620a8381da401216e9d8e4c1fec37bffcffa8dd0576d7ecee97a52b56a5a04f8

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 16:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Size

408KB
MD5

17842c8951a159c36adafd753a087ab4
SHA1

e49960ac8cbe0338a74e717485bbd6815066d2c7
SHA256

620a8381da401216e9d8e4c1fec37bffcffa8dd0576d7ecee97a52b56a5a04f8
SHA512

ac8346ee01db1cb5326663065f3d083e0e8336a5fbb96ad5db336d111018bab28d2867824c87fba8e51f65148538f9a147a86eadca06b83472faa157349b217e
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593A71CF-A1A5-48dd-B38A-8698600D12FF}	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D638E9AA-6099-4b82-8279-1A6CFE72353A}	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D638E9AA-6099-4b82-8279-1A6CFE72353A}\stubpath = "C:\\Windows\\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe"	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}\stubpath = "C:\\Windows\\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe"	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}\stubpath = "C:\\Windows\\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe"	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A3C2B0-3416-4e80-B069-FD85E1532651}\stubpath = "C:\\Windows\\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe"	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC709934-304F-41df-A716-A06128DDC18A}\stubpath = "C:\\Windows\\{EC709934-304F-41df-A716-A06128DDC18A}.exe"	{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B054ED66-BF62-4ded-A2CD-727E8803D669}	{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}\stubpath = "C:\\Windows\\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe"	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC709934-304F-41df-A716-A06128DDC18A}	{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B021F373-F469-4c97-94F4-3D79B04207A9}\stubpath = "C:\\Windows\\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe"	{EC709934-304F-41df-A716-A06128DDC18A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B054ED66-BF62-4ded-A2CD-727E8803D669}\stubpath = "C:\\Windows\\{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe"	{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}\stubpath = "C:\\Windows\\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe"	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593A71CF-A1A5-48dd-B38A-8698600D12FF}\stubpath = "C:\\Windows\\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe"	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D331FE52-5B8F-4692-9924-70F21F3532E2}	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D331FE52-5B8F-4692-9924-70F21F3532E2}\stubpath = "C:\\Windows\\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe"	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B021F373-F469-4c97-94F4-3D79B04207A9}	{EC709934-304F-41df-A716-A06128DDC18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A3C2B0-3416-4e80-B069-FD85E1532651}	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe

Deletes itself 1 IoCs

pid	Process
1404	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
624	{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
2456	{EC709934-304F-41df-A716-A06128DDC18A}.exe
3048	{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
612	{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
File created	C:\Windows\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
File created	C:\Windows\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
File created	C:\Windows\{EC709934-304F-41df-A716-A06128DDC18A}.exe	{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
File created	C:\Windows\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe	{EC709934-304F-41df-A716-A06128DDC18A}.exe
File created	C:\Windows\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
File created	C:\Windows\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
File created	C:\Windows\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
File created	C:\Windows\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
File created	C:\Windows\{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe	{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
File created	C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
Token: SeIncBasePriorityPrivilege	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
Token: SeIncBasePriorityPrivilege	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
Token: SeIncBasePriorityPrivilege	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
Token: SeIncBasePriorityPrivilege	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
Token: SeIncBasePriorityPrivilege	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
Token: SeIncBasePriorityPrivilege	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
Token: SeIncBasePriorityPrivilege	624	{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
Token: SeIncBasePriorityPrivilege	2456	{EC709934-304F-41df-A716-A06128DDC18A}.exe
Token: SeIncBasePriorityPrivilege	3048	{B021F373-F469-4c97-94F4-3D79B04207A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2308	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	28
PID 2276 wrote to memory of 2308	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	28
PID 2276 wrote to memory of 2308	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	28
PID 2276 wrote to memory of 2308	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	28
PID 2276 wrote to memory of 1404	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	29
PID 2276 wrote to memory of 1404	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	29
PID 2276 wrote to memory of 1404	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	29
PID 2276 wrote to memory of 1404	2276	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	29
PID 2308 wrote to memory of 2908	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	32
PID 2308 wrote to memory of 2908	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	32
PID 2308 wrote to memory of 2908	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	32
PID 2308 wrote to memory of 2908	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	32
PID 2308 wrote to memory of 2072	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	33
PID 2308 wrote to memory of 2072	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	33
PID 2308 wrote to memory of 2072	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	33
PID 2308 wrote to memory of 2072	2308	{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe	33
PID 2908 wrote to memory of 1208	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	34
PID 2908 wrote to memory of 1208	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	34
PID 2908 wrote to memory of 1208	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	34
PID 2908 wrote to memory of 1208	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	34
PID 2908 wrote to memory of 2868	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	35
PID 2908 wrote to memory of 2868	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	35
PID 2908 wrote to memory of 2868	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	35
PID 2908 wrote to memory of 2868	2908	{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe	35
PID 1208 wrote to memory of 2864	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	36
PID 1208 wrote to memory of 2864	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	36
PID 1208 wrote to memory of 2864	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	36
PID 1208 wrote to memory of 2864	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	36
PID 1208 wrote to memory of 2700	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	37
PID 1208 wrote to memory of 2700	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	37
PID 1208 wrote to memory of 2700	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	37
PID 1208 wrote to memory of 2700	1208	{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe	37
PID 2864 wrote to memory of 2744	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	38
PID 2864 wrote to memory of 2744	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	38
PID 2864 wrote to memory of 2744	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	38
PID 2864 wrote to memory of 2744	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	38
PID 2864 wrote to memory of 2820	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	39
PID 2864 wrote to memory of 2820	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	39
PID 2864 wrote to memory of 2820	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	39
PID 2864 wrote to memory of 2820	2864	{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe	39
PID 2744 wrote to memory of 2988	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	40
PID 2744 wrote to memory of 2988	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	40
PID 2744 wrote to memory of 2988	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	40
PID 2744 wrote to memory of 2988	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	40
PID 2744 wrote to memory of 2632	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	41
PID 2744 wrote to memory of 2632	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	41
PID 2744 wrote to memory of 2632	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	41
PID 2744 wrote to memory of 2632	2744	{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe	41
PID 2988 wrote to memory of 964	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	43
PID 2988 wrote to memory of 964	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	43
PID 2988 wrote to memory of 964	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	43
PID 2988 wrote to memory of 964	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	43
PID 2988 wrote to memory of 1480	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	42
PID 2988 wrote to memory of 1480	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	42
PID 2988 wrote to memory of 1480	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	42
PID 2988 wrote to memory of 1480	2988	{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe	42
PID 964 wrote to memory of 624	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	45
PID 964 wrote to memory of 624	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	45
PID 964 wrote to memory of 624	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	45
PID 964 wrote to memory of 624	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	45
PID 964 wrote to memory of 2680	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	44
PID 964 wrote to memory of 2680	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	44
PID 964 wrote to memory of 2680	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	44
PID 964 wrote to memory of 2680	964	{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe	44

C:\Users\Admin\AppData\Local\Temp\17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
  C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
    C:\Windows\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
      C:\Windows\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
        
        C:\Windows\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
        
        C:\Windows\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
        
        C:\Windows\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FFD2~1.EXE > nul
        8⤵
        
        PID:1480
        
        C:\Windows\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
        
        C:\Windows\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AFF~1.EXE > nul
        9⤵
        
        PID:2680
        
        C:\Windows\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
        
        C:\Windows\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D331F~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\{EC709934-304F-41df-A716-A06128DDC18A}.exe
        
        C:\Windows\{EC709934-304F-41df-A716-A06128DDC18A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
        
        C:\Windows\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe
        
        C:\Windows\{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe
        12⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B021F~1.EXE > nul
        12⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC709~1.EXE > nul
        11⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D638E~1.EXE > nul
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{593A7~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50A3C~1.EXE > nul
        5⤵
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61A7F~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{978C2~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\17842C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe

Filesize
408KB

MD5
ded82347af108f90aa5e8aa708ed6a09

SHA1
ae1d6854b5c3efb38ffe0d69007f06c0e0219ee2

SHA256
7614f086a0796c556be7b71175d8f0bc75bcbbffee8cbdf686e749846f8b5094

SHA512
fb62f369c00eb28cae0748e8782b9fc3acb52e3413df493d0d462a6c70307cc666b932a50972aadc6226a9fbc64579de9bde0a166164dde0366f99839a593d9e

Download Submit
C:\Windows\{50A3C2B0-3416-4e80-B069-FD85E1532651}.exe

Filesize
408KB

MD5
ded82347af108f90aa5e8aa708ed6a09

SHA1
ae1d6854b5c3efb38ffe0d69007f06c0e0219ee2

SHA256
7614f086a0796c556be7b71175d8f0bc75bcbbffee8cbdf686e749846f8b5094

SHA512
fb62f369c00eb28cae0748e8782b9fc3acb52e3413df493d0d462a6c70307cc666b932a50972aadc6226a9fbc64579de9bde0a166164dde0366f99839a593d9e

Download Submit
C:\Windows\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe

Filesize
408KB

MD5
28419e21fe1f0393ed64c01c41864a0a

SHA1
3322aad896e5338db7e46eae7bb3e03fa4778998

SHA256
6a733788b78327b218225eea7a2343e305ae787083bb00277c973dc26e8848cd

SHA512
b35400fce857d5cc9cbd4da438bfbd4d8298f61151ecbe53c3de710b02424790143ee0d7b69c17aff3b7e2121a9b35cf17b830035a164853d834399f8bc2e9ea

Download Submit
C:\Windows\{593A71CF-A1A5-48dd-B38A-8698600D12FF}.exe

Filesize
408KB

MD5
28419e21fe1f0393ed64c01c41864a0a

SHA1
3322aad896e5338db7e46eae7bb3e03fa4778998

SHA256
6a733788b78327b218225eea7a2343e305ae787083bb00277c973dc26e8848cd

SHA512
b35400fce857d5cc9cbd4da438bfbd4d8298f61151ecbe53c3de710b02424790143ee0d7b69c17aff3b7e2121a9b35cf17b830035a164853d834399f8bc2e9ea

Download Submit
C:\Windows\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe

Filesize
408KB

MD5
7218303a0733f2bb2beb1362dd90bd87

SHA1
5e8c2a2e842580c83c345529abe31a703562f80b

SHA256
7187311d31ce891bbf0219c842123389fec96dd7d4c714f4a3fd36701a467348

SHA512
56982e1dbc0c4157c616c0ba8ebbf593356d2d01d4d406f7510baf8be6907d4fd54e215c2b68a5a8269cc125172753ff0ec077b35d0147c7d83b7160c8ed09a5

Download Submit
C:\Windows\{61A7FF05-C311-46d5-858B-BEAFF7EEA064}.exe

Filesize
408KB

MD5
7218303a0733f2bb2beb1362dd90bd87

SHA1
5e8c2a2e842580c83c345529abe31a703562f80b

SHA256
7187311d31ce891bbf0219c842123389fec96dd7d4c714f4a3fd36701a467348

SHA512
56982e1dbc0c4157c616c0ba8ebbf593356d2d01d4d406f7510baf8be6907d4fd54e215c2b68a5a8269cc125172753ff0ec077b35d0147c7d83b7160c8ed09a5

Download Submit
C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe

Filesize
408KB

MD5
5ad2953ce09d668654a93317e7399715

SHA1
75c4f11f5ae537e3e435a5caec3d5551db54b643

SHA256
71bfc48b4c66d7d48daa6abe96c75716fd9d0edd74edc10a6b20baeb9065d6ef

SHA512
73159c26f0a1d7c362650b648bf2a7aff01c326aed03a194eec54034c2db4c4b2644f3440fbc0381633663e3c38fb5ec9ac962a82933803d01ff8e3bfdf8cf33

Download Submit
C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe

Filesize
408KB

MD5
5ad2953ce09d668654a93317e7399715

SHA1
75c4f11f5ae537e3e435a5caec3d5551db54b643

SHA256
71bfc48b4c66d7d48daa6abe96c75716fd9d0edd74edc10a6b20baeb9065d6ef

SHA512
73159c26f0a1d7c362650b648bf2a7aff01c326aed03a194eec54034c2db4c4b2644f3440fbc0381633663e3c38fb5ec9ac962a82933803d01ff8e3bfdf8cf33

Download Submit
C:\Windows\{978C2477-57B4-416d-BCFF-36E6EB3CDFCA}.exe

Filesize
408KB

MD5
5ad2953ce09d668654a93317e7399715

SHA1
75c4f11f5ae537e3e435a5caec3d5551db54b643

SHA256
71bfc48b4c66d7d48daa6abe96c75716fd9d0edd74edc10a6b20baeb9065d6ef

SHA512
73159c26f0a1d7c362650b648bf2a7aff01c326aed03a194eec54034c2db4c4b2644f3440fbc0381633663e3c38fb5ec9ac962a82933803d01ff8e3bfdf8cf33

Download Submit
C:\Windows\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe

Filesize
408KB

MD5
9bab815872c35b8c7264318bb9cb4930

SHA1
993b860ce37a5d20b1f555bd184edc0ba5aae5a4

SHA256
dd03aa0280ae6ec593899e53e592c3aba3a25d7839f6a886b4ad5df751274d3e

SHA512
635fa1b604f84ba5ab4370abf94583843ff4a1374aad6e950ed24ae0dafc207d337616774339095e8d0d254b68f9ab0e3c4f9550c062b36ad2e3c35fb944d083

Download Submit
C:\Windows\{9FFD2F20-6584-4caa-917A-D3D20A1259CD}.exe

Filesize
408KB

MD5
9bab815872c35b8c7264318bb9cb4930

SHA1
993b860ce37a5d20b1f555bd184edc0ba5aae5a4

SHA256
dd03aa0280ae6ec593899e53e592c3aba3a25d7839f6a886b4ad5df751274d3e

SHA512
635fa1b604f84ba5ab4370abf94583843ff4a1374aad6e950ed24ae0dafc207d337616774339095e8d0d254b68f9ab0e3c4f9550c062b36ad2e3c35fb944d083

Download Submit
C:\Windows\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe

Filesize
408KB

MD5
a96c5d8cfdfab2db5fc674277ee51d8c

SHA1
d4a3dfe5d16c2855bc35371c328f08f7718091ff

SHA256
fe209e35aa6c6f465bfaeedc36f60ae3ad25c573adfeef39806338ae5f1bfecf

SHA512
5ddc6f29ec50dd2db3b6ad444d4d48772441396b0ae97d2a8f9b85ef76d38cefca870d5cdd58115c268c623a4820ba2e9e5df22ed5e8b07f43f4d829a5b0189a

Download Submit
C:\Windows\{B021F373-F469-4c97-94F4-3D79B04207A9}.exe

Filesize
408KB

MD5
a96c5d8cfdfab2db5fc674277ee51d8c

SHA1
d4a3dfe5d16c2855bc35371c328f08f7718091ff

SHA256
fe209e35aa6c6f465bfaeedc36f60ae3ad25c573adfeef39806338ae5f1bfecf

SHA512
5ddc6f29ec50dd2db3b6ad444d4d48772441396b0ae97d2a8f9b85ef76d38cefca870d5cdd58115c268c623a4820ba2e9e5df22ed5e8b07f43f4d829a5b0189a

Download Submit
C:\Windows\{B054ED66-BF62-4ded-A2CD-727E8803D669}.exe

Filesize
408KB

MD5
bbd933c4327645f3f327d0a2a2eb5215

SHA1
17f650f4aa849af77759a68981a22dc467b1a09b

SHA256
e56aad10501be27486fd665852a25dcb9274eec7db6a1475cff6a06222d183d8

SHA512
06dfc5d75d2f2c2343ce8aec72ad3450343f358349acd9fd9003f06bf3f427616afdda200325c78b86d4d440f9d594aeb220ab36f5a597a87969db9400010bf8

Download Submit
C:\Windows\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe

Filesize
408KB

MD5
1011c4a953a6b5ed8648572dd63d0cfc

SHA1
4c8de59633c644c858f92172e4740099789d16b0

SHA256
4c7914209ec557898d3c76d8d7eb73fecdeb3af0be07996d54c4fc2ff9a2add3

SHA512
74535bb9de173600678a783d9ee974bacc7eb67d2d176cdd2fbe5db390d2a5631daf1500a57504d7d585a73b0928719526c01564e86649d50efd93f9c287e08b

Download Submit
C:\Windows\{B4AFF36C-D87F-4f5b-BAFF-710D74B4DAEE}.exe

Filesize
408KB

MD5
1011c4a953a6b5ed8648572dd63d0cfc

SHA1
4c8de59633c644c858f92172e4740099789d16b0

SHA256
4c7914209ec557898d3c76d8d7eb73fecdeb3af0be07996d54c4fc2ff9a2add3

SHA512
74535bb9de173600678a783d9ee974bacc7eb67d2d176cdd2fbe5db390d2a5631daf1500a57504d7d585a73b0928719526c01564e86649d50efd93f9c287e08b

Download Submit
C:\Windows\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe

Filesize
408KB

MD5
8bd6e4a62addd16dd2cb7648e2aa2726

SHA1
41a4770f97e7bc094e8f1c6178fb6b553067c003

SHA256
0ef766e75dde40a6fd6dfb8972c26e386f1d34608441bb310f99e52d6bc5f99c

SHA512
6d4a34fa9f897a835476ac853dd94ddd96761d5bae2d140166a634823b0d7001180bf644c22cab44f095b9b641724e71bf71df362d770999f409de60e1d0aa9c

Download Submit
C:\Windows\{D331FE52-5B8F-4692-9924-70F21F3532E2}.exe

Filesize
408KB

MD5
8bd6e4a62addd16dd2cb7648e2aa2726

SHA1
41a4770f97e7bc094e8f1c6178fb6b553067c003

SHA256
0ef766e75dde40a6fd6dfb8972c26e386f1d34608441bb310f99e52d6bc5f99c

SHA512
6d4a34fa9f897a835476ac853dd94ddd96761d5bae2d140166a634823b0d7001180bf644c22cab44f095b9b641724e71bf71df362d770999f409de60e1d0aa9c

Download Submit
C:\Windows\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe

Filesize
408KB

MD5
8d354970dc164e0364c05ea05b1f6dcf

SHA1
5f65dfa77ae95bf66d1332829dd3eb58118b2b75

SHA256
ef62094b88734ed6e1c6caaeff0f685312b2973f2288bc35db2aa67f999d00f2

SHA512
70d1a8cfa8edbe409b00782d5338c2aa4f98b826ebdde7a87928f58b9fcf7cba1655e41c006eafedf1d9d4d4ed115311e3ad146e1a0438cea05b4193f185dc4c

Download Submit
C:\Windows\{D638E9AA-6099-4b82-8279-1A6CFE72353A}.exe

Filesize
408KB

MD5
8d354970dc164e0364c05ea05b1f6dcf

SHA1
5f65dfa77ae95bf66d1332829dd3eb58118b2b75

SHA256
ef62094b88734ed6e1c6caaeff0f685312b2973f2288bc35db2aa67f999d00f2

SHA512
70d1a8cfa8edbe409b00782d5338c2aa4f98b826ebdde7a87928f58b9fcf7cba1655e41c006eafedf1d9d4d4ed115311e3ad146e1a0438cea05b4193f185dc4c

Download Submit
C:\Windows\{EC709934-304F-41df-A716-A06128DDC18A}.exe

Filesize
408KB

MD5
5f9d76a6ed6e986037c5f5c5cde59dce

SHA1
ea6da8dc70b2cb0106c7119b9e761e64043f62a4

SHA256
42b6219dfd3aca987b929916bb451a2dc97da3acaf884ea526fbd7b366662d11

SHA512
154f0b2dd8566f94b6422f3d5615d5864a0bc6f692ffe3fe08f6d9e1cf0c2fc559183e39c7209a52b3fe9e87e7932f85c4d02d2a8669d895d6c0f3c50f656d9d

Download Submit
C:\Windows\{EC709934-304F-41df-A716-A06128DDC18A}.exe

Filesize
408KB

MD5
5f9d76a6ed6e986037c5f5c5cde59dce

SHA1
ea6da8dc70b2cb0106c7119b9e761e64043f62a4

SHA256
42b6219dfd3aca987b929916bb451a2dc97da3acaf884ea526fbd7b366662d11

SHA512
154f0b2dd8566f94b6422f3d5615d5864a0bc6f692ffe3fe08f6d9e1cf0c2fc559183e39c7209a52b3fe9e87e7932f85c4d02d2a8669d895d6c0f3c50f656d9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads