df8e064816add3f5c8ea6583b3a9fa0d413b7177871d3c522dfa6e3e4b77b362

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
Size

216KB
MD5

d82b9b3a71c9b23964129878db0bb6c1
SHA1

d3a35cf46e58880543a38a092e94746305e8fa98
SHA256

df8e064816add3f5c8ea6583b3a9fa0d413b7177871d3c522dfa6e3e4b77b362
SHA512

0f65424c2f4f0218c44cbe6eea5e18fedbaae30515513cd7a1dc7c93831aa3305375158b2ee50df7c5f3c34ce6edd55b82d1cc52bbb0a2d778cc25a236b42c25
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGhlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}\stubpath = "C:\\Windows\\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe"	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}\stubpath = "C:\\Windows\\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe"	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30397D22-F099-4045-B66B-2E781096B84C}	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}\stubpath = "C:\\Windows\\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe"	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97106934-4719-49c9-A008-7721C8FCDA6D}\stubpath = "C:\\Windows\\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe"	{30397D22-F099-4045-B66B-2E781096B84C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}	{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}	{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}\stubpath = "C:\\Windows\\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe"	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}\stubpath = "C:\\Windows\\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe"	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}\stubpath = "C:\\Windows\\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe"	{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97106934-4719-49c9-A008-7721C8FCDA6D}	{30397D22-F099-4045-B66B-2E781096B84C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}\stubpath = "C:\\Windows\\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe"	{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}\stubpath = "C:\\Windows\\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe"	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}\stubpath = "C:\\Windows\\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe"	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30397D22-F099-4045-B66B-2E781096B84C}\stubpath = "C:\\Windows\\{30397D22-F099-4045-B66B-2E781096B84C}.exe"	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
1876	{30397D22-F099-4045-B66B-2E781096B84C}.exe
2156	{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
2076	{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe
2092	{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
File created	C:\Windows\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
File created	C:\Windows\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
File created	C:\Windows\{30397D22-F099-4045-B66B-2E781096B84C}.exe	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
File created	C:\Windows\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe	{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
File created	C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
File created	C:\Windows\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
File created	C:\Windows\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
File created	C:\Windows\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
File created	C:\Windows\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe	{30397D22-F099-4045-B66B-2E781096B84C}.exe
File created	C:\Windows\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe	{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
Token: SeIncBasePriorityPrivilege	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
Token: SeIncBasePriorityPrivilege	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
Token: SeIncBasePriorityPrivilege	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
Token: SeIncBasePriorityPrivilege	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
Token: SeIncBasePriorityPrivilege	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
Token: SeIncBasePriorityPrivilege	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
Token: SeIncBasePriorityPrivilege	1876	{30397D22-F099-4045-B66B-2E781096B84C}.exe
Token: SeIncBasePriorityPrivilege	2156	{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
Token: SeIncBasePriorityPrivilege	2076	{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2212	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	28
PID 2572 wrote to memory of 2212	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	28
PID 2572 wrote to memory of 2212	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	28
PID 2572 wrote to memory of 2212	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	28
PID 2572 wrote to memory of 2476	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	29
PID 2572 wrote to memory of 2476	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	29
PID 2572 wrote to memory of 2476	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	29
PID 2572 wrote to memory of 2476	2572	d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe	29
PID 2212 wrote to memory of 2472	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	32
PID 2212 wrote to memory of 2472	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	32
PID 2212 wrote to memory of 2472	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	32
PID 2212 wrote to memory of 2472	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	32
PID 2212 wrote to memory of 2828	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	33
PID 2212 wrote to memory of 2828	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	33
PID 2212 wrote to memory of 2828	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	33
PID 2212 wrote to memory of 2828	2212	{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe	33
PID 2472 wrote to memory of 2152	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	34
PID 2472 wrote to memory of 2152	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	34
PID 2472 wrote to memory of 2152	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	34
PID 2472 wrote to memory of 2152	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	34
PID 2472 wrote to memory of 3036	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	35
PID 2472 wrote to memory of 3036	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	35
PID 2472 wrote to memory of 3036	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	35
PID 2472 wrote to memory of 3036	2472	{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe	35
PID 2152 wrote to memory of 2764	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	37
PID 2152 wrote to memory of 2764	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	37
PID 2152 wrote to memory of 2764	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	37
PID 2152 wrote to memory of 2764	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	37
PID 2152 wrote to memory of 2712	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	36
PID 2152 wrote to memory of 2712	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	36
PID 2152 wrote to memory of 2712	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	36
PID 2152 wrote to memory of 2712	2152	{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe	36
PID 2764 wrote to memory of 2740	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	38
PID 2764 wrote to memory of 2740	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	38
PID 2764 wrote to memory of 2740	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	38
PID 2764 wrote to memory of 2740	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	38
PID 2764 wrote to memory of 2436	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	39
PID 2764 wrote to memory of 2436	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	39
PID 2764 wrote to memory of 2436	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	39
PID 2764 wrote to memory of 2436	2764	{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe	39
PID 2740 wrote to memory of 2760	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	40
PID 2740 wrote to memory of 2760	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	40
PID 2740 wrote to memory of 2760	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	40
PID 2740 wrote to memory of 2760	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	40
PID 2740 wrote to memory of 1732	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	41
PID 2740 wrote to memory of 1732	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	41
PID 2740 wrote to memory of 1732	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	41
PID 2740 wrote to memory of 1732	2740	{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe	41
PID 2760 wrote to memory of 572	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	43
PID 2760 wrote to memory of 572	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	43
PID 2760 wrote to memory of 572	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	43
PID 2760 wrote to memory of 572	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	43
PID 2760 wrote to memory of 1116	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	42
PID 2760 wrote to memory of 1116	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	42
PID 2760 wrote to memory of 1116	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	42
PID 2760 wrote to memory of 1116	2760	{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe	42
PID 572 wrote to memory of 1876	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	44
PID 572 wrote to memory of 1876	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	44
PID 572 wrote to memory of 1876	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	44
PID 572 wrote to memory of 1876	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	44
PID 572 wrote to memory of 1860	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	45
PID 572 wrote to memory of 1860	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	45
PID 572 wrote to memory of 1860	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	45
PID 572 wrote to memory of 1860	572	{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe	45

C:\Users\Admin\AppData\Local\Temp\d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d82b9b3a71c9b23964129878db0bb6c1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
  C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
    C:\Windows\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
      C:\Windows\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24A6D~1.EXE > nul
        5⤵
        
        PID:2712
    - - C:\Windows\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
        
        C:\Windows\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
        
        C:\Windows\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
        
        C:\Windows\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FF9~1.EXE > nul
        8⤵
        
        PID:1116
        
        C:\Windows\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
        
        C:\Windows\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\{30397D22-F099-4045-B66B-2E781096B84C}.exe
        
        C:\Windows\{30397D22-F099-4045-B66B-2E781096B84C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
        
        C:\Windows\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe
        
        C:\Windows\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe
        
        C:\Windows\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe
        12⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C1BA~1.EXE > nul
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97106~1.EXE > nul
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30397~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF95~1.EXE > nul
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED95F~1.EXE > nul
        7⤵
        
        PID:1732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE06~1.EXE > nul
        6⤵
        
        PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB62~1.EXE > nul
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D817~1.EXE > nul
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D82B9B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe

Filesize
216KB

MD5
349604307ce2f4e9ad27f8a1c6ffdd85

SHA1
ec89f1e7b32099ca19882ebbdb17ee5f7411a72e

SHA256
81614c86c87f3e803f7cb7e514b0df65910f0ecfeae7b245addcd3158ef8fb45

SHA512
c08c7f56cc70d983695e48beb0f9e44d87107dbe61b49ad01669d6814d0c3f56efadd4d0723681dafc2b055d70a097d53343020e910636799df333319e492f0e

Download Submit
C:\Windows\{24A6D527-308C-47d7-AC80-E2ADB3ADCCDE}.exe

Filesize
216KB

MD5
349604307ce2f4e9ad27f8a1c6ffdd85

SHA1
ec89f1e7b32099ca19882ebbdb17ee5f7411a72e

SHA256
81614c86c87f3e803f7cb7e514b0df65910f0ecfeae7b245addcd3158ef8fb45

SHA512
c08c7f56cc70d983695e48beb0f9e44d87107dbe61b49ad01669d6814d0c3f56efadd4d0723681dafc2b055d70a097d53343020e910636799df333319e492f0e

Download Submit
C:\Windows\{30397D22-F099-4045-B66B-2E781096B84C}.exe

Filesize
216KB

MD5
6193da19967c85cc9420ea489794caa5

SHA1
31352821baef4e3e22487e01d0670ff775474225

SHA256
e727a2edc7296e5627bf9670c6723f5564aa631710d0641eab4bfd824ba54ba4

SHA512
49b04a93768e13db1e8cce801c0fda17af3f364ff45a0b496a069452993e595bb040ec137049d6e8202425e9d941fe1e2419349c01cda65cd76f960dce32918a

Download Submit
C:\Windows\{30397D22-F099-4045-B66B-2E781096B84C}.exe

Filesize
216KB

MD5
6193da19967c85cc9420ea489794caa5

SHA1
31352821baef4e3e22487e01d0670ff775474225

SHA256
e727a2edc7296e5627bf9670c6723f5564aa631710d0641eab4bfd824ba54ba4

SHA512
49b04a93768e13db1e8cce801c0fda17af3f364ff45a0b496a069452993e595bb040ec137049d6e8202425e9d941fe1e2419349c01cda65cd76f960dce32918a

Download Submit
C:\Windows\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe

Filesize
216KB

MD5
17e02b58f433feb030c6a5cfdf83b538

SHA1
81a464f04287c7e02575d904e61a9658379560a7

SHA256
885f3c4b7e69597e215d9db51bac0ba1ae68826ac0187ea17f45364c1287bc71

SHA512
fb8dedfe15caa161181fc3d54d4ac47fdf15230b9fcddb6652cc9be650274a0b24fc0e3c879ba595275463860fffe6e1696f5d41ae151399eef2b0937bca2d84

Download Submit
C:\Windows\{5DB62A2F-4BA1-4bef-9533-D5029EE7B509}.exe

Filesize
216KB

MD5
17e02b58f433feb030c6a5cfdf83b538

SHA1
81a464f04287c7e02575d904e61a9658379560a7

SHA256
885f3c4b7e69597e215d9db51bac0ba1ae68826ac0187ea17f45364c1287bc71

SHA512
fb8dedfe15caa161181fc3d54d4ac47fdf15230b9fcddb6652cc9be650274a0b24fc0e3c879ba595275463860fffe6e1696f5d41ae151399eef2b0937bca2d84

Download Submit
C:\Windows\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe

Filesize
216KB

MD5
def649291638ed1626805bd713c596e9

SHA1
334d0653cee1255b6096557b1ff6177c66da44ed

SHA256
0d434f0f91417a2c0e32967c3a6f2f7f81fff05aa8479e47f1de0bbc8d0381a0

SHA512
6a826daa5940059b7470d76ce53b9463c10a6200a7831efb895ea021f7eefc3bcb0dd16406bbdc81671e799ba5c591c7cf366b91b25e2935239bb68d5a84c5d5

Download Submit
C:\Windows\{8BE06322-24A4-45f9-82C8-0FE2D6FC5391}.exe

Filesize
216KB

MD5
def649291638ed1626805bd713c596e9

SHA1
334d0653cee1255b6096557b1ff6177c66da44ed

SHA256
0d434f0f91417a2c0e32967c3a6f2f7f81fff05aa8479e47f1de0bbc8d0381a0

SHA512
6a826daa5940059b7470d76ce53b9463c10a6200a7831efb895ea021f7eefc3bcb0dd16406bbdc81671e799ba5c591c7cf366b91b25e2935239bb68d5a84c5d5

Download Submit
C:\Windows\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe

Filesize
216KB

MD5
cc9afaecb1fea45393053a1cb6c7b55c

SHA1
2411bb86744e9c5175c91d8f4c0826d115111309

SHA256
f818b0cbb6041dacdd54647b107097cf9eca558fff824cf6ee1b9c92d00d9f30

SHA512
dda75b9661aad6ce74a1e75ea778aad913c8212e3bad3bc2958eb981bf584f1818cdca679a4a9edd0881d41f94fb7f7c49febb9a4e2bcd5cce81248ec0ca459d

Download Submit
C:\Windows\{97106934-4719-49c9-A008-7721C8FCDA6D}.exe

Filesize
216KB

MD5
cc9afaecb1fea45393053a1cb6c7b55c

SHA1
2411bb86744e9c5175c91d8f4c0826d115111309

SHA256
f818b0cbb6041dacdd54647b107097cf9eca558fff824cf6ee1b9c92d00d9f30

SHA512
dda75b9661aad6ce74a1e75ea778aad913c8212e3bad3bc2958eb981bf584f1818cdca679a4a9edd0881d41f94fb7f7c49febb9a4e2bcd5cce81248ec0ca459d

Download Submit
C:\Windows\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe

Filesize
216KB

MD5
8112edcc3fb9bacefbd3005219576f37

SHA1
6b7683d427f724084040184aa4cca9bc6afb2a5d

SHA256
36dfed469a415eb678d42dab0a77cdf121b1c0793e07c3723bf27249efc4a0c1

SHA512
768d5706f7a907590e3689606ad7f77c22d172e32548cdf0fb37a82ec3f729212ba5f05b4bcac86b0ee696c56bfd18e7e34c7d94bf3b0a5821c0170b614a2496

Download Submit
C:\Windows\{9C1BAF0D-5C57-4eb4-BCB5-312CC9DB1194}.exe

Filesize
216KB

MD5
8112edcc3fb9bacefbd3005219576f37

SHA1
6b7683d427f724084040184aa4cca9bc6afb2a5d

SHA256
36dfed469a415eb678d42dab0a77cdf121b1c0793e07c3723bf27249efc4a0c1

SHA512
768d5706f7a907590e3689606ad7f77c22d172e32548cdf0fb37a82ec3f729212ba5f05b4bcac86b0ee696c56bfd18e7e34c7d94bf3b0a5821c0170b614a2496

Download Submit
C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe

Filesize
216KB

MD5
e8514b1708acae15a78547e0ce4f3156

SHA1
6eb794bc5281537deb96526fabe8a16f52d5eaf7

SHA256
7b5ec3a364e4f2ba37a3b6270ba74bceef2cecc96760aa55505440c85beffa87

SHA512
5eeb403c987485e4a4c6c943621144372dc47157d8de1444035326c656a23a96a7935df5e3861be2e51ff312bbec795a917be82594bfd2817729bac5163c9b76

Download Submit
C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe

Filesize
216KB

MD5
e8514b1708acae15a78547e0ce4f3156

SHA1
6eb794bc5281537deb96526fabe8a16f52d5eaf7

SHA256
7b5ec3a364e4f2ba37a3b6270ba74bceef2cecc96760aa55505440c85beffa87

SHA512
5eeb403c987485e4a4c6c943621144372dc47157d8de1444035326c656a23a96a7935df5e3861be2e51ff312bbec795a917be82594bfd2817729bac5163c9b76

Download Submit
C:\Windows\{9D817EE8-DD4C-4337-8CF7-745245CCC60B}.exe

Filesize
216KB

MD5
e8514b1708acae15a78547e0ce4f3156

SHA1
6eb794bc5281537deb96526fabe8a16f52d5eaf7

SHA256
7b5ec3a364e4f2ba37a3b6270ba74bceef2cecc96760aa55505440c85beffa87

SHA512
5eeb403c987485e4a4c6c943621144372dc47157d8de1444035326c656a23a96a7935df5e3861be2e51ff312bbec795a917be82594bfd2817729bac5163c9b76

Download Submit
C:\Windows\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe

Filesize
216KB

MD5
21746fe6344a31f228d60e42f9824e5d

SHA1
c5db19a26231e51d7ec113c1f6b3e444db241f79

SHA256
20333ab120f749feef7b5cb00f114315c83384207c5535729b95e4985dceb039

SHA512
e4c630dfdfd6977e4172a624c37ccec60e96b3b5ffac87cfb8bf4649ca321abf171d614cd1ca9ec26349871f9e0f2bdc090f560316f63fb979eced952ee05d6c

Download Submit
C:\Windows\{9DF9578E-235B-4b35-992C-C44BAA0C9A89}.exe

Filesize
216KB

MD5
21746fe6344a31f228d60e42f9824e5d

SHA1
c5db19a26231e51d7ec113c1f6b3e444db241f79

SHA256
20333ab120f749feef7b5cb00f114315c83384207c5535729b95e4985dceb039

SHA512
e4c630dfdfd6977e4172a624c37ccec60e96b3b5ffac87cfb8bf4649ca321abf171d614cd1ca9ec26349871f9e0f2bdc090f560316f63fb979eced952ee05d6c

Download Submit
C:\Windows\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe

Filesize
216KB

MD5
8e3e1d236f95218ec391f4fd449c1c77

SHA1
58e5e1de166a0f1cfda9522e37c55d1787cfb202

SHA256
71237b8f56dc0e4393ac8c2e68add6d56330310cca2299dfcad92b6bd8d5e802

SHA512
b35c3e5715847e897e1edc261ca5efc6131f15c5997559b5703b5d3084163de282155efce9aada6cb889440aecc6217c7a35f004a0dc3b6c1b8664a57c93095a

Download Submit
C:\Windows\{B6FF9556-5D21-4eb5-A696-76C44A952CC0}.exe

Filesize
216KB

MD5
8e3e1d236f95218ec391f4fd449c1c77

SHA1
58e5e1de166a0f1cfda9522e37c55d1787cfb202

SHA256
71237b8f56dc0e4393ac8c2e68add6d56330310cca2299dfcad92b6bd8d5e802

SHA512
b35c3e5715847e897e1edc261ca5efc6131f15c5997559b5703b5d3084163de282155efce9aada6cb889440aecc6217c7a35f004a0dc3b6c1b8664a57c93095a

Download Submit
C:\Windows\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe

Filesize
216KB

MD5
8df4dce66b4ff9bc956a1606acf2dd33

SHA1
04df937b4455eaa3a89b3450ee0cbd4f96692a21

SHA256
45662726f8d4bd16c50d8ad4a12fe1113129dc85b6dfa80ca60ab56bc7603717

SHA512
5487eda46df1ae05562bb12f0e162644c40f66dafc02003e533cc246cde8e21904a9f01d72d8493f1fc3dc882ba5cc76f257064103697354e1ed91a185d2318f

Download Submit
C:\Windows\{ED95FCC3-DB79-41a2-A218-4CEBC5B3E34A}.exe

Filesize
216KB

MD5
8df4dce66b4ff9bc956a1606acf2dd33

SHA1
04df937b4455eaa3a89b3450ee0cbd4f96692a21

SHA256
45662726f8d4bd16c50d8ad4a12fe1113129dc85b6dfa80ca60ab56bc7603717

SHA512
5487eda46df1ae05562bb12f0e162644c40f66dafc02003e533cc246cde8e21904a9f01d72d8493f1fc3dc882ba5cc76f257064103697354e1ed91a185d2318f

Download Submit
C:\Windows\{F91DA79F-AA3F-491a-AD28-AEE28707A0FC}.exe

Filesize
216KB

MD5
2995a7946034867d41b89153bc018a7b

SHA1
a29b6fd44f50bb324e2b6e953c93b47d6b0bd7c0

SHA256
7a2dc7e8ae7e90a31a59d6d3f4a5f226dd14fd04569f97742c4881dc518698c6

SHA512
4282e2d772c0aa4494e5a72abb553e283b6410135a4936e2d3393af57919a2ea16b060735110c06426d2f09a4c30b3f4832cd62399fa485a38e95ca512ddfb1a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads