70e63d8bf18ea2b4e6d2b570afab399f04c87d62596e81bc6c555dd044b2034b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Size

216KB
MD5

e1adc912447b616b8e6b5e08d242d82a
SHA1

a4e69b9d6a1e93b3c88178f9dc84556f25848dde
SHA256

70e63d8bf18ea2b4e6d2b570afab399f04c87d62596e81bc6c555dd044b2034b
SHA512

6c425ebbaea20e23b8177d61d387a3dbf1eb7bef339968f8d8bdd54d6766348f0fa6ed877d7f6d3cffffeeea42a49115d1d74b56cb1592e5e2c57d3b2f10a982
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGNlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}\stubpath = "C:\\Windows\\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe"	{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77360BC-D130-4687-A914-B5C83A6BC508}\stubpath = "C:\\Windows\\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe"	{CF60BCC9-331A-4afb-A31A-335152867828}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7339222A-CEFD-4a96-A356-CB23B46BD19D}	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBD444B0-5B56-4e87-8812-CA3695577BB4}\stubpath = "C:\\Windows\\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe"	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}	{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{676E9919-9C28-496a-AC85-7DAA60EDA047}\stubpath = "C:\\Windows\\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe"	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}\stubpath = "C:\\Windows\\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe"	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}	{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBD444B0-5B56-4e87-8812-CA3695577BB4}	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}\stubpath = "C:\\Windows\\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe"	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{676E9919-9C28-496a-AC85-7DAA60EDA047}	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF60BCC9-331A-4afb-A31A-335152867828}	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF60BCC9-331A-4afb-A31A-335152867828}\stubpath = "C:\\Windows\\{CF60BCC9-331A-4afb-A31A-335152867828}.exe"	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}	{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B77360BC-D130-4687-A914-B5C83A6BC508}	{CF60BCC9-331A-4afb-A31A-335152867828}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7339222A-CEFD-4a96-A356-CB23B46BD19D}\stubpath = "C:\\Windows\\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe"	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}\stubpath = "C:\\Windows\\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe"	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}\stubpath = "C:\\Windows\\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe"	{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}\stubpath = "C:\\Windows\\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe"	{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe
2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
1096	{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
2276	{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe
2908	{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
3056	{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
File created	C:\Windows\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
File created	C:\Windows\{CF60BCC9-331A-4afb-A31A-335152867828}.exe	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
File created	C:\Windows\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
File created	C:\Windows\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
File created	C:\Windows\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
File created	C:\Windows\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe	{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
File created	C:\Windows\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe	{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
File created	C:\Windows\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	{CF60BCC9-331A-4afb-A31A-335152867828}.exe
File created	C:\Windows\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
File created	C:\Windows\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe	{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
Token: SeIncBasePriorityPrivilege	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
Token: SeIncBasePriorityPrivilege	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe
Token: SeIncBasePriorityPrivilege	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
Token: SeIncBasePriorityPrivilege	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
Token: SeIncBasePriorityPrivilege	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
Token: SeIncBasePriorityPrivilege	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
Token: SeIncBasePriorityPrivilege	1096	{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
Token: SeIncBasePriorityPrivilege	2276	{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe
Token: SeIncBasePriorityPrivilege	2908	{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2508	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	28
PID 1256 wrote to memory of 2508	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	28
PID 1256 wrote to memory of 2508	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	28
PID 1256 wrote to memory of 2508	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	28
PID 1256 wrote to memory of 2960	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	29
PID 1256 wrote to memory of 2960	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	29
PID 1256 wrote to memory of 2960	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	29
PID 1256 wrote to memory of 2960	1256	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	29
PID 2508 wrote to memory of 2160	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	33
PID 2508 wrote to memory of 2160	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	33
PID 2508 wrote to memory of 2160	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	33
PID 2508 wrote to memory of 2160	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	33
PID 2508 wrote to memory of 2236	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	32
PID 2508 wrote to memory of 2236	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	32
PID 2508 wrote to memory of 2236	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	32
PID 2508 wrote to memory of 2236	2508	{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe	32
PID 2160 wrote to memory of 2860	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	34
PID 2160 wrote to memory of 2860	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	34
PID 2160 wrote to memory of 2860	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	34
PID 2160 wrote to memory of 2860	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	34
PID 2160 wrote to memory of 848	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	35
PID 2160 wrote to memory of 848	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	35
PID 2160 wrote to memory of 848	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	35
PID 2160 wrote to memory of 848	2160	{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe	35
PID 2860 wrote to memory of 2716	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	36
PID 2860 wrote to memory of 2716	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	36
PID 2860 wrote to memory of 2716	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	36
PID 2860 wrote to memory of 2716	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	36
PID 2860 wrote to memory of 2776	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	37
PID 2860 wrote to memory of 2776	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	37
PID 2860 wrote to memory of 2776	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	37
PID 2860 wrote to memory of 2776	2860	{CF60BCC9-331A-4afb-A31A-335152867828}.exe	37
PID 2716 wrote to memory of 2468	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	38
PID 2716 wrote to memory of 2468	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	38
PID 2716 wrote to memory of 2468	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	38
PID 2716 wrote to memory of 2468	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	38
PID 2716 wrote to memory of 2060	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	39
PID 2716 wrote to memory of 2060	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	39
PID 2716 wrote to memory of 2060	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	39
PID 2716 wrote to memory of 2060	2716	{B77360BC-D130-4687-A914-B5C83A6BC508}.exe	39
PID 2468 wrote to memory of 396	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	40
PID 2468 wrote to memory of 396	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	40
PID 2468 wrote to memory of 396	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	40
PID 2468 wrote to memory of 396	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	40
PID 2468 wrote to memory of 296	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	41
PID 2468 wrote to memory of 296	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	41
PID 2468 wrote to memory of 296	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	41
PID 2468 wrote to memory of 296	2468	{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe	41
PID 396 wrote to memory of 628	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	42
PID 396 wrote to memory of 628	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	42
PID 396 wrote to memory of 628	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	42
PID 396 wrote to memory of 628	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	42
PID 396 wrote to memory of 740	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	43
PID 396 wrote to memory of 740	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	43
PID 396 wrote to memory of 740	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	43
PID 396 wrote to memory of 740	396	{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe	43
PID 628 wrote to memory of 1096	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	44
PID 628 wrote to memory of 1096	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	44
PID 628 wrote to memory of 1096	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	44
PID 628 wrote to memory of 1096	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	44
PID 628 wrote to memory of 3060	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	45
PID 628 wrote to memory of 3060	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	45
PID 628 wrote to memory of 3060	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	45
PID 628 wrote to memory of 3060	628	{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe	45

C:\Users\Admin\AppData\Local\Temp\e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
  C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3FE~1.EXE > nul
    3⤵
    PID:2236
- - C:\Windows\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
    C:\Windows\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\{CF60BCC9-331A-4afb-A31A-335152867828}.exe
      C:\Windows\{CF60BCC9-331A-4afb-A31A-335152867828}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
        
        C:\Windows\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
        
        C:\Windows\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
        
        C:\Windows\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
        
        C:\Windows\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
        
        C:\Windows\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe
        
        C:\Windows\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7742~1.EXE > nul
        11⤵
        
        PID:300
        
        C:\Windows\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
        
        C:\Windows\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe
        
        C:\Windows\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A94DB~1.EXE > nul
        12⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBD44~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0BB~1.EXE > nul
        9⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE726~1.EXE > nul
        8⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73392~1.EXE > nul
        7⤵
        
        PID:296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7736~1.EXE > nul
        6⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF60B~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{676E9~1.EXE > nul
      4⤵
      PID:848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E1ADC9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe

Filesize
216KB

MD5
05a190b3b814cd13ab8ab471db70d6dc

SHA1
0a78270afe507edc76132a4bdfd219376f8dfb34

SHA256
1c4847960d8cc907a8d1daa5437d224cb7f20d6b6f7470b9f7b42203991110b3

SHA512
56d54f1eb67dc22e244d80750111825f1b43c0914e87fc51e0794d3df968b857a972bd83a9e5dc7aa190a324118f4c61830b17b6dec4bda1fcf230e7cdbb0f8b

Download Submit
C:\Windows\{676E9919-9C28-496a-AC85-7DAA60EDA047}.exe

Filesize
216KB

MD5
05a190b3b814cd13ab8ab471db70d6dc

SHA1
0a78270afe507edc76132a4bdfd219376f8dfb34

SHA256
1c4847960d8cc907a8d1daa5437d224cb7f20d6b6f7470b9f7b42203991110b3

SHA512
56d54f1eb67dc22e244d80750111825f1b43c0914e87fc51e0794d3df968b857a972bd83a9e5dc7aa190a324118f4c61830b17b6dec4bda1fcf230e7cdbb0f8b

Download Submit
C:\Windows\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe

Filesize
216KB

MD5
5d0326cad32815aa8ed7a0c5dc391677

SHA1
7820bcd8505a14db24da168f4af99d9e6aba2adc

SHA256
bed4505fbf3ef9442a6cbf0593b33151f4b860a20832d9827dc1d7a106259459

SHA512
8b2ba17668263bb5a47ca60ae4e90e55f0ce4397bf2ada5f5edd2fb2742f842502d6dc9fb336585bb6cb626fda53f5f6ce708313c7ac7a97d3a61072a35c5e66

Download Submit
C:\Windows\{7339222A-CEFD-4a96-A356-CB23B46BD19D}.exe

Filesize
216KB

MD5
5d0326cad32815aa8ed7a0c5dc391677

SHA1
7820bcd8505a14db24da168f4af99d9e6aba2adc

SHA256
bed4505fbf3ef9442a6cbf0593b33151f4b860a20832d9827dc1d7a106259459

SHA512
8b2ba17668263bb5a47ca60ae4e90e55f0ce4397bf2ada5f5edd2fb2742f842502d6dc9fb336585bb6cb626fda53f5f6ce708313c7ac7a97d3a61072a35c5e66

Download Submit
C:\Windows\{8F8FCEA3-AAFB-46ba-94FB-93CE688A45FD}.exe

Filesize
216KB

MD5
94d8528c1b425151349925b1fad99092

SHA1
f2c9ec0e3bb66aa2f03104ed68539a457b5c26ac

SHA256
cfa8af376a92ac7b1ab3c9ac3fd16a40ab825924dda83c0cdb713e123b24f83d

SHA512
f8737653601db0999529d9a8357fb767fd28ed0bfe4062153c5e1a9de786ce2259f27856f34964da854162bf21c25ed50e9321498c57253f54032953866a826b

Download Submit
C:\Windows\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe

Filesize
216KB

MD5
1bad0bdefabb3119a86af9441b1c7ffe

SHA1
f2bd015268b58105ae97727e192bf8b6da7538e0

SHA256
e416854cd8fb42eccf362b9d2ea57243a8d3cc9ca6c4294f110461b2770a47e5

SHA512
1ad7c3fb1d2dc6e35b9abb57205ee1babbfa40571f8ed7191baadd95f132a095509901952744aed659e9ddb6b942746281a35b6d946220be8c8b708445cd8df6

Download Submit
C:\Windows\{A7742F7F-6B4D-4864-BC1E-8518F76C13AA}.exe

Filesize
216KB

MD5
1bad0bdefabb3119a86af9441b1c7ffe

SHA1
f2bd015268b58105ae97727e192bf8b6da7538e0

SHA256
e416854cd8fb42eccf362b9d2ea57243a8d3cc9ca6c4294f110461b2770a47e5

SHA512
1ad7c3fb1d2dc6e35b9abb57205ee1babbfa40571f8ed7191baadd95f132a095509901952744aed659e9ddb6b942746281a35b6d946220be8c8b708445cd8df6

Download Submit
C:\Windows\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe

Filesize
216KB

MD5
6259e918feb2e0f3b141f2c8f13f2796

SHA1
2ffd2c39b1a4eebca109c7171a381990ad33c0a1

SHA256
bbabf314bad00584e4128f12d0bb81bbb62dd7aa3ebf90c4e61d89bd4abbb8f5

SHA512
5e0c2fc2348d4f37528cfce0f0c00a4eb0706b6e06d4e5f8e4960097401315d6ff3e0c0e4494417a6ed0e580f793d0d4da097e355c78a5354a6d6f7f20aaa884

Download Submit
C:\Windows\{A94DB3A6-1400-43ff-B6D6-AF407268ACC1}.exe

Filesize
216KB

MD5
6259e918feb2e0f3b141f2c8f13f2796

SHA1
2ffd2c39b1a4eebca109c7171a381990ad33c0a1

SHA256
bbabf314bad00584e4128f12d0bb81bbb62dd7aa3ebf90c4e61d89bd4abbb8f5

SHA512
5e0c2fc2348d4f37528cfce0f0c00a4eb0706b6e06d4e5f8e4960097401315d6ff3e0c0e4494417a6ed0e580f793d0d4da097e355c78a5354a6d6f7f20aaa884

Download Submit
C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe

Filesize
216KB

MD5
d0bfc9f6fba6515e4b079f67b5dafa02

SHA1
d1614956a8722de7277ae6476ea4fcaea4a7935d

SHA256
8817c994aeededc500636e84d247a4014472baa5f5e2e813e50c7da2113f0d07

SHA512
7b2d83da0ba2ed8f58168498d806f90f084e734cb416d2c6ba51437862b3286842d87457c3a995ba22c16050bc4bfa806f8ae0e30e91690bfc28cd03d5dc3503

Download Submit
C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe

Filesize
216KB

MD5
d0bfc9f6fba6515e4b079f67b5dafa02

SHA1
d1614956a8722de7277ae6476ea4fcaea4a7935d

SHA256
8817c994aeededc500636e84d247a4014472baa5f5e2e813e50c7da2113f0d07

SHA512
7b2d83da0ba2ed8f58168498d806f90f084e734cb416d2c6ba51437862b3286842d87457c3a995ba22c16050bc4bfa806f8ae0e30e91690bfc28cd03d5dc3503

Download Submit
C:\Windows\{AB3FE2F3-A3E3-4fc5-9AEB-D19A04BB685C}.exe

Filesize
216KB

MD5
d0bfc9f6fba6515e4b079f67b5dafa02

SHA1
d1614956a8722de7277ae6476ea4fcaea4a7935d

SHA256
8817c994aeededc500636e84d247a4014472baa5f5e2e813e50c7da2113f0d07

SHA512
7b2d83da0ba2ed8f58168498d806f90f084e734cb416d2c6ba51437862b3286842d87457c3a995ba22c16050bc4bfa806f8ae0e30e91690bfc28cd03d5dc3503

Download Submit
C:\Windows\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe

Filesize
216KB

MD5
f31f11a03b7a848b147c68ce66bc899c

SHA1
a6a73254d20b5f940e9ba1856dd1801eb1a912a4

SHA256
bec85e91e5c76d1671aa35232e141e771621e7d31fb7b7c811e03645a1e7ce15

SHA512
38ee200de05dedbebc4760c5d716ea7b45657274ba0c45f1540247901085c7ca13ac43ac431e4e43bbcf6e82677fbc918feec7a227b634df97787f718d917ada

Download Submit
C:\Windows\{B77360BC-D130-4687-A914-B5C83A6BC508}.exe

Filesize
216KB

MD5
f31f11a03b7a848b147c68ce66bc899c

SHA1
a6a73254d20b5f940e9ba1856dd1801eb1a912a4

SHA256
bec85e91e5c76d1671aa35232e141e771621e7d31fb7b7c811e03645a1e7ce15

SHA512
38ee200de05dedbebc4760c5d716ea7b45657274ba0c45f1540247901085c7ca13ac43ac431e4e43bbcf6e82677fbc918feec7a227b634df97787f718d917ada

Download Submit
C:\Windows\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe

Filesize
216KB

MD5
070489e1dfa2db0ede14d21d4860bb3a

SHA1
8d50fc3720aaf96bac89eb1f04bb14dd4675ec3a

SHA256
6119730198a5af9098e407eb14efd06d4b470a5b2a219513828d43f973fff6de

SHA512
4ac135ada48ead22a8939689993eb1f99c8e40d6782cf7c61014e16f166cf40ab07eb1e9a9da6c1fd8dfb879c0c3615a59a6c73a1415ecf616c8327d34baac78

Download Submit
C:\Windows\{BB0BB318-FC34-4f0c-91F9-818A78C5188A}.exe

Filesize
216KB

MD5
070489e1dfa2db0ede14d21d4860bb3a

SHA1
8d50fc3720aaf96bac89eb1f04bb14dd4675ec3a

SHA256
6119730198a5af9098e407eb14efd06d4b470a5b2a219513828d43f973fff6de

SHA512
4ac135ada48ead22a8939689993eb1f99c8e40d6782cf7c61014e16f166cf40ab07eb1e9a9da6c1fd8dfb879c0c3615a59a6c73a1415ecf616c8327d34baac78

Download Submit
C:\Windows\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe

Filesize
216KB

MD5
1c2d0a687aa9ed05605d50e136dc3c0e

SHA1
54ed390c9ba558aa873731838bbe318b94dbc104

SHA256
97f80413cc3031e2aa20aa2a022af9fa007878c2c5d90e31eb96da147145f034

SHA512
6fdbcc185aff08e535e3598c23bc238a2f0670ab2f2e7bd171d1896064efacd2d1bbc6643aea959867ce874ae046ed08c6bc1e90756e186e3d7be11fbed42f64

Download Submit
C:\Windows\{BBD444B0-5B56-4e87-8812-CA3695577BB4}.exe

Filesize
216KB

MD5
1c2d0a687aa9ed05605d50e136dc3c0e

SHA1
54ed390c9ba558aa873731838bbe318b94dbc104

SHA256
97f80413cc3031e2aa20aa2a022af9fa007878c2c5d90e31eb96da147145f034

SHA512
6fdbcc185aff08e535e3598c23bc238a2f0670ab2f2e7bd171d1896064efacd2d1bbc6643aea959867ce874ae046ed08c6bc1e90756e186e3d7be11fbed42f64

Download Submit
C:\Windows\{CF60BCC9-331A-4afb-A31A-335152867828}.exe

Filesize
216KB

MD5
0d29c9ae42c20c4c49dbd59921371f36

SHA1
c3fdd36999c6e8371bfb74bda34ee2af5eb75929

SHA256
5004b9d532612547f189ca000330b5c727338a1384a53d4bd7ce71aec8186287

SHA512
2fee080d7d9818a8f1dcfb79ab17313e6624762dd7bc5dd7d35069cfab36ed65a65ad006b61aee423e09c95e8aed602e307aecae11836b9510bbecdb6aa623aa

Download Submit
C:\Windows\{CF60BCC9-331A-4afb-A31A-335152867828}.exe

Filesize
216KB

MD5
0d29c9ae42c20c4c49dbd59921371f36

SHA1
c3fdd36999c6e8371bfb74bda34ee2af5eb75929

SHA256
5004b9d532612547f189ca000330b5c727338a1384a53d4bd7ce71aec8186287

SHA512
2fee080d7d9818a8f1dcfb79ab17313e6624762dd7bc5dd7d35069cfab36ed65a65ad006b61aee423e09c95e8aed602e307aecae11836b9510bbecdb6aa623aa

Download Submit
C:\Windows\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe

Filesize
216KB

MD5
c0086fe61e55741b79a3779e1a9d1a1b

SHA1
4c64d4330036d8c4de432ee9c7d21a89300cee05

SHA256
393ddd3908c2be0ed15673d58876fa7e37f05c892619c3c84c939440aab48062

SHA512
de532e1a12b4f1f28ed4aea55f9f9289bc829959f596dcc5a60fa92749147af63d9fd367dcdf1ad5f25710b50e424d2ba87c491a0738234272f23c449bcc0fff

Download Submit
C:\Windows\{DE7262D5-54FE-409c-AE8C-36A0FADB3ADC}.exe

Filesize
216KB

MD5
c0086fe61e55741b79a3779e1a9d1a1b

SHA1
4c64d4330036d8c4de432ee9c7d21a89300cee05

SHA256
393ddd3908c2be0ed15673d58876fa7e37f05c892619c3c84c939440aab48062

SHA512
de532e1a12b4f1f28ed4aea55f9f9289bc829959f596dcc5a60fa92749147af63d9fd367dcdf1ad5f25710b50e424d2ba87c491a0738234272f23c449bcc0fff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads