be8e9eb0cf688f1f6eb31fb990134c75afa6d38a0c49e21103521a716f9b2d43

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Size

168KB
MD5

85a008b877c00b98c4245b7fb1d39144
SHA1

a5c10a4dba629d42281063458b03a524ef73e3c8
SHA256

be8e9eb0cf688f1f6eb31fb990134c75afa6d38a0c49e21103521a716f9b2d43
SHA512

9e07ffd071a2a9cf2e84af84cd5298854f235bf7489b6c13a271b37fa5c249e8145b85c3d4967788f3981a5efc68a2971560eb2f4f03fd51561a09aac68dcd37
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3942333C-A48F-4b2a-BF01-1921AD9E508B}\stubpath = "C:\\Windows\\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe"	{390BCE55-1020-48b8-995D-BC43608687BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1535AC90-745B-4a33-834C-F8BFA74CDB14}\stubpath = "C:\\Windows\\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe"	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}\stubpath = "C:\\Windows\\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe"	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC506023-B861-402f-9571-EDE192B83719}	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}\stubpath = "C:\\Windows\\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe"	{EC506023-B861-402f-9571-EDE192B83719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D06F631-1D32-42c9-8218-736B0BE2DC58}	{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390BCE55-1020-48b8-995D-BC43608687BA}\stubpath = "C:\\Windows\\{390BCE55-1020-48b8-995D-BC43608687BA}.exe"	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1535AC90-745B-4a33-834C-F8BFA74CDB14}	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6775728F-95E0-4de6-B96B-25CB2390BF65}	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}	{EC506023-B861-402f-9571-EDE192B83719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}\stubpath = "C:\\Windows\\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe"	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6775728F-95E0-4de6-B96B-25CB2390BF65}\stubpath = "C:\\Windows\\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe"	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC506023-B861-402f-9571-EDE192B83719}\stubpath = "C:\\Windows\\{EC506023-B861-402f-9571-EDE192B83719}.exe"	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D06F631-1D32-42c9-8218-736B0BE2DC58}\stubpath = "C:\\Windows\\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe"	{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0B7614E-2B9C-4bcf-9808-451B7155793F}	{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0B7614E-2B9C-4bcf-9808-451B7155793F}\stubpath = "C:\\Windows\\{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe"	{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{390BCE55-1020-48b8-995D-BC43608687BA}	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3942333C-A48F-4b2a-BF01-1921AD9E508B}	{390BCE55-1020-48b8-995D-BC43608687BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}\stubpath = "C:\\Windows\\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe"	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe

Deletes itself 1 IoCs

pid	Process
1136	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe
2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
2680	{EC506023-B861-402f-9571-EDE192B83719}.exe
1556	{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
2468	{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe
1716	{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
File created	C:\Windows\{EC506023-B861-402f-9571-EDE192B83719}.exe	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
File created	C:\Windows\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe	{EC506023-B861-402f-9571-EDE192B83719}.exe
File created	C:\Windows\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe	{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
File created	C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
File created	C:\Windows\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
File created	C:\Windows\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
File created	C:\Windows\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
File created	C:\Windows\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	{390BCE55-1020-48b8-995D-BC43608687BA}.exe
File created	C:\Windows\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
File created	C:\Windows\{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe	{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe
Token: SeIncBasePriorityPrivilege	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
Token: SeIncBasePriorityPrivilege	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
Token: SeIncBasePriorityPrivilege	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
Token: SeIncBasePriorityPrivilege	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
Token: SeIncBasePriorityPrivilege	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
Token: SeIncBasePriorityPrivilege	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
Token: SeIncBasePriorityPrivilege	2680	{EC506023-B861-402f-9571-EDE192B83719}.exe
Token: SeIncBasePriorityPrivilege	1556	{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
Token: SeIncBasePriorityPrivilege	2468	{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2192	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	28
PID 2616 wrote to memory of 2192	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	28
PID 2616 wrote to memory of 2192	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	28
PID 2616 wrote to memory of 2192	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	28
PID 2616 wrote to memory of 1136	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	29
PID 2616 wrote to memory of 1136	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	29
PID 2616 wrote to memory of 1136	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	29
PID 2616 wrote to memory of 1136	2616	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	29
PID 2192 wrote to memory of 2972	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	32
PID 2192 wrote to memory of 2972	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	32
PID 2192 wrote to memory of 2972	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	32
PID 2192 wrote to memory of 2972	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	32
PID 2192 wrote to memory of 2860	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	33
PID 2192 wrote to memory of 2860	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	33
PID 2192 wrote to memory of 2860	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	33
PID 2192 wrote to memory of 2860	2192	{390BCE55-1020-48b8-995D-BC43608687BA}.exe	33
PID 2972 wrote to memory of 2708	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	34
PID 2972 wrote to memory of 2708	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	34
PID 2972 wrote to memory of 2708	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	34
PID 2972 wrote to memory of 2708	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	34
PID 2972 wrote to memory of 3036	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	35
PID 2972 wrote to memory of 3036	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	35
PID 2972 wrote to memory of 3036	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	35
PID 2972 wrote to memory of 3036	2972	{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe	35
PID 2708 wrote to memory of 2728	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	36
PID 2708 wrote to memory of 2728	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	36
PID 2708 wrote to memory of 2728	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	36
PID 2708 wrote to memory of 2728	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	36
PID 2708 wrote to memory of 2316	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	37
PID 2708 wrote to memory of 2316	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	37
PID 2708 wrote to memory of 2316	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	37
PID 2708 wrote to memory of 2316	2708	{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe	37
PID 2728 wrote to memory of 2872	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	38
PID 2728 wrote to memory of 2872	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	38
PID 2728 wrote to memory of 2872	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	38
PID 2728 wrote to memory of 2872	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	38
PID 2728 wrote to memory of 2000	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	39
PID 2728 wrote to memory of 2000	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	39
PID 2728 wrote to memory of 2000	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	39
PID 2728 wrote to memory of 2000	2728	{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe	39
PID 2872 wrote to memory of 2716	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	40
PID 2872 wrote to memory of 2716	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	40
PID 2872 wrote to memory of 2716	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	40
PID 2872 wrote to memory of 2716	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	40
PID 2872 wrote to memory of 2776	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	41
PID 2872 wrote to memory of 2776	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	41
PID 2872 wrote to memory of 2776	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	41
PID 2872 wrote to memory of 2776	2872	{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe	41
PID 2716 wrote to memory of 2436	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	42
PID 2716 wrote to memory of 2436	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	42
PID 2716 wrote to memory of 2436	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	42
PID 2716 wrote to memory of 2436	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	42
PID 2716 wrote to memory of 2364	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	43
PID 2716 wrote to memory of 2364	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	43
PID 2716 wrote to memory of 2364	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	43
PID 2716 wrote to memory of 2364	2716	{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe	43
PID 2436 wrote to memory of 2680	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	44
PID 2436 wrote to memory of 2680	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	44
PID 2436 wrote to memory of 2680	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	44
PID 2436 wrote to memory of 2680	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	44
PID 2436 wrote to memory of 1948	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	45
PID 2436 wrote to memory of 1948	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	45
PID 2436 wrote to memory of 1948	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	45
PID 2436 wrote to memory of 1948	2436	{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe	45

C:\Users\Admin\AppData\Local\Temp\85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe
  C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
    C:\Windows\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
      C:\Windows\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
        
        C:\Windows\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
        
        C:\Windows\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
        
        C:\Windows\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
        
        C:\Windows\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{EC506023-B861-402f-9571-EDE192B83719}.exe
        
        C:\Windows\{EC506023-B861-402f-9571-EDE192B83719}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
        
        C:\Windows\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe
        
        C:\Windows\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe
        
        C:\Windows\{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D06F~1.EXE > nul
        12⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A0E~1.EXE > nul
        11⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC506~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67757~1.EXE > nul
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9AB~1.EXE > nul
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{552FF~1.EXE > nul
        7⤵
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1535A~1.EXE > nul
        6⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD499~1.EXE > nul
        5⤵
        
        PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39423~1.EXE > nul
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{390BC~1.EXE > nul
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\85A008~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe

Filesize
168KB

MD5
3ab42e8ea0aea2966fb17b31a9a42eec

SHA1
357c069f9c65b7d3eeba9f2abf1bd4a316e5e0e7

SHA256
002e84c94c57d3d0b711a8248eb39be6bdec7651740d7c8da8ca07e4ccca2f49

SHA512
3e380c711755ec27f288a96236f916da52b8abc0bff7032e1b4f4c495e90839f189f2afe70b3a4c5f9239cf467ac5e37185cdd5a450f0472275e5cdb6702c813

Download Submit
C:\Windows\{1535AC90-745B-4a33-834C-F8BFA74CDB14}.exe

Filesize
168KB

MD5
3ab42e8ea0aea2966fb17b31a9a42eec

SHA1
357c069f9c65b7d3eeba9f2abf1bd4a316e5e0e7

SHA256
002e84c94c57d3d0b711a8248eb39be6bdec7651740d7c8da8ca07e4ccca2f49

SHA512
3e380c711755ec27f288a96236f916da52b8abc0bff7032e1b4f4c495e90839f189f2afe70b3a4c5f9239cf467ac5e37185cdd5a450f0472275e5cdb6702c813

Download Submit
C:\Windows\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe

Filesize
168KB

MD5
705a95a7453fe419454647d9ae11b93e

SHA1
e4e2b4b16aecc379d18b0b49414f2cbe786113d7

SHA256
57b92534e82facd46b9e27364ff3ae797fc4a748f438566a60edad114958824c

SHA512
80465ff72a3831e844b47751a206160c2c97e684351b144b8fc44a078f13732df47966944c997e221a575b6c725b882c119b0d17646121fd112962d53ad7a9cf

Download Submit
C:\Windows\{17A0EC3C-6133-4ff4-9CFE-5A1ADF34E95C}.exe

Filesize
168KB

MD5
705a95a7453fe419454647d9ae11b93e

SHA1
e4e2b4b16aecc379d18b0b49414f2cbe786113d7

SHA256
57b92534e82facd46b9e27364ff3ae797fc4a748f438566a60edad114958824c

SHA512
80465ff72a3831e844b47751a206160c2c97e684351b144b8fc44a078f13732df47966944c997e221a575b6c725b882c119b0d17646121fd112962d53ad7a9cf

Download Submit
C:\Windows\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe

Filesize
168KB

MD5
771192705b6834321cd6aa3b8e06ddb0

SHA1
3e8e8ca663cb3e65807ec3222451c1041ac85a70

SHA256
389a8183436c72544c440f5df6fa0939adebff8e222a1f1df3cb36be49cfb86a

SHA512
becb78ed9f69fe6838490e45d70cf50b33f96fc545ed2e0088aaf00e3caf226f558dd3cb40fd4c0ac3ce02299ca8c036b8291a9b3aec1b0e1035aa02284ed2f6

Download Submit
C:\Windows\{2D06F631-1D32-42c9-8218-736B0BE2DC58}.exe

Filesize
168KB

MD5
771192705b6834321cd6aa3b8e06ddb0

SHA1
3e8e8ca663cb3e65807ec3222451c1041ac85a70

SHA256
389a8183436c72544c440f5df6fa0939adebff8e222a1f1df3cb36be49cfb86a

SHA512
becb78ed9f69fe6838490e45d70cf50b33f96fc545ed2e0088aaf00e3caf226f558dd3cb40fd4c0ac3ce02299ca8c036b8291a9b3aec1b0e1035aa02284ed2f6

Download Submit
C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe

Filesize
168KB

MD5
f4505b99e20eaab46de204ac09ecf7f0

SHA1
ae7ad8cef8fd8605421637ae3e2520f25dc57a52

SHA256
a2bf9105d083f265c2825065effb9742f7cad7af503de3e82b04e3b6071196dc

SHA512
134fc441d44bc3f32dbb8ae72f46b19e173a3b1603db30f0b1aea50f55fc42e535192a92caa422795074b0ddf6a96f98566bfedf08ec829c0597fa46c4cec530

Download Submit
C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe

Filesize
168KB

MD5
f4505b99e20eaab46de204ac09ecf7f0

SHA1
ae7ad8cef8fd8605421637ae3e2520f25dc57a52

SHA256
a2bf9105d083f265c2825065effb9742f7cad7af503de3e82b04e3b6071196dc

SHA512
134fc441d44bc3f32dbb8ae72f46b19e173a3b1603db30f0b1aea50f55fc42e535192a92caa422795074b0ddf6a96f98566bfedf08ec829c0597fa46c4cec530

Download Submit
C:\Windows\{390BCE55-1020-48b8-995D-BC43608687BA}.exe

Filesize
168KB

MD5
f4505b99e20eaab46de204ac09ecf7f0

SHA1
ae7ad8cef8fd8605421637ae3e2520f25dc57a52

SHA256
a2bf9105d083f265c2825065effb9742f7cad7af503de3e82b04e3b6071196dc

SHA512
134fc441d44bc3f32dbb8ae72f46b19e173a3b1603db30f0b1aea50f55fc42e535192a92caa422795074b0ddf6a96f98566bfedf08ec829c0597fa46c4cec530

Download Submit
C:\Windows\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe

Filesize
168KB

MD5
fef141322e92e5328e802f0f42b3bf5a

SHA1
22fe5d91ef86d8a4cd4b729b6d90910cb078d0ea

SHA256
e6cbaa843561897f673e108c2d5a6b950ed8e86e671aa6ae675f88b21a0d6314

SHA512
f59c57c11269544bae7a2a641b288b6a24e52d082f5cf61d98e559ea4da367fd131d8e8af00a6b069b44c8d535963baae5ea09b839414a7708a645cb905eb927

Download Submit
C:\Windows\{3942333C-A48F-4b2a-BF01-1921AD9E508B}.exe

Filesize
168KB

MD5
fef141322e92e5328e802f0f42b3bf5a

SHA1
22fe5d91ef86d8a4cd4b729b6d90910cb078d0ea

SHA256
e6cbaa843561897f673e108c2d5a6b950ed8e86e671aa6ae675f88b21a0d6314

SHA512
f59c57c11269544bae7a2a641b288b6a24e52d082f5cf61d98e559ea4da367fd131d8e8af00a6b069b44c8d535963baae5ea09b839414a7708a645cb905eb927

Download Submit
C:\Windows\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe

Filesize
168KB

MD5
29eebb91884a456c0f37672a7b27a084

SHA1
4b953e66c52a797fbd9223c1869e883df90348f5

SHA256
9caae518e4fac8b70af83ec88cb2e41d452014864470495d95f8993643dc1ee4

SHA512
697707c5b4b9b9ade57d547d7e724474dcbfc2833de91939f44a58ba4645b8535ddf54356d0b88e772d6950c3dd4a82aa7be0d8c9c247367f3861d6a6a518634

Download Submit
C:\Windows\{552FF645-8F9D-44e1-8C6F-8278D7C5828A}.exe

Filesize
168KB

MD5
29eebb91884a456c0f37672a7b27a084

SHA1
4b953e66c52a797fbd9223c1869e883df90348f5

SHA256
9caae518e4fac8b70af83ec88cb2e41d452014864470495d95f8993643dc1ee4

SHA512
697707c5b4b9b9ade57d547d7e724474dcbfc2833de91939f44a58ba4645b8535ddf54356d0b88e772d6950c3dd4a82aa7be0d8c9c247367f3861d6a6a518634

Download Submit
C:\Windows\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe

Filesize
168KB

MD5
eca07269c8e39d56a30d539ea5c2cbb5

SHA1
4fade42f9d9fb5f149c57bb7ec307c02ab9025d4

SHA256
eff4825133d27a029f7505298851873799966ef4bda34241d2902f29c626de92

SHA512
adbf92ec6c1dba254bd2b66a32550f103a1f8a5bfbc0fbe7ba7a2b5c4fcbddff9b590b17c35e1d02476ab36000e22e9d578f883d5dde53e02ca96333b7b157c5

Download Submit
C:\Windows\{6775728F-95E0-4de6-B96B-25CB2390BF65}.exe

Filesize
168KB

MD5
eca07269c8e39d56a30d539ea5c2cbb5

SHA1
4fade42f9d9fb5f149c57bb7ec307c02ab9025d4

SHA256
eff4825133d27a029f7505298851873799966ef4bda34241d2902f29c626de92

SHA512
adbf92ec6c1dba254bd2b66a32550f103a1f8a5bfbc0fbe7ba7a2b5c4fcbddff9b590b17c35e1d02476ab36000e22e9d578f883d5dde53e02ca96333b7b157c5

Download Submit
C:\Windows\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe

Filesize
168KB

MD5
cb87b4976e8b00554097bf123fa2431b

SHA1
f5432484771472117960d7ceda4b9878b03fd688

SHA256
54d0dfc48d315aae92188efe8326af73a2e2136d61f9e4656932dc1f977c4e30

SHA512
9b9204f82e62ea1de972d6655053598a7f540ca7d2dcddf9b1774ab7745cbc900c26987fa7ef3ce69fbcc3b7ddc9b87d792b3270f619fd3ae38b057e836b510d

Download Submit
C:\Windows\{8D9ABED5-77D7-41eb-9BB0-953E1E82D60A}.exe

Filesize
168KB

MD5
cb87b4976e8b00554097bf123fa2431b

SHA1
f5432484771472117960d7ceda4b9878b03fd688

SHA256
54d0dfc48d315aae92188efe8326af73a2e2136d61f9e4656932dc1f977c4e30

SHA512
9b9204f82e62ea1de972d6655053598a7f540ca7d2dcddf9b1774ab7745cbc900c26987fa7ef3ce69fbcc3b7ddc9b87d792b3270f619fd3ae38b057e836b510d

Download Submit
C:\Windows\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe

Filesize
168KB

MD5
60f9dd82fba0d04f947922a0616dd546

SHA1
f882448d504ef5d800e95347d21e850edfefc4dd

SHA256
dad7d03a7b0bb7816ae8b63603582a86e205e98a716095e68af8b756fb4b8c42

SHA512
e787f6691a7c99ee33bf15dc53a893200024ded3ebd7a2964d9e6d8b6843daec2b191e9d8eb21d0c006a7ec14c19d92d54f1c7625fb9b101816ff39fb204f5ac

Download Submit
C:\Windows\{AD4997EB-814A-4f7e-8EA6-D8417E640B33}.exe

Filesize
168KB

MD5
60f9dd82fba0d04f947922a0616dd546

SHA1
f882448d504ef5d800e95347d21e850edfefc4dd

SHA256
dad7d03a7b0bb7816ae8b63603582a86e205e98a716095e68af8b756fb4b8c42

SHA512
e787f6691a7c99ee33bf15dc53a893200024ded3ebd7a2964d9e6d8b6843daec2b191e9d8eb21d0c006a7ec14c19d92d54f1c7625fb9b101816ff39fb204f5ac

Download Submit
C:\Windows\{EC506023-B861-402f-9571-EDE192B83719}.exe

Filesize
168KB

MD5
43ef891709f779c2911ca394be63cd74

SHA1
0c5b8ab3258ddd46c0bba017ed80a7b37c084ec6

SHA256
f3e6a5708f1a7959c642af84dfc00845eeb232712d5c7217b621fe3ef527a594

SHA512
6f1225428fc0432b070b39ee21846f42f3faa7ea2df30edc87efed539fc5d3589844f9e648bda64bdf483d064ea881b3c16c116a576352eb8b9068803e25eb15

Download Submit
C:\Windows\{EC506023-B861-402f-9571-EDE192B83719}.exe

Filesize
168KB

MD5
43ef891709f779c2911ca394be63cd74

SHA1
0c5b8ab3258ddd46c0bba017ed80a7b37c084ec6

SHA256
f3e6a5708f1a7959c642af84dfc00845eeb232712d5c7217b621fe3ef527a594

SHA512
6f1225428fc0432b070b39ee21846f42f3faa7ea2df30edc87efed539fc5d3589844f9e648bda64bdf483d064ea881b3c16c116a576352eb8b9068803e25eb15

Download Submit
C:\Windows\{F0B7614E-2B9C-4bcf-9808-451B7155793F}.exe

Filesize
168KB

MD5
874578dd85d0a64fd0eb9e910961216c

SHA1
2e87e99e5b2ca514226574c55d330ef4354affec

SHA256
dd67986314b0528da46a0435241d411efa2c9064c763da9a62e3c18481c478c6

SHA512
cbfdb9395ada27c68306ef45101114056874bc3aeeaa872a12ebb13b962489c1b39f9c2deeb30ef93738e4f1afd6fa90ad4ab0139939b8e0cc3e45fca7ce4d22

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads