{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
1748	{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe
1332	{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
File created	C:\Windows\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
File created	C:\Windows\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
File created	C:\Windows\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
File created	C:\Windows\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
File created	C:\Windows\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe	{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
File created	C:\Windows\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe	{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
File created	C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
File created	C:\Windows\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
File created	C:\Windows\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
File created	C:\Windows\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe	{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
File created	C:\Windows\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe	{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
Token: SeIncBasePriorityPrivilege	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
Token: SeIncBasePriorityPrivilege	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
Token: SeIncBasePriorityPrivilege	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
Token: SeIncBasePriorityPrivilege	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
Token: SeIncBasePriorityPrivilege	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
Token: SeIncBasePriorityPrivilege	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
Token: SeIncBasePriorityPrivilege	2888	{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
Token: SeIncBasePriorityPrivilege	2760	{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
Token: SeIncBasePriorityPrivilege	2744	{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
Token: SeIncBasePriorityPrivilege	1748	{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1212	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	30
PID 2616 wrote to memory of 1212	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	30
PID 2616 wrote to memory of 1212	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	30
PID 2616 wrote to memory of 1212	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	30
PID 2616 wrote to memory of 1052	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	31
PID 2616 wrote to memory of 1052	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	31
PID 2616 wrote to memory of 1052	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	31
PID 2616 wrote to memory of 1052	2616	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	31
PID 1212 wrote to memory of 2068	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	32
PID 1212 wrote to memory of 2068	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	32
PID 1212 wrote to memory of 2068	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	32
PID 1212 wrote to memory of 2068	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	32
PID 1212 wrote to memory of 1632	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	33
PID 1212 wrote to memory of 1632	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	33
PID 1212 wrote to memory of 1632	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	33
PID 1212 wrote to memory of 1632	1212	{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe	33
PID 2068 wrote to memory of 1704	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	34
PID 2068 wrote to memory of 1704	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	34
PID 2068 wrote to memory of 1704	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	34
PID 2068 wrote to memory of 1704	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	34
PID 2068 wrote to memory of 2892	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	35
PID 2068 wrote to memory of 2892	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	35
PID 2068 wrote to memory of 2892	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	35
PID 2068 wrote to memory of 2892	2068	{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe	35
PID 1704 wrote to memory of 2332	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	36
PID 1704 wrote to memory of 2332	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	36
PID 1704 wrote to memory of 2332	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	36
PID 1704 wrote to memory of 2332	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	36
PID 1704 wrote to memory of 2860	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	37
PID 1704 wrote to memory of 2860	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	37
PID 1704 wrote to memory of 2860	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	37
PID 1704 wrote to memory of 2860	1704	{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe	37
PID 2332 wrote to memory of 2920	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	38
PID 2332 wrote to memory of 2920	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	38
PID 2332 wrote to memory of 2920	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	38
PID 2332 wrote to memory of 2920	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	38
PID 2332 wrote to memory of 3044	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	39
PID 2332 wrote to memory of 3044	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	39
PID 2332 wrote to memory of 3044	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	39
PID 2332 wrote to memory of 3044	2332	{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe	39
PID 2920 wrote to memory of 2816	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	40
PID 2920 wrote to memory of 2816	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	40
PID 2920 wrote to memory of 2816	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	40
PID 2920 wrote to memory of 2816	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	40
PID 2920 wrote to memory of 2956	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	41
PID 2920 wrote to memory of 2956	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	41
PID 2920 wrote to memory of 2956	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	41
PID 2920 wrote to memory of 2956	2920	{D4048FA9-C18E-4336-B188-E80D6064C952}.exe	41
PID 2816 wrote to memory of 2844	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	42
PID 2816 wrote to memory of 2844	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	42
PID 2816 wrote to memory of 2844	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	42
PID 2816 wrote to memory of 2844	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	42
PID 2816 wrote to memory of 2828	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	43
PID 2816 wrote to memory of 2828	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	43
PID 2816 wrote to memory of 2828	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	43
PID 2816 wrote to memory of 2828	2816	{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe	43
PID 2844 wrote to memory of 2888	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	44
PID 2844 wrote to memory of 2888	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	44
PID 2844 wrote to memory of 2888	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	44
PID 2844 wrote to memory of 2888	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	44
PID 2844 wrote to memory of 2736	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	45
PID 2844 wrote to memory of 2736	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	45
PID 2844 wrote to memory of 2736	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	45
PID 2844 wrote to memory of 2736	2844	{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe	45

C:\Users\Admin\AppData\Local\Temp\c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
  C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
    C:\Windows\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
      C:\Windows\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
        
        C:\Windows\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
        
        C:\Windows\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
        
        C:\Windows\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
        
        C:\Windows\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
        
        C:\Windows\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
        
        C:\Windows\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
        
        C:\Windows\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe
        
        C:\Windows\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe
        
        C:\Windows\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe
        13⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C410~1.EXE > nul
        13⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B94~1.EXE > nul
        12⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43DFC~1.EXE > nul
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17981~1.EXE > nul
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB74~1.EXE > nul
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47336~1.EXE > nul
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4048~1.EXE > nul
        7⤵
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE862~1.EXE > nul
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9C3~1.EXE > nul
        5⤵
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC1B~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{812A9~1.EXE > nul
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C9E4C7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe

Filesize
168KB

MD5
fdf743927de13a136f48c67ca9189c4f

SHA1
fe10bec3817f90d7efca4708df2a0c54a72b6b15

SHA256
e91425e3227d0314941dac8f48936e42a9437931df1634defb09148345c33462

SHA512
04eb737534f1ee956773a74c50a125a897153a899ddcb14a328f838c13b55c65551150eeb0ed41a13d6688ab80a9b41f66312291d7f137461c8b85f7d12dbc99

Download Submit
C:\Windows\{17981BC5-6716-4901-BF2D-6DB7C1251B1E}.exe

Filesize
168KB

MD5
fdf743927de13a136f48c67ca9189c4f

SHA1
fe10bec3817f90d7efca4708df2a0c54a72b6b15

SHA256
e91425e3227d0314941dac8f48936e42a9437931df1634defb09148345c33462

SHA512
04eb737534f1ee956773a74c50a125a897153a899ddcb14a328f838c13b55c65551150eeb0ed41a13d6688ab80a9b41f66312291d7f137461c8b85f7d12dbc99

Download Submit
C:\Windows\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe

Filesize
168KB

MD5
19e1906ad35fb25715ab19139d55c7af

SHA1
5485018767a608d71babef735e6e0bb5c8dd0ace

SHA256
9d8179233ce78afdc1a5fed5dae231e61f6febcdc35a8b340f932c0e4bd50f76

SHA512
cb75d382d73be9fcc9c9db91507336ca07edd55243bad87b28b1fbef27ac6b08be24425e32e2cd61c717ebded33cbda372c295d08eb7987685ca02831bc32ff7

Download Submit
C:\Windows\{3C410AA5-7A92-4005-A277-8BC3D5D631A0}.exe

Filesize
168KB

MD5
19e1906ad35fb25715ab19139d55c7af

SHA1
5485018767a608d71babef735e6e0bb5c8dd0ace

SHA256
9d8179233ce78afdc1a5fed5dae231e61f6febcdc35a8b340f932c0e4bd50f76

SHA512
cb75d382d73be9fcc9c9db91507336ca07edd55243bad87b28b1fbef27ac6b08be24425e32e2cd61c717ebded33cbda372c295d08eb7987685ca02831bc32ff7

Download Submit
C:\Windows\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe

Filesize
168KB

MD5
0124a1a0c57ac76d5b4e418e1ca1839a

SHA1
cb8faa3cb6db366d7a594f7d264cfc3d041109ec

SHA256
d66bb1afc6de3864201816d9c620efe954ac7c3166ce696f6e1cc25fef4a654b

SHA512
5fc143bb18ab041e8da521be75ecafa826bc2d81f3811d6173a3be80a5a10f2b09784935faf4de0d91928adb7b44754c1d926af97ae40c42e92f35963877c35b

Download Submit
C:\Windows\{43DFCDFB-DB70-44fc-9AC4-5BFD49F4C274}.exe

Filesize
168KB

MD5
0124a1a0c57ac76d5b4e418e1ca1839a

SHA1
cb8faa3cb6db366d7a594f7d264cfc3d041109ec

SHA256
d66bb1afc6de3864201816d9c620efe954ac7c3166ce696f6e1cc25fef4a654b

SHA512
5fc143bb18ab041e8da521be75ecafa826bc2d81f3811d6173a3be80a5a10f2b09784935faf4de0d91928adb7b44754c1d926af97ae40c42e92f35963877c35b

Download Submit
C:\Windows\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe

Filesize
168KB

MD5
cc2f470c8907da3d8e226abdca1e2ff1

SHA1
417ec3442ac09975b3143ac264482e0c08b2d59f

SHA256
118ad0599025251260af25e3f286997b528a025d8767a40a742945d89f4287d1

SHA512
9ed0a1e4181a99e542ce78db1cd97a43dea1e0822d695ab52ea4ddcfff1bbc5f9ecf10fc83f365982d7223e94cbb9cf464ee340756570f8179b2c0893352e0b8

Download Submit
C:\Windows\{473360AB-6A1B-4d13-BD2B-F394D85962DD}.exe

Filesize
168KB

MD5
cc2f470c8907da3d8e226abdca1e2ff1

SHA1
417ec3442ac09975b3143ac264482e0c08b2d59f

SHA256
118ad0599025251260af25e3f286997b528a025d8767a40a742945d89f4287d1

SHA512
9ed0a1e4181a99e542ce78db1cd97a43dea1e0822d695ab52ea4ddcfff1bbc5f9ecf10fc83f365982d7223e94cbb9cf464ee340756570f8179b2c0893352e0b8

Download Submit
C:\Windows\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe

Filesize
168KB

MD5
2d8926664a3a4726467c719c2c211601

SHA1
ad6621a1e6da82f296641e0416a7f68dd365f057

SHA256
17597162469f1dba446693f10e45b3e375ba3584579b70195ea6bfde9cb40988

SHA512
d3171189b567cbbae1732eb5d66eba233c74a1c8299409bd6800cbf3e1c4fb57a85d5ce586d74b609c45d8f3ed05312c435ff0a282fb5f31120e4f1475d7585a

Download Submit
C:\Windows\{4AB745BD-4A34-4c9b-B8DD-FC3934358D92}.exe

Filesize
168KB

MD5
2d8926664a3a4726467c719c2c211601

SHA1
ad6621a1e6da82f296641e0416a7f68dd365f057

SHA256
17597162469f1dba446693f10e45b3e375ba3584579b70195ea6bfde9cb40988

SHA512
d3171189b567cbbae1732eb5d66eba233c74a1c8299409bd6800cbf3e1c4fb57a85d5ce586d74b609c45d8f3ed05312c435ff0a282fb5f31120e4f1475d7585a

Download Submit
C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe

Filesize
168KB

MD5
2867123a69d8e2e994782edc8f7f445c

SHA1
39b7fc61716230bbdfe8e3889a1e7de57291d182

SHA256
bacb95ef1f0416beaa60119f6a934b7ae98233b36d6ca91121c64fb59f050665

SHA512
6be5ddbb49b3b23c856b4ceee5694bce210070676763e33b678261558218756477a5ec71784ab0c0de3e5b40299585c0fa304bb045703d8f92f1d35716001c32

Download Submit
C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe

Filesize
168KB

MD5
2867123a69d8e2e994782edc8f7f445c

SHA1
39b7fc61716230bbdfe8e3889a1e7de57291d182

SHA256
bacb95ef1f0416beaa60119f6a934b7ae98233b36d6ca91121c64fb59f050665

SHA512
6be5ddbb49b3b23c856b4ceee5694bce210070676763e33b678261558218756477a5ec71784ab0c0de3e5b40299585c0fa304bb045703d8f92f1d35716001c32

Download Submit
C:\Windows\{812A9256-A491-4d48-8F97-E6917C6A4C3D}.exe

Filesize
168KB

MD5
2867123a69d8e2e994782edc8f7f445c

SHA1
39b7fc61716230bbdfe8e3889a1e7de57291d182

SHA256
bacb95ef1f0416beaa60119f6a934b7ae98233b36d6ca91121c64fb59f050665

SHA512
6be5ddbb49b3b23c856b4ceee5694bce210070676763e33b678261558218756477a5ec71784ab0c0de3e5b40299585c0fa304bb045703d8f92f1d35716001c32

Download Submit
C:\Windows\{948BDE4C-ABDE-4add-9041-1CE7C5AF3550}.exe

Filesize
168KB

MD5
0f1e2728073dc9757d1ca2f22e54c3e2

SHA1
844decb1e3f5dcea51b4c0b97afa4f8cee1b723a

SHA256
df1945cb2d53db270f9c4f6a7e3e4b0858a88d4d1774553a65a900dfdcf8bf8f

SHA512
af206817189304aa5f5f23ca640e255dde0422cf2e0d08e43852d631543d104ebb419029d45fe7ca039e9da92a059820f6e1afebd09978084ecf73ccf5f71248

Download Submit
C:\Windows\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe

Filesize
168KB

MD5
9607c4a64dfbe73e972b66d15f47d7d4

SHA1
ac70bb414a462f9345ca182c1e9c7517cff968a7

SHA256
97aa5b2cdb89130e1729edfa35b6d531b1727bcb3ef5926074e23f32d048f643

SHA512
74e281cadfde35b5f76e5168ac8fb1dda17f3bba029d745cde02b94aadec82d9fa96c5010cdf5bfe0fcbed02af9e1f38d3fd4a6bc0a7f654a935614d6fd8b0e3

Download Submit
C:\Windows\{9EC1BAB7-7A44-45b5-BBFB-DD64D738DE1A}.exe

Filesize
168KB

MD5
9607c4a64dfbe73e972b66d15f47d7d4

SHA1
ac70bb414a462f9345ca182c1e9c7517cff968a7

SHA256
97aa5b2cdb89130e1729edfa35b6d531b1727bcb3ef5926074e23f32d048f643

SHA512
74e281cadfde35b5f76e5168ac8fb1dda17f3bba029d745cde02b94aadec82d9fa96c5010cdf5bfe0fcbed02af9e1f38d3fd4a6bc0a7f654a935614d6fd8b0e3

Download Submit
C:\Windows\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe

Filesize
168KB

MD5
6fb55524d55fe3c6e9f528a8b9d65481

SHA1
5b923da17d020cd484609e01aab730b0e8148bd3

SHA256
0bfaa909b0942145109d84d30cc572766fd9781202575ff40dc94d2d2e6b09e2

SHA512
ee98644b4a63371acfb04485da2f799dcc26d99824934020dcd5cf2bdbf46d6e6b1f5b06b532e4dd8863c9fd94166db7d6639b27f96ee9ccc4a7635923298219

Download Submit
C:\Windows\{D4048FA9-C18E-4336-B188-E80D6064C952}.exe

Filesize
168KB

MD5
6fb55524d55fe3c6e9f528a8b9d65481

SHA1
5b923da17d020cd484609e01aab730b0e8148bd3

SHA256
0bfaa909b0942145109d84d30cc572766fd9781202575ff40dc94d2d2e6b09e2

SHA512
ee98644b4a63371acfb04485da2f799dcc26d99824934020dcd5cf2bdbf46d6e6b1f5b06b532e4dd8863c9fd94166db7d6639b27f96ee9ccc4a7635923298219

Download Submit
C:\Windows\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe

Filesize
168KB

MD5
a8f94ad382002b6f6859a00a06f9d94d

SHA1
2dae8843f8ccb5ebaa1638e26257551f0e8792ef

SHA256
47d4bc13b05a5bfe0917a8b6689e19df13f7f4c7398a3c56d675abe4c7894220

SHA512
1c58fffb7adf91ab850cff364b28aa4375afd0ee5e057da7a3a9a3c332853846ec70ba6eeb8dd9dbaf2890ee548da753ca4da79fe6a7d1e35aecc2e0f0ed286c

Download Submit
C:\Windows\{D8B946FB-C2CB-432a-AB55-E7822517B37A}.exe

Filesize
168KB

MD5
a8f94ad382002b6f6859a00a06f9d94d

SHA1
2dae8843f8ccb5ebaa1638e26257551f0e8792ef

SHA256
47d4bc13b05a5bfe0917a8b6689e19df13f7f4c7398a3c56d675abe4c7894220

SHA512
1c58fffb7adf91ab850cff364b28aa4375afd0ee5e057da7a3a9a3c332853846ec70ba6eeb8dd9dbaf2890ee548da753ca4da79fe6a7d1e35aecc2e0f0ed286c

Download Submit
C:\Windows\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe

Filesize
168KB

MD5
f594c7096036a95e496c0b1170626c4a

SHA1
46305f73bcb7e05c9bd1a7212f555807f4be8ba1

SHA256
5290bdeb7b9e3384160c974ce6a51c087db9ecaffd2a41e829b4ebc93ea1a069

SHA512
3145ae035efeabcf535bc4e41744e13eada69a7fa3eafba77862bfa71e77af3d848d347999c3d2bae6b870f6c44cb49c7e9647ab60c2e9dee95e8d637d507612

Download Submit
C:\Windows\{EE862F5A-9288-45c4-8A25-FC2AD9B0C2F9}.exe

Filesize
168KB

MD5
f594c7096036a95e496c0b1170626c4a

SHA1
46305f73bcb7e05c9bd1a7212f555807f4be8ba1

SHA256
5290bdeb7b9e3384160c974ce6a51c087db9ecaffd2a41e829b4ebc93ea1a069

SHA512
3145ae035efeabcf535bc4e41744e13eada69a7fa3eafba77862bfa71e77af3d848d347999c3d2bae6b870f6c44cb49c7e9647ab60c2e9dee95e8d637d507612

Download Submit
C:\Windows\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe

Filesize
168KB

MD5
8284fdeef9ea1650d76b33880152a890

SHA1
c544ade899e3cde0bd59b75414dfb319a8247d10

SHA256
5755e061f07e28b099dff47c9599bbd24faa5f0b9b8a37651e02e1f9691163b4

SHA512
fab73f872ffc9f191d8a118c14a4d98ff98b212c8909eb75364919ffa013118e32e20ec80b5d8c9cf79a934402842ce857b9a8beae7e7cae9d1488a01c38f75b

Download Submit
C:\Windows\{FE9C3A73-F4AD-4f20-BFE4-5E139D18B2E2}.exe

Filesize
168KB

MD5
8284fdeef9ea1650d76b33880152a890

SHA1
c544ade899e3cde0bd59b75414dfb319a8247d10

SHA256
5755e061f07e28b099dff47c9599bbd24faa5f0b9b8a37651e02e1f9691163b4

SHA512
fab73f872ffc9f191d8a118c14a4d98ff98b212c8909eb75364919ffa013118e32e20ec80b5d8c9cf79a934402842ce857b9a8beae7e7cae9d1488a01c38f75b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads