3345fdd40abbd3d10228df4c14d015e2dd819b83a4d460b5c6d3125c249c2c6c

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Size

372KB
MD5

541823e918e36d78ba1e9341ed55eae1
SHA1

67c6e1515bcdf0f92c72cc339a8c0dcec7072dc5
SHA256

3345fdd40abbd3d10228df4c14d015e2dd819b83a4d460b5c6d3125c249c2c6c
SHA512

be75244719c3e86215a6c2ca2afd9d0b0392949c3d2c0e529aec31d8e12fd2a89951414166d4bcb008a3d9bfc35d46dc731a5a545e7a2e5347368873187d3ce6
SSDEEP

3072:CEGh0oZmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGil/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}\stubpath = "C:\\Windows\\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe"	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59776E74-C250-49d1-B03E-1E42C1A61B8F}\stubpath = "C:\\Windows\\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe"	{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F099F6-98B3-4837-82D0-F6935C0C0459}	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74473098-21DD-4576-9BA0-C034F38E423D}	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74473098-21DD-4576-9BA0-C034F38E423D}\stubpath = "C:\\Windows\\{74473098-21DD-4576-9BA0-C034F38E423D}.exe"	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}\stubpath = "C:\\Windows\\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe"	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}	{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59776E74-C250-49d1-B03E-1E42C1A61B8F}	{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24F099F6-98B3-4837-82D0-F6935C0C0459}\stubpath = "C:\\Windows\\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe"	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}\stubpath = "C:\\Windows\\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe"	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}\stubpath = "C:\\Windows\\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe"	{74473098-21DD-4576-9BA0-C034F38E423D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}\stubpath = "C:\\Windows\\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe"	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}\stubpath = "C:\\Windows\\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe"	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}\stubpath = "C:\\Windows\\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe"	{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF37D27-3C8F-4477-85EE-EF21E0584973}	{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EF37D27-3C8F-4477-85EE-EF21E0584973}\stubpath = "C:\\Windows\\{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe"	{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}	{74473098-21DD-4576-9BA0-C034F38E423D}.exe

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe
2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
336	{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
1348	{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
2932	{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
2296	{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
File created	C:\Windows\{74473098-21DD-4576-9BA0-C034F38E423D}.exe	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
File created	C:\Windows\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
File created	C:\Windows\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
File created	C:\Windows\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe	{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
File created	C:\Windows\{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe	{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
File created	C:\Windows\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	{74473098-21DD-4576-9BA0-C034F38E423D}.exe
File created	C:\Windows\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
File created	C:\Windows\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
File created	C:\Windows\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
File created	C:\Windows\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe	{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
Token: SeIncBasePriorityPrivilege	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe
Token: SeIncBasePriorityPrivilege	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
Token: SeIncBasePriorityPrivilege	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
Token: SeIncBasePriorityPrivilege	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
Token: SeIncBasePriorityPrivilege	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
Token: SeIncBasePriorityPrivilege	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
Token: SeIncBasePriorityPrivilege	336	{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
Token: SeIncBasePriorityPrivilege	1348	{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
Token: SeIncBasePriorityPrivilege	2932	{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2524	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2524	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2524	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2524	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2804	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2804	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2804	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2804	2356	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	29
PID 2524 wrote to memory of 2308	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	32
PID 2524 wrote to memory of 2308	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	32
PID 2524 wrote to memory of 2308	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	32
PID 2524 wrote to memory of 2308	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	32
PID 2524 wrote to memory of 2824	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	33
PID 2524 wrote to memory of 2824	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	33
PID 2524 wrote to memory of 2824	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	33
PID 2524 wrote to memory of 2824	2524	{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe	33
PID 2308 wrote to memory of 2852	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	35
PID 2308 wrote to memory of 2852	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	35
PID 2308 wrote to memory of 2852	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	35
PID 2308 wrote to memory of 2852	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	35
PID 2308 wrote to memory of 2836	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	34
PID 2308 wrote to memory of 2836	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	34
PID 2308 wrote to memory of 2836	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	34
PID 2308 wrote to memory of 2836	2308	{74473098-21DD-4576-9BA0-C034F38E423D}.exe	34
PID 2852 wrote to memory of 2744	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	36
PID 2852 wrote to memory of 2744	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	36
PID 2852 wrote to memory of 2744	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	36
PID 2852 wrote to memory of 2744	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	36
PID 2852 wrote to memory of 2740	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	37
PID 2852 wrote to memory of 2740	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	37
PID 2852 wrote to memory of 2740	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	37
PID 2852 wrote to memory of 2740	2852	{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe	37
PID 2744 wrote to memory of 2832	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	39
PID 2744 wrote to memory of 2832	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	39
PID 2744 wrote to memory of 2832	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	39
PID 2744 wrote to memory of 2832	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	39
PID 2744 wrote to memory of 2712	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	38
PID 2744 wrote to memory of 2712	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	38
PID 2744 wrote to memory of 2712	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	38
PID 2744 wrote to memory of 2712	2744	{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe	38
PID 2832 wrote to memory of 2780	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	40
PID 2832 wrote to memory of 2780	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	40
PID 2832 wrote to memory of 2780	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	40
PID 2832 wrote to memory of 2780	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	40
PID 2832 wrote to memory of 2520	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	41
PID 2832 wrote to memory of 2520	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	41
PID 2832 wrote to memory of 2520	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	41
PID 2832 wrote to memory of 2520	2832	{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe	41
PID 2780 wrote to memory of 1260	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	42
PID 2780 wrote to memory of 1260	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	42
PID 2780 wrote to memory of 1260	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	42
PID 2780 wrote to memory of 1260	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	42
PID 2780 wrote to memory of 568	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	43
PID 2780 wrote to memory of 568	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	43
PID 2780 wrote to memory of 568	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	43
PID 2780 wrote to memory of 568	2780	{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe	43
PID 1260 wrote to memory of 336	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	44
PID 1260 wrote to memory of 336	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	44
PID 1260 wrote to memory of 336	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	44
PID 1260 wrote to memory of 336	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	44
PID 1260 wrote to memory of 1092	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	45
PID 1260 wrote to memory of 1092	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	45
PID 1260 wrote to memory of 1092	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	45
PID 1260 wrote to memory of 1092	1260	{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe	45

C:\Users\Admin\AppData\Local\Temp\541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
  C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{74473098-21DD-4576-9BA0-C034F38E423D}.exe
    C:\Windows\{74473098-21DD-4576-9BA0-C034F38E423D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74473~1.EXE > nul
      4⤵
      PID:2836
  - - C:\Windows\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
      C:\Windows\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
        
        C:\Windows\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D699D~1.EXE > nul
        6⤵
        
        PID:2712
      - C:\Windows\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
        
        C:\Windows\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
        
        C:\Windows\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
        
        C:\Windows\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
        
        C:\Windows\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
        
        C:\Windows\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
        
        C:\Windows\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe
        
        C:\Windows\{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe
        12⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59776~1.EXE > nul
        12⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A89~1.EXE > nul
        11⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC7FC~1.EXE > nul
        10⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8266E~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE2C6~1.EXE > nul
        8⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2052F~1.EXE > nul
        7⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC66C~1.EXE > nul
        5⤵
        
        PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24F09~1.EXE > nul
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\541823~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe

Filesize
372KB

MD5
597cae61850dae5c57e9f1227caeea9e

SHA1
ac3aeea553ce86871d84d4aac6716c6611d2cd76

SHA256
f050ae97410e3b16c35b9014e1f7dd9b4981bfe89f5769bf6c8163d4601943ce

SHA512
6aa8850e5873a33e77cc5cac2d8ced5ff769ea53537fa05df78fe5bab48fe3b860e0bb3b72145ce4238d1b7eab0d4bff8a431966011b157831698fdd146223a7

Download Submit
C:\Windows\{2052F8B1-611B-43c0-A5D7-DF5162BE15AB}.exe

Filesize
372KB

MD5
597cae61850dae5c57e9f1227caeea9e

SHA1
ac3aeea553ce86871d84d4aac6716c6611d2cd76

SHA256
f050ae97410e3b16c35b9014e1f7dd9b4981bfe89f5769bf6c8163d4601943ce

SHA512
6aa8850e5873a33e77cc5cac2d8ced5ff769ea53537fa05df78fe5bab48fe3b860e0bb3b72145ce4238d1b7eab0d4bff8a431966011b157831698fdd146223a7

Download Submit
C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe

Filesize
372KB

MD5
368af7f2bdef054977ef0ce20a4cdeb1

SHA1
7ecf4809135f8ba2c58fe557b18bc5d40c29be11

SHA256
3f25bf8658fc69dc7de4db43a9c3bece65759c7bbdaac4f5f132ce3696639f20

SHA512
746609d68de9db7d1e9f4b5592e0b2b35dcc00741a232fe1a4dddd7a70f07945aff7e0308457f21ebd5e406f30cc386ce88600811c18e56ff692cf5d2f696ca2

Download Submit
C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe

Filesize
372KB

MD5
368af7f2bdef054977ef0ce20a4cdeb1

SHA1
7ecf4809135f8ba2c58fe557b18bc5d40c29be11

SHA256
3f25bf8658fc69dc7de4db43a9c3bece65759c7bbdaac4f5f132ce3696639f20

SHA512
746609d68de9db7d1e9f4b5592e0b2b35dcc00741a232fe1a4dddd7a70f07945aff7e0308457f21ebd5e406f30cc386ce88600811c18e56ff692cf5d2f696ca2

Download Submit
C:\Windows\{24F099F6-98B3-4837-82D0-F6935C0C0459}.exe

Filesize
372KB

MD5
368af7f2bdef054977ef0ce20a4cdeb1

SHA1
7ecf4809135f8ba2c58fe557b18bc5d40c29be11

SHA256
3f25bf8658fc69dc7de4db43a9c3bece65759c7bbdaac4f5f132ce3696639f20

SHA512
746609d68de9db7d1e9f4b5592e0b2b35dcc00741a232fe1a4dddd7a70f07945aff7e0308457f21ebd5e406f30cc386ce88600811c18e56ff692cf5d2f696ca2

Download Submit
C:\Windows\{3EF37D27-3C8F-4477-85EE-EF21E0584973}.exe

Filesize
372KB

MD5
5a8530352282336bb29f433952905a89

SHA1
c6009becd282c5027548b36ebb35c631280f482e

SHA256
4fde580d98c850f8d287edb2810f9c714a2d7d8ac6e2f48ee0e4ac6d7e4cef81

SHA512
ade6a07d2016701df117880eea680e67e2fc3a784d02c10dd457b44bfa2a1e7ec48f99e00d894ccd2b6ee23e548f108516d8c6ba4ec27befffc9e813407aece5

Download Submit
C:\Windows\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe

Filesize
372KB

MD5
16d9edda56b07da9cda93a14932c0db5

SHA1
ebb4e07df5e199d97a09baf5d4c9481169bfdcc0

SHA256
371f06b64cb33e6f4936690198224dd2394fd77c183f4981d007fbdba917d4e3

SHA512
028246f824100ec4027c39d9735d5fe16254be6b4dd6bd756f671e5769a858cd31233f346074be69331cc96c8f0163801994862ba2e18a0b69aa4e4c76b7f5a8

Download Submit
C:\Windows\{59776E74-C250-49d1-B03E-1E42C1A61B8F}.exe

Filesize
372KB

MD5
16d9edda56b07da9cda93a14932c0db5

SHA1
ebb4e07df5e199d97a09baf5d4c9481169bfdcc0

SHA256
371f06b64cb33e6f4936690198224dd2394fd77c183f4981d007fbdba917d4e3

SHA512
028246f824100ec4027c39d9735d5fe16254be6b4dd6bd756f671e5769a858cd31233f346074be69331cc96c8f0163801994862ba2e18a0b69aa4e4c76b7f5a8

Download Submit
C:\Windows\{74473098-21DD-4576-9BA0-C034F38E423D}.exe

Filesize
372KB

MD5
8c36d2db58f89f49dc5bb1bbfe5e5d61

SHA1
fded89ee0dcdc7fb8a7fadc1f9a517b6e374fb3a

SHA256
dc8c35f63228e23f6606632999df9fe6d63c55ca44806840b74f51f58d3d6579

SHA512
f388d4afeae92837eb82d3cb54e95cf6be4271d2660e1a64025753ad2d51dda2a744a656160b98a23ac402fead2d5207eaa549345ee5f8def80e00871e0ee6c1

Download Submit
C:\Windows\{74473098-21DD-4576-9BA0-C034F38E423D}.exe

Filesize
372KB

MD5
8c36d2db58f89f49dc5bb1bbfe5e5d61

SHA1
fded89ee0dcdc7fb8a7fadc1f9a517b6e374fb3a

SHA256
dc8c35f63228e23f6606632999df9fe6d63c55ca44806840b74f51f58d3d6579

SHA512
f388d4afeae92837eb82d3cb54e95cf6be4271d2660e1a64025753ad2d51dda2a744a656160b98a23ac402fead2d5207eaa549345ee5f8def80e00871e0ee6c1

Download Submit
C:\Windows\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe

Filesize
372KB

MD5
85be1a15dcf754a5fb22811b29cde84a

SHA1
9c061e5e6ae94d9f8c90ec08d6a2d005d1bc8cdc

SHA256
dea7dbecc35a668865e628938b237e1b7202027f47fa9d6e16c8ae0c6d58d5de

SHA512
3f73ea89cf643a37d6a896bbe56d73a8371ea894117b1b4c1d3df255a58f41976608e76b59e66b49dd330b1a91e1871096cbd504bf8178707c52b37ff51730ca

Download Submit
C:\Windows\{8266E553-1A30-4255-8320-8EC7F3E6EB0C}.exe

Filesize
372KB

MD5
85be1a15dcf754a5fb22811b29cde84a

SHA1
9c061e5e6ae94d9f8c90ec08d6a2d005d1bc8cdc

SHA256
dea7dbecc35a668865e628938b237e1b7202027f47fa9d6e16c8ae0c6d58d5de

SHA512
3f73ea89cf643a37d6a896bbe56d73a8371ea894117b1b4c1d3df255a58f41976608e76b59e66b49dd330b1a91e1871096cbd504bf8178707c52b37ff51730ca

Download Submit
C:\Windows\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe

Filesize
372KB

MD5
60e84c8cf5f833695b5a7fefbd245e0e

SHA1
cd9af88b798163b4400faf5894c670d4a6b919ff

SHA256
4fdfb29c49c377fd71933f7d24c3001e7f125f320494fe45c9a2423847b53db9

SHA512
c1048097f6cf6d95de68d0bff0803a1ca7da6ca4b6a0971b24f823b0b1f1f781f050698c1f9cae245fd0331f00bd31617fbb88be96e038290b89952b2502f5ec

Download Submit
C:\Windows\{86A89F74-EC29-4b39-921F-55FD4BF7D0B3}.exe

Filesize
372KB

MD5
60e84c8cf5f833695b5a7fefbd245e0e

SHA1
cd9af88b798163b4400faf5894c670d4a6b919ff

SHA256
4fdfb29c49c377fd71933f7d24c3001e7f125f320494fe45c9a2423847b53db9

SHA512
c1048097f6cf6d95de68d0bff0803a1ca7da6ca4b6a0971b24f823b0b1f1f781f050698c1f9cae245fd0331f00bd31617fbb88be96e038290b89952b2502f5ec

Download Submit
C:\Windows\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe

Filesize
372KB

MD5
91f97849845268b209dc74f3b5f8f2ad

SHA1
1ae2d56f3b6d3f6b6345fe6c97cddc5913e6afc3

SHA256
a419ec0ae215070de8babb841bcc6a7685b89ddbe88d508c1c23b4555c110129

SHA512
64b28060fca9b8e4a5530e0799da77d522a61585e87604bb2c9f8a32cad02edb65d7543e020607b108bd5398e857551746bd90036f505086ca0706111f59df7a

Download Submit
C:\Windows\{AC66C14D-2638-4fa8-9D1E-6278395ECE27}.exe

Filesize
372KB

MD5
91f97849845268b209dc74f3b5f8f2ad

SHA1
1ae2d56f3b6d3f6b6345fe6c97cddc5913e6afc3

SHA256
a419ec0ae215070de8babb841bcc6a7685b89ddbe88d508c1c23b4555c110129

SHA512
64b28060fca9b8e4a5530e0799da77d522a61585e87604bb2c9f8a32cad02edb65d7543e020607b108bd5398e857551746bd90036f505086ca0706111f59df7a

Download Submit
C:\Windows\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe

Filesize
372KB

MD5
7669fe57cbb6126a965a9c93991ea186

SHA1
dbb9f0621e17ad09e22ce1de2aec81aa39e43284

SHA256
5fa75b4df786ea60492c2f2fee2415dd84a20fafb5380f889deb2c850f03b3af

SHA512
12ce0a0bfd94d664d137ee717996f63ede2fa08f1796fca31e52fd9cc245d8302a58550b873744ff15db4cca90a54c853c4d150ff03cb5571475473f8ad4d48e

Download Submit
C:\Windows\{D699DE5F-A4EB-42f8-9808-21B9FFDDF94B}.exe

Filesize
372KB

MD5
7669fe57cbb6126a965a9c93991ea186

SHA1
dbb9f0621e17ad09e22ce1de2aec81aa39e43284

SHA256
5fa75b4df786ea60492c2f2fee2415dd84a20fafb5380f889deb2c850f03b3af

SHA512
12ce0a0bfd94d664d137ee717996f63ede2fa08f1796fca31e52fd9cc245d8302a58550b873744ff15db4cca90a54c853c4d150ff03cb5571475473f8ad4d48e

Download Submit
C:\Windows\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe

Filesize
372KB

MD5
5c9c0b9c8056ba354f544b849b53c4cb

SHA1
ab45768d160d038b055c6dd187e7fcbaf9db2eea

SHA256
ea0c535d438e03ecee37cac11f3099871b7f09bf19b1682e9a554fee939b5214

SHA512
be010e2f9c9b18546e87dccbb3e4fd8f95f9b1064084631774d02307027e9748c04d23d9b6f300d1d52e5d1c090816135254152a0b6ea9930b742ae6e4ad30eb

Download Submit
C:\Windows\{EC7FCF22-5B87-42a2-9EAB-C525B768F916}.exe

Filesize
372KB

MD5
5c9c0b9c8056ba354f544b849b53c4cb

SHA1
ab45768d160d038b055c6dd187e7fcbaf9db2eea

SHA256
ea0c535d438e03ecee37cac11f3099871b7f09bf19b1682e9a554fee939b5214

SHA512
be010e2f9c9b18546e87dccbb3e4fd8f95f9b1064084631774d02307027e9748c04d23d9b6f300d1d52e5d1c090816135254152a0b6ea9930b742ae6e4ad30eb

Download Submit
C:\Windows\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe

Filesize
372KB

MD5
4644ac551bcc9de320ec9d3e5256ecaa

SHA1
c185f9558cb37a19371df3dd9d220da2cb96e317

SHA256
1ef3aca1393ce7fd6a341f510ef93a7d270e974a48d3f3fd8b0e653fe4cf8c50

SHA512
78a01beb0441ce19e007b0e7ff2a66c7bc74ad7898cb8b32db02550ca88d95f2583c85a0ae2c1ebc45c0cf9dac7876ac1a44e3e91a49739fc7c5111177b6994a

Download Submit
C:\Windows\{EE2C6D1E-75C8-4501-B65F-B5040882A1DE}.exe

Filesize
372KB

MD5
4644ac551bcc9de320ec9d3e5256ecaa

SHA1
c185f9558cb37a19371df3dd9d220da2cb96e317

SHA256
1ef3aca1393ce7fd6a341f510ef93a7d270e974a48d3f3fd8b0e653fe4cf8c50

SHA512
78a01beb0441ce19e007b0e7ff2a66c7bc74ad7898cb8b32db02550ca88d95f2583c85a0ae2c1ebc45c0cf9dac7876ac1a44e3e91a49739fc7c5111177b6994a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads