6a63262fd79bde1378c47addf0f2b914c433fa34faa790b91f472de4d830ebbf

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Size

216KB
MD5

034092f2028e5bc59a7c124adab9dbc3
SHA1

dd5b9f5f7b97a2f3b7923f64e4f52f0f5c367442
SHA256

6a63262fd79bde1378c47addf0f2b914c433fa34faa790b91f472de4d830ebbf
SHA512

0cb2cde859dc12e0786dccdc3ffe8b8579d0a99e4470c636868f669f52560ce0e80be9ceae56438b948da8a0ed535c47ef075db3c6dc625156da352cd510e707
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}\stubpath = "C:\\Windows\\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe"	{74AD8024-F117-4705-965E-2194983CD293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}\stubpath = "C:\\Windows\\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe"	{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BBFD9B-D182-489c-A555-5A0AD1428604}\stubpath = "C:\\Windows\\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe"	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}\stubpath = "C:\\Windows\\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe"	{28E07799-E683-41b6-90B2-408D72946FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AD8024-F117-4705-965E-2194983CD293}	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}\stubpath = "C:\\Windows\\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe"	{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}\stubpath = "C:\\Windows\\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe"	{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BBFD9B-D182-489c-A555-5A0AD1428604}	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0082969-E57A-4c6c-9AC8-83E600E30407}	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0082969-E57A-4c6c-9AC8-83E600E30407}\stubpath = "C:\\Windows\\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe"	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103D6C8F-8EA5-4029-9021-92F29410B8FD}\stubpath = "C:\\Windows\\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe"	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}	{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}	{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}\stubpath = "C:\\Windows\\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe"	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{103D6C8F-8EA5-4029-9021-92F29410B8FD}	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AD8024-F117-4705-965E-2194983CD293}\stubpath = "C:\\Windows\\{74AD8024-F117-4705-965E-2194983CD293}.exe"	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}	{74AD8024-F117-4705-965E-2194983CD293}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}	{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E07799-E683-41b6-90B2-408D72946FE1}	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E07799-E683-41b6-90B2-408D72946FE1}\stubpath = "C:\\Windows\\{28E07799-E683-41b6-90B2-408D72946FE1}.exe"	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}	{28E07799-E683-41b6-90B2-408D72946FE1}.exe

Deletes itself 1 IoCs

pid	Process
1088	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe
2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
2632	{74AD8024-F117-4705-965E-2194983CD293}.exe
2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
1476	{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
1720	{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
2996	{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
1816	{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	{28E07799-E683-41b6-90B2-408D72946FE1}.exe
File created	C:\Windows\{74AD8024-F117-4705-965E-2194983CD293}.exe	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
File created	C:\Windows\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
File created	C:\Windows\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
File created	C:\Windows\{28E07799-E683-41b6-90B2-408D72946FE1}.exe	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
File created	C:\Windows\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe	{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
File created	C:\Windows\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe	{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
File created	C:\Windows\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe	{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
File created	C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
File created	C:\Windows\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	{74AD8024-F117-4705-965E-2194983CD293}.exe
File created	C:\Windows\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
Token: SeIncBasePriorityPrivilege	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
Token: SeIncBasePriorityPrivilege	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
Token: SeIncBasePriorityPrivilege	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe
Token: SeIncBasePriorityPrivilege	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
Token: SeIncBasePriorityPrivilege	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe
Token: SeIncBasePriorityPrivilege	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
Token: SeIncBasePriorityPrivilege	1476	{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
Token: SeIncBasePriorityPrivilege	1720	{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
Token: SeIncBasePriorityPrivilege	2996	{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2580	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2580	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2580	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2580	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	28
PID 1712 wrote to memory of 1088	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	29
PID 1712 wrote to memory of 1088	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	29
PID 1712 wrote to memory of 1088	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	29
PID 1712 wrote to memory of 1088	1712	034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe	29
PID 2580 wrote to memory of 2128	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	33
PID 2580 wrote to memory of 2128	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	33
PID 2580 wrote to memory of 2128	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	33
PID 2580 wrote to memory of 2128	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	33
PID 2580 wrote to memory of 2960	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	32
PID 2580 wrote to memory of 2960	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	32
PID 2580 wrote to memory of 2960	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	32
PID 2580 wrote to memory of 2960	2580	{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe	32
PID 2128 wrote to memory of 2992	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	34
PID 2128 wrote to memory of 2992	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	34
PID 2128 wrote to memory of 2992	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	34
PID 2128 wrote to memory of 2992	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	34
PID 2128 wrote to memory of 2112	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	35
PID 2128 wrote to memory of 2112	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	35
PID 2128 wrote to memory of 2112	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	35
PID 2128 wrote to memory of 2112	2128	{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe	35
PID 2992 wrote to memory of 2292	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	36
PID 2992 wrote to memory of 2292	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	36
PID 2992 wrote to memory of 2292	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	36
PID 2992 wrote to memory of 2292	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	36
PID 2992 wrote to memory of 2868	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	37
PID 2992 wrote to memory of 2868	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	37
PID 2992 wrote to memory of 2868	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	37
PID 2992 wrote to memory of 2868	2992	{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe	37
PID 2292 wrote to memory of 2704	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	39
PID 2292 wrote to memory of 2704	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	39
PID 2292 wrote to memory of 2704	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	39
PID 2292 wrote to memory of 2704	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	39
PID 2292 wrote to memory of 2736	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	38
PID 2292 wrote to memory of 2736	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	38
PID 2292 wrote to memory of 2736	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	38
PID 2292 wrote to memory of 2736	2292	{28E07799-E683-41b6-90B2-408D72946FE1}.exe	38
PID 2704 wrote to memory of 2632	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	40
PID 2704 wrote to memory of 2632	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	40
PID 2704 wrote to memory of 2632	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	40
PID 2704 wrote to memory of 2632	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	40
PID 2704 wrote to memory of 2748	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	41
PID 2704 wrote to memory of 2748	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	41
PID 2704 wrote to memory of 2748	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	41
PID 2704 wrote to memory of 2748	2704	{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe	41
PID 2632 wrote to memory of 2260	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	43
PID 2632 wrote to memory of 2260	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	43
PID 2632 wrote to memory of 2260	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	43
PID 2632 wrote to memory of 2260	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	43
PID 2632 wrote to memory of 472	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	42
PID 2632 wrote to memory of 472	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	42
PID 2632 wrote to memory of 472	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	42
PID 2632 wrote to memory of 472	2632	{74AD8024-F117-4705-965E-2194983CD293}.exe	42
PID 2260 wrote to memory of 1476	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	45
PID 2260 wrote to memory of 1476	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	45
PID 2260 wrote to memory of 1476	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	45
PID 2260 wrote to memory of 1476	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	45
PID 2260 wrote to memory of 636	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	44
PID 2260 wrote to memory of 636	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	44
PID 2260 wrote to memory of 636	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	44
PID 2260 wrote to memory of 636	2260	{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe	44

C:\Users\Admin\AppData\Local\Temp\034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\034092f2028e5bc59a7c124adab9dbc3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
  C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F086~1.EXE > nul
    3⤵
    PID:2960
- - C:\Windows\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
    C:\Windows\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
      C:\Windows\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\{28E07799-E683-41b6-90B2-408D72946FE1}.exe
        
        C:\Windows\{28E07799-E683-41b6-90B2-408D72946FE1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28E07~1.EXE > nul
        6⤵
        
        PID:2736
      - C:\Windows\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
        
        C:\Windows\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{74AD8024-F117-4705-965E-2194983CD293}.exe
        
        C:\Windows\{74AD8024-F117-4705-965E-2194983CD293}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74AD8~1.EXE > nul
        8⤵
        
        PID:472
        
        C:\Windows\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
        
        C:\Windows\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A455~1.EXE > nul
        9⤵
        
        PID:636
        
        C:\Windows\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
        
        C:\Windows\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
        
        C:\Windows\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33E47~1.EXE > nul
        11⤵
        
        PID:3012
        
        C:\Windows\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
        
        C:\Windows\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe
        
        C:\Windows\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97919~1.EXE > nul
        12⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0082~1.EXE > nul
        10⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04E77~1.EXE > nul
        7⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7BBF~1.EXE > nul
        5⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{103D6~1.EXE > nul
      4⤵
      PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\034092~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe

Filesize
216KB

MD5
4aaa318d929627cfa6938fdf9d0b86e0

SHA1
5943f7a55ef56d541221c5dbd3b2a263b8703d57

SHA256
d3c499b0f37c31f73607b0208d4ef1e4bae2182789f533eaed564ee992c43033

SHA512
05a5c42748e5080a26993271fffcda290ae7ecd3f9cb375e5ea8b306901ab89864dfb1e8a8ee2688d6382e1da4bf7aef5f9e7b460bb24466e8a91ba2e81b65ad

Download Submit
C:\Windows\{04E77F90-74DE-4afe-88E1-3A6DE2D9D10B}.exe

Filesize
216KB

MD5
4aaa318d929627cfa6938fdf9d0b86e0

SHA1
5943f7a55ef56d541221c5dbd3b2a263b8703d57

SHA256
d3c499b0f37c31f73607b0208d4ef1e4bae2182789f533eaed564ee992c43033

SHA512
05a5c42748e5080a26993271fffcda290ae7ecd3f9cb375e5ea8b306901ab89864dfb1e8a8ee2688d6382e1da4bf7aef5f9e7b460bb24466e8a91ba2e81b65ad

Download Submit
C:\Windows\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe

Filesize
216KB

MD5
c44e26809ad4d7741fd36a153db128bc

SHA1
59676a2a3ef67047e81b5c1cd50b24ece85a67d5

SHA256
bc6d79175da69a6e80a062f239bf6aab6d87cac172cce83d0368a77c319ec4a9

SHA512
8c1c528c51eea4fd9683fc2f47d6f37223a2749d4ca98ea97b96e1ec0231dbf147b94f4bfe7fad9a621ae1e70a1864da67ae02315706a16138cfe7149e87ee08

Download Submit
C:\Windows\{103D6C8F-8EA5-4029-9021-92F29410B8FD}.exe

Filesize
216KB

MD5
c44e26809ad4d7741fd36a153db128bc

SHA1
59676a2a3ef67047e81b5c1cd50b24ece85a67d5

SHA256
bc6d79175da69a6e80a062f239bf6aab6d87cac172cce83d0368a77c319ec4a9

SHA512
8c1c528c51eea4fd9683fc2f47d6f37223a2749d4ca98ea97b96e1ec0231dbf147b94f4bfe7fad9a621ae1e70a1864da67ae02315706a16138cfe7149e87ee08

Download Submit
C:\Windows\{28E07799-E683-41b6-90B2-408D72946FE1}.exe

Filesize
216KB

MD5
0a389841bf1c27eda082fdff7efc7a2e

SHA1
4828dacf1e2f6001153d10423fb8d3191ff88ab0

SHA256
f1f6a9b74639da280e87c78dce956187379e1d89913ecf4c4b85d07db21790af

SHA512
1768023edcf5c67789ac911d5b4a17628172abc0b4c6e729883b140ae481130f53c06f14fc6dd7e64ecc6a19eb81032f89e6b3ea5e1b5d30440060951f88c9fa

Download Submit
C:\Windows\{28E07799-E683-41b6-90B2-408D72946FE1}.exe

Filesize
216KB

MD5
0a389841bf1c27eda082fdff7efc7a2e

SHA1
4828dacf1e2f6001153d10423fb8d3191ff88ab0

SHA256
f1f6a9b74639da280e87c78dce956187379e1d89913ecf4c4b85d07db21790af

SHA512
1768023edcf5c67789ac911d5b4a17628172abc0b4c6e729883b140ae481130f53c06f14fc6dd7e64ecc6a19eb81032f89e6b3ea5e1b5d30440060951f88c9fa

Download Submit
C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe

Filesize
216KB

MD5
4eebfbfcaac5b74bb923ae44a8713c87

SHA1
86ebb6c8fab74a64cbc25f9d1af806a0ccc86887

SHA256
2ebc6e0ea5a81e4853446a9529ce92aea2c82475eca08b1e144fa55c736f7740

SHA512
18aa55baa2465e60919d5b742efe844cc6aac5e360791dd98ca083babd5e6503ccd33a9ecf50d2cd9f92dc59f6f9f5842619d62b0a841b4c8ff87051779cd854

Download Submit
C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe

Filesize
216KB

MD5
4eebfbfcaac5b74bb923ae44a8713c87

SHA1
86ebb6c8fab74a64cbc25f9d1af806a0ccc86887

SHA256
2ebc6e0ea5a81e4853446a9529ce92aea2c82475eca08b1e144fa55c736f7740

SHA512
18aa55baa2465e60919d5b742efe844cc6aac5e360791dd98ca083babd5e6503ccd33a9ecf50d2cd9f92dc59f6f9f5842619d62b0a841b4c8ff87051779cd854

Download Submit
C:\Windows\{2F08669D-5C49-4d47-8598-2CAFFDE273F5}.exe

Filesize
216KB

MD5
4eebfbfcaac5b74bb923ae44a8713c87

SHA1
86ebb6c8fab74a64cbc25f9d1af806a0ccc86887

SHA256
2ebc6e0ea5a81e4853446a9529ce92aea2c82475eca08b1e144fa55c736f7740

SHA512
18aa55baa2465e60919d5b742efe844cc6aac5e360791dd98ca083babd5e6503ccd33a9ecf50d2cd9f92dc59f6f9f5842619d62b0a841b4c8ff87051779cd854

Download Submit
C:\Windows\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe

Filesize
216KB

MD5
d691dc8effbeaa06ca8a031be077417f

SHA1
0d5902b0dadedba3921a3d48115ce1d5e977bb1c

SHA256
557f44b49df31ad4391cd655c3ff5f1d7a8e2bf81091b408e59d5482c0ac39e8

SHA512
39faac325bfe7ebf9713a610b69233d2c1bc821fc9687c88511afaf9c3efc46fac33c7ba269debdb00a7b5085d95a8321f03827871639011cae09f93840b65cb

Download Submit
C:\Windows\{33E4752F-3AFB-45e8-BA2B-2CB6A5E7A890}.exe

Filesize
216KB

MD5
d691dc8effbeaa06ca8a031be077417f

SHA1
0d5902b0dadedba3921a3d48115ce1d5e977bb1c

SHA256
557f44b49df31ad4391cd655c3ff5f1d7a8e2bf81091b408e59d5482c0ac39e8

SHA512
39faac325bfe7ebf9713a610b69233d2c1bc821fc9687c88511afaf9c3efc46fac33c7ba269debdb00a7b5085d95a8321f03827871639011cae09f93840b65cb

Download Submit
C:\Windows\{74AD8024-F117-4705-965E-2194983CD293}.exe

Filesize
216KB

MD5
4b86eb5cee86d7b5252aa7e80df9819e

SHA1
da7d46bff3d65b3dfeaf5584a8507610a38696a2

SHA256
bc93c6d5bc24ba772228deb5d075bc4da71000e9c5d1b91caf37bd47d14dbf52

SHA512
9c152b5e3a6115f455e9fac213a01877ef9bf64f36a9647d541e73545e87da16a69f0efad4ed91dedc8ade1d44da50932d6320ef206882bd6aa2b7abbf957fe9

Download Submit
C:\Windows\{74AD8024-F117-4705-965E-2194983CD293}.exe

Filesize
216KB

MD5
4b86eb5cee86d7b5252aa7e80df9819e

SHA1
da7d46bff3d65b3dfeaf5584a8507610a38696a2

SHA256
bc93c6d5bc24ba772228deb5d075bc4da71000e9c5d1b91caf37bd47d14dbf52

SHA512
9c152b5e3a6115f455e9fac213a01877ef9bf64f36a9647d541e73545e87da16a69f0efad4ed91dedc8ade1d44da50932d6320ef206882bd6aa2b7abbf957fe9

Download Submit
C:\Windows\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe

Filesize
216KB

MD5
598e50e3b27849c500dbc728140e2bd0

SHA1
ed7507574683349b1ae6dc15541e534dd8d0e18b

SHA256
918ecc546ee7b61431e46e1e37c0fe9c8d9ca5cf280d4c9a3f3419d6dbd13675

SHA512
a617f563c70011e0ed4d5386b741ca63490911481736184c9c1763d986433183d73587fc199fb43fbc772c8b56135938958aa6392efbc6d3e3889f1c4b19e98a

Download Submit
C:\Windows\{7A455DB3-DE11-40ec-9075-244C7FDEB1C4}.exe

Filesize
216KB

MD5
598e50e3b27849c500dbc728140e2bd0

SHA1
ed7507574683349b1ae6dc15541e534dd8d0e18b

SHA256
918ecc546ee7b61431e46e1e37c0fe9c8d9ca5cf280d4c9a3f3419d6dbd13675

SHA512
a617f563c70011e0ed4d5386b741ca63490911481736184c9c1763d986433183d73587fc199fb43fbc772c8b56135938958aa6392efbc6d3e3889f1c4b19e98a

Download Submit
C:\Windows\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe

Filesize
216KB

MD5
56cf05ec076d3f52e5e935bdda9671ed

SHA1
a95ffbc4403a01a15fac0073bfe380b5d25b9ab1

SHA256
50e336d4af5fabf1b6b3f91c8236c1f7a7625159d5bd4ae86ba3fdebce52c5d5

SHA512
b2e78c6e889c7811d1f0b1ff0c8f8c66cd8881a752107e5f8112e1bc06ab0e1a552b35935f0388fd428ff853f518843f58d0fc856f17e132dead6ed078d34c43

Download Submit
C:\Windows\{9791931A-2F79-4c88-B5D7-78BD6FB25EAC}.exe

Filesize
216KB

MD5
56cf05ec076d3f52e5e935bdda9671ed

SHA1
a95ffbc4403a01a15fac0073bfe380b5d25b9ab1

SHA256
50e336d4af5fabf1b6b3f91c8236c1f7a7625159d5bd4ae86ba3fdebce52c5d5

SHA512
b2e78c6e889c7811d1f0b1ff0c8f8c66cd8881a752107e5f8112e1bc06ab0e1a552b35935f0388fd428ff853f518843f58d0fc856f17e132dead6ed078d34c43

Download Submit
C:\Windows\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe

Filesize
216KB

MD5
660b6af694659058a6222ca948cd0997

SHA1
325bcb14eac1a6e3e28c1ce0b6cb0f225bbac08c

SHA256
de575de5ad8cda936c270d558c97ec224d9ccf0d93bcaf08b0deb186a036d388

SHA512
c42db95d8aef2c4b6acd6cc7d9010a00949e845fb72879ef9fba82ba00f0ad01d382be9626b031131ef519b001ec8161b6decd2becd2bb59c0273657f138f334

Download Submit
C:\Windows\{B0082969-E57A-4c6c-9AC8-83E600E30407}.exe

Filesize
216KB

MD5
660b6af694659058a6222ca948cd0997

SHA1
325bcb14eac1a6e3e28c1ce0b6cb0f225bbac08c

SHA256
de575de5ad8cda936c270d558c97ec224d9ccf0d93bcaf08b0deb186a036d388

SHA512
c42db95d8aef2c4b6acd6cc7d9010a00949e845fb72879ef9fba82ba00f0ad01d382be9626b031131ef519b001ec8161b6decd2becd2bb59c0273657f138f334

Download Submit
C:\Windows\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe

Filesize
216KB

MD5
523dac824b694e73ea63cd465f8dbf58

SHA1
e95c0f4847baad17fda3e3f95afc85afbb9a601a

SHA256
136023eaa46841c8d4c0488f3396f35095b03510830c593eeb289498abec27af

SHA512
8f149a9aa3dfe74a7ecc3fce13a6e8c221ffbbff72ce30058c5e891eb8cd606188837f3c86c2ff0111026922c91a146028039906a635030e0670fb2db233ea71

Download Submit
C:\Windows\{B7BBFD9B-D182-489c-A555-5A0AD1428604}.exe

Filesize
216KB

MD5
523dac824b694e73ea63cd465f8dbf58

SHA1
e95c0f4847baad17fda3e3f95afc85afbb9a601a

SHA256
136023eaa46841c8d4c0488f3396f35095b03510830c593eeb289498abec27af

SHA512
8f149a9aa3dfe74a7ecc3fce13a6e8c221ffbbff72ce30058c5e891eb8cd606188837f3c86c2ff0111026922c91a146028039906a635030e0670fb2db233ea71

Download Submit
C:\Windows\{EC268ABB-9AB3-44f3-B090-F7337E1205AA}.exe

Filesize
216KB

MD5
1f254c4f679c984ef40bd0c60c77f526

SHA1
78477c16a4308d1e12f057b3575a384f8ca9668c

SHA256
bcda4185efb3d2c88299989d0c0639cc69c138931c7fc85512a985a5683f9102

SHA512
1d6f86907a442e41ea5725aa15eddd30099373b41d5b78bd95108e7f33cdc18a04e7902b532a7958ed00a48874b4d98e22ecc9e961bd36621342d4da850f77c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads