bf36452ea22ee166c887a4f98f58a86466d21fc732d7d5905a79e5cfc45ac471

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
Size

372KB
MD5

1c29ba78c9222ca1ff4b500adef7d91c
SHA1

7bcf8c0253f5d91751df3fb7cda93b7eb10c4e78
SHA256

bf36452ea22ee166c887a4f98f58a86466d21fc732d7d5905a79e5cfc45ac471
SHA512

420762a120408622aca280c27ea40c335b6411907c1d458074b860a0b84bee3e67fc14b418d575b2805ca597f1ae3e6c92b9d49a7bdfe66393e4c52670356012
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}\stubpath = "C:\\Windows\\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe"	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}\stubpath = "C:\\Windows\\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe"	{5A0A5751-B228-4275-8D14-07B79621422D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}\stubpath = "C:\\Windows\\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe"	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}\stubpath = "C:\\Windows\\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe"	{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C980766-7A16-43af-A123-649B4DDEA4E5}	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9733AF-B82F-41ec-AFA5-54466F53C689}\stubpath = "C:\\Windows\\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe"	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}	{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0588711F-9AD5-484a-B7F0-92A50467E934}	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0588711F-9AD5-484a-B7F0-92A50467E934}\stubpath = "C:\\Windows\\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe"	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C980766-7A16-43af-A123-649B4DDEA4E5}\stubpath = "C:\\Windows\\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe"	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9733AF-B82F-41ec-AFA5-54466F53C689}	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE272D16-31F0-49e9-8C05-B5B21450A59D}	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}\stubpath = "C:\\Windows\\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe"	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}\stubpath = "C:\\Windows\\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe"	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0A5751-B228-4275-8D14-07B79621422D}	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0A5751-B228-4275-8D14-07B79621422D}\stubpath = "C:\\Windows\\{5A0A5751-B228-4275-8D14-07B79621422D}.exe"	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}	{5A0A5751-B228-4275-8D14-07B79621422D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}\stubpath = "C:\\Windows\\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe"	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE272D16-31F0-49e9-8C05-B5B21450A59D}\stubpath = "C:\\Windows\\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe"	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe

Executes dropped EXE 12 IoCs

pid	Process
2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe
3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
4024	{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
4048	{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
File created	C:\Windows\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
File created	C:\Windows\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
File created	C:\Windows\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe	{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
File created	C:\Windows\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
File created	C:\Windows\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
File created	C:\Windows\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
File created	C:\Windows\{5A0A5751-B228-4275-8D14-07B79621422D}.exe	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
File created	C:\Windows\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	{5A0A5751-B228-4275-8D14-07B79621422D}.exe
File created	C:\Windows\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
File created	C:\Windows\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
File created	C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
Token: SeIncBasePriorityPrivilege	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
Token: SeIncBasePriorityPrivilege	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
Token: SeIncBasePriorityPrivilege	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
Token: SeIncBasePriorityPrivilege	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
Token: SeIncBasePriorityPrivilege	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
Token: SeIncBasePriorityPrivilege	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe
Token: SeIncBasePriorityPrivilege	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
Token: SeIncBasePriorityPrivilege	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
Token: SeIncBasePriorityPrivilege	1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
Token: SeIncBasePriorityPrivilege	4024	{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2172	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	89
PID 4752 wrote to memory of 2172	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	89
PID 4752 wrote to memory of 2172	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	89
PID 4752 wrote to memory of 4356	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	90
PID 4752 wrote to memory of 4356	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	90
PID 4752 wrote to memory of 4356	4752	1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe	90
PID 2172 wrote to memory of 1012	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	91
PID 2172 wrote to memory of 1012	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	91
PID 2172 wrote to memory of 1012	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	91
PID 2172 wrote to memory of 1972	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	92
PID 2172 wrote to memory of 1972	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	92
PID 2172 wrote to memory of 1972	2172	{0588711F-9AD5-484a-B7F0-92A50467E934}.exe	92
PID 1012 wrote to memory of 2024	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	94
PID 1012 wrote to memory of 2024	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	94
PID 1012 wrote to memory of 2024	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	94
PID 1012 wrote to memory of 2220	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	95
PID 1012 wrote to memory of 2220	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	95
PID 1012 wrote to memory of 2220	1012	{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe	95
PID 2024 wrote to memory of 1008	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	96
PID 2024 wrote to memory of 1008	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	96
PID 2024 wrote to memory of 1008	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	96
PID 2024 wrote to memory of 3936	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	97
PID 2024 wrote to memory of 3936	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	97
PID 2024 wrote to memory of 3936	2024	{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe	97
PID 1008 wrote to memory of 896	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	98
PID 1008 wrote to memory of 896	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	98
PID 1008 wrote to memory of 896	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	98
PID 1008 wrote to memory of 2508	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	99
PID 1008 wrote to memory of 2508	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	99
PID 1008 wrote to memory of 2508	1008	{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe	99
PID 896 wrote to memory of 1492	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	100
PID 896 wrote to memory of 1492	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	100
PID 896 wrote to memory of 1492	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	100
PID 896 wrote to memory of 2204	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	101
PID 896 wrote to memory of 2204	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	101
PID 896 wrote to memory of 2204	896	{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe	101
PID 1492 wrote to memory of 3976	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	102
PID 1492 wrote to memory of 3976	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	102
PID 1492 wrote to memory of 3976	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	102
PID 1492 wrote to memory of 4308	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	103
PID 1492 wrote to memory of 4308	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	103
PID 1492 wrote to memory of 4308	1492	{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe	103
PID 3976 wrote to memory of 3704	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	104
PID 3976 wrote to memory of 3704	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	104
PID 3976 wrote to memory of 3704	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	104
PID 3976 wrote to memory of 2312	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	105
PID 3976 wrote to memory of 2312	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	105
PID 3976 wrote to memory of 2312	3976	{5A0A5751-B228-4275-8D14-07B79621422D}.exe	105
PID 3704 wrote to memory of 4288	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	106
PID 3704 wrote to memory of 4288	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	106
PID 3704 wrote to memory of 4288	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	106
PID 3704 wrote to memory of 868	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	107
PID 3704 wrote to memory of 868	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	107
PID 3704 wrote to memory of 868	3704	{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe	107
PID 4288 wrote to memory of 1680	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	108
PID 4288 wrote to memory of 1680	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	108
PID 4288 wrote to memory of 1680	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	108
PID 4288 wrote to memory of 4656	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	109
PID 4288 wrote to memory of 4656	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	109
PID 4288 wrote to memory of 4656	4288	{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe	109
PID 1680 wrote to memory of 4024	1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe	110
PID 1680 wrote to memory of 4024	1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe	110
PID 1680 wrote to memory of 4024	1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe	110
PID 1680 wrote to memory of 1136	1680	{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe	111

C:\Users\Admin\AppData\Local\Temp\1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1c29ba78c9222ca1ff4b500adef7d91c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
  C:\Windows\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
    C:\Windows\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
      C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
        
        C:\Windows\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
        
        C:\Windows\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
        
        C:\Windows\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{5A0A5751-B228-4275-8D14-07B79621422D}.exe
        
        C:\Windows\{5A0A5751-B228-4275-8D14-07B79621422D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
        
        C:\Windows\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
        
        C:\Windows\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
        
        C:\Windows\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
        
        C:\Windows\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe
        
        C:\Windows\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe
        13⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE77C~1.EXE > nul
        13⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE272~1.EXE > nul
        12⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE456~1.EXE > nul
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3E7~1.EXE > nul
        10⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0A5~1.EXE > nul
        9⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A973~1.EXE > nul
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DECB2~1.EXE > nul
        7⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C980~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F369F~1.EXE > nul
        5⤵
        
        PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA3C~1.EXE > nul
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05887~1.EXE > nul
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1C29BA~1.EXE > nul
  2⤵
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe

Filesize
372KB

MD5
92b4d875707d63556c1541b300d0b050

SHA1
4e40dd99fbc1559a0f52db40567ae29725aeb287

SHA256
6cb272c6cbd40b5e13cc8071a5ee7d013feb8b4414d35d3be2e84b2476177416

SHA512
31a7148de4b270ab288942f5d2f1372fe50f43d98adfaefbed4f357545dec953a83385461bbe5b4ab15c2837a33dda758a4207987464c116e1d7d10553c8c9d2

Download Submit
C:\Windows\{0588711F-9AD5-484a-B7F0-92A50467E934}.exe

Filesize
372KB

MD5
92b4d875707d63556c1541b300d0b050

SHA1
4e40dd99fbc1559a0f52db40567ae29725aeb287

SHA256
6cb272c6cbd40b5e13cc8071a5ee7d013feb8b4414d35d3be2e84b2476177416

SHA512
31a7148de4b270ab288942f5d2f1372fe50f43d98adfaefbed4f357545dec953a83385461bbe5b4ab15c2837a33dda758a4207987464c116e1d7d10553c8c9d2

Download Submit
C:\Windows\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe

Filesize
372KB

MD5
c8b4e588fbf72920821acf32fce86e49

SHA1
64d4830de9decda69222ca1249b2a6c3d4aeb4e1

SHA256
fb2d34a887004ea7dbb7dbcac7fa42a6d158778377c06ab99e17568727c2727a

SHA512
0ebfed5b512cab10af596451eb8393bfdbedae4e488e49fd25c1e1a09421c7c496d4b098cad47d0ba3e91e94a46c20ce0ecf8f8a66fcafaa17c9641ff42170eb

Download Submit
C:\Windows\{0A9733AF-B82F-41ec-AFA5-54466F53C689}.exe

Filesize
372KB

MD5
c8b4e588fbf72920821acf32fce86e49

SHA1
64d4830de9decda69222ca1249b2a6c3d4aeb4e1

SHA256
fb2d34a887004ea7dbb7dbcac7fa42a6d158778377c06ab99e17568727c2727a

SHA512
0ebfed5b512cab10af596451eb8393bfdbedae4e488e49fd25c1e1a09421c7c496d4b098cad47d0ba3e91e94a46c20ce0ecf8f8a66fcafaa17c9641ff42170eb

Download Submit
C:\Windows\{5A0A5751-B228-4275-8D14-07B79621422D}.exe

Filesize
372KB

MD5
6c370507e7af506d622c8b52653cac26

SHA1
02231046dbb9aff037b7955a67413f82bca38c4c

SHA256
65bcfec4e1920d581ebcbecca6769fe17902f6c5cbe125e81693abdda9fb7120

SHA512
39a26c18e6a1d1d7502b27da957933092a0bbb5d559655d3a32c4d7c4dc007957b297d617df50700db906c6d3fc89aef7d0a0f314d69bb21f8b1821bb3b7f6e9

Download Submit
C:\Windows\{5A0A5751-B228-4275-8D14-07B79621422D}.exe

Filesize
372KB

MD5
6c370507e7af506d622c8b52653cac26

SHA1
02231046dbb9aff037b7955a67413f82bca38c4c

SHA256
65bcfec4e1920d581ebcbecca6769fe17902f6c5cbe125e81693abdda9fb7120

SHA512
39a26c18e6a1d1d7502b27da957933092a0bbb5d559655d3a32c4d7c4dc007957b297d617df50700db906c6d3fc89aef7d0a0f314d69bb21f8b1821bb3b7f6e9

Download Submit
C:\Windows\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe

Filesize
372KB

MD5
6c35af16fb2f1655bbcad5060c636ac5

SHA1
421d325573ef6dcfa5d017665d12d85a70bb464c

SHA256
c408f402876a493a144b1a1f05c5a41eb9917557821b6c766bd46c875d46f2c7

SHA512
8afec821e2aa4509b2e4dffcf5b65763ee0f38fceb3a755d287b1aa201c1e2ee22f3f9c4df1e32fe5ddafc7b912c90d218f44014118da82569b1a33465c866ba

Download Submit
C:\Windows\{6FA3CD5C-32A2-4db7-B593-FA149EEE68EA}.exe

Filesize
372KB

MD5
6c35af16fb2f1655bbcad5060c636ac5

SHA1
421d325573ef6dcfa5d017665d12d85a70bb464c

SHA256
c408f402876a493a144b1a1f05c5a41eb9917557821b6c766bd46c875d46f2c7

SHA512
8afec821e2aa4509b2e4dffcf5b65763ee0f38fceb3a755d287b1aa201c1e2ee22f3f9c4df1e32fe5ddafc7b912c90d218f44014118da82569b1a33465c866ba

Download Submit
C:\Windows\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe

Filesize
372KB

MD5
2a285d1e780407ec4637cdd4085ab120

SHA1
9dc4893455dfeec3990d9ff11dadc78443288689

SHA256
7cc9d2749037c6fb23f7daca1b57b5669a876ad384221bfce0a2222c0600c3cb

SHA512
881464b633b9a17b117f0ed77bc846a7ed6361893e57c06cdb7a6689d13b47f8f95f56b81143c9ea10e29e77da188430bfb1a4181440e067282ce822ee887686

Download Submit
C:\Windows\{7C980766-7A16-43af-A123-649B4DDEA4E5}.exe

Filesize
372KB

MD5
2a285d1e780407ec4637cdd4085ab120

SHA1
9dc4893455dfeec3990d9ff11dadc78443288689

SHA256
7cc9d2749037c6fb23f7daca1b57b5669a876ad384221bfce0a2222c0600c3cb

SHA512
881464b633b9a17b117f0ed77bc846a7ed6361893e57c06cdb7a6689d13b47f8f95f56b81143c9ea10e29e77da188430bfb1a4181440e067282ce822ee887686

Download Submit
C:\Windows\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe

Filesize
372KB

MD5
95d1c8b116561ab2306ad2eb65885738

SHA1
33a68a9777b8cb873facd05470a3727edb948b10

SHA256
f03dc75a54d48ff5b351bf5f03c11333b68e26ac2ffd1a207c30f87074af17f3

SHA512
c503e58bf45846109cab8df783d0f7f38081626061273f3b744d694b2996e6d086c4fb445cc5de7d562e89137a1f528cbb107ad7f1a8f8b6860aaa0c4278ff9e

Download Submit
C:\Windows\{AE272D16-31F0-49e9-8C05-B5B21450A59D}.exe

Filesize
372KB

MD5
95d1c8b116561ab2306ad2eb65885738

SHA1
33a68a9777b8cb873facd05470a3727edb948b10

SHA256
f03dc75a54d48ff5b351bf5f03c11333b68e26ac2ffd1a207c30f87074af17f3

SHA512
c503e58bf45846109cab8df783d0f7f38081626061273f3b744d694b2996e6d086c4fb445cc5de7d562e89137a1f528cbb107ad7f1a8f8b6860aaa0c4278ff9e

Download Submit
C:\Windows\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe

Filesize
372KB

MD5
ca92dc3f99de228fbf772cee0c9f514f

SHA1
d310e9a0ef0c29355da57b8da789e7bd219dc862

SHA256
ca697a97711a87556ea52bbf8f7bb6b52965d34b00dfda65b87f11eeccd94ac4

SHA512
ff77cf97b084c5404cd6434e1ef1a558ce711e44b9a7c2f2e990ce4067b0718a6a8b916c3e2aaa5f6673189ebe2b5ce72ec56a8c78ef7edcf7085baf17dc23ca

Download Submit
C:\Windows\{BC4E1F8B-46DB-44b6-877C-6F1B35368D25}.exe

Filesize
372KB

MD5
ca92dc3f99de228fbf772cee0c9f514f

SHA1
d310e9a0ef0c29355da57b8da789e7bd219dc862

SHA256
ca697a97711a87556ea52bbf8f7bb6b52965d34b00dfda65b87f11eeccd94ac4

SHA512
ff77cf97b084c5404cd6434e1ef1a558ce711e44b9a7c2f2e990ce4067b0718a6a8b916c3e2aaa5f6673189ebe2b5ce72ec56a8c78ef7edcf7085baf17dc23ca

Download Submit
C:\Windows\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe

Filesize
372KB

MD5
44e20e2145e2b86b0d4c799e1ce77115

SHA1
eb67ebb3acdcc97a0821fb2e40f9823ff4734afe

SHA256
cc2e89b3509876d17524c02f5b3f8af75700204020005bb7f99ba132e5ad6450

SHA512
6ab5a50811b734b358d5ebe5f912477b8d3eb8e02bdd8dd23563cae6dca86d6419d6cb0ce6e00cfd39cc7b126a165842d88c689c37458670cfba707aceb76960

Download Submit
C:\Windows\{BE3E72CC-7EE4-4fab-A7DF-7D1BD5DC19A7}.exe

Filesize
372KB

MD5
44e20e2145e2b86b0d4c799e1ce77115

SHA1
eb67ebb3acdcc97a0821fb2e40f9823ff4734afe

SHA256
cc2e89b3509876d17524c02f5b3f8af75700204020005bb7f99ba132e5ad6450

SHA512
6ab5a50811b734b358d5ebe5f912477b8d3eb8e02bdd8dd23563cae6dca86d6419d6cb0ce6e00cfd39cc7b126a165842d88c689c37458670cfba707aceb76960

Download Submit
C:\Windows\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe

Filesize
372KB

MD5
e046106a6952d09e32426159fcbebf47

SHA1
78f71e607c519eec57c69c3be0aa094d685bbad0

SHA256
b3bf7e77a323e93bb47c485ae9c2822b01c2a6169ab08b929487566839473fe1

SHA512
8ac8ea4e12353474fb757e54e2c36f23d4d04bab82b8c42ca519e53de4386bb4a8c0c95040aa53c016d349dbc1ee35012aafca579e6c951e716e8906db9d2380

Download Submit
C:\Windows\{BE4566C1-31C1-4f4b-BC8A-9974C8B1BFF9}.exe

Filesize
372KB

MD5
e046106a6952d09e32426159fcbebf47

SHA1
78f71e607c519eec57c69c3be0aa094d685bbad0

SHA256
b3bf7e77a323e93bb47c485ae9c2822b01c2a6169ab08b929487566839473fe1

SHA512
8ac8ea4e12353474fb757e54e2c36f23d4d04bab82b8c42ca519e53de4386bb4a8c0c95040aa53c016d349dbc1ee35012aafca579e6c951e716e8906db9d2380

Download Submit
C:\Windows\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe

Filesize
372KB

MD5
79a5b1b47a4d8f451d0f6cdc1abeadf0

SHA1
88accb3b1ed0b5e8bd1922cfcdc701d040f889e0

SHA256
c9a9b31bf8d4723b8c349ae65803b327eb98cbef0e41ce57a1cb8b0a9b8116f2

SHA512
58638ebe98baef30b85450ac14236c122ebb7ac470ae2664978ee24a026fe0779a5457ff188ebf5f7a1c325076e536fb94101d6a727196e311ca36c78060a4ec

Download Submit
C:\Windows\{DE77C3DB-E2ED-4e7d-A067-86C5F01E0C49}.exe

Filesize
372KB

MD5
79a5b1b47a4d8f451d0f6cdc1abeadf0

SHA1
88accb3b1ed0b5e8bd1922cfcdc701d040f889e0

SHA256
c9a9b31bf8d4723b8c349ae65803b327eb98cbef0e41ce57a1cb8b0a9b8116f2

SHA512
58638ebe98baef30b85450ac14236c122ebb7ac470ae2664978ee24a026fe0779a5457ff188ebf5f7a1c325076e536fb94101d6a727196e311ca36c78060a4ec

Download Submit
C:\Windows\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe

Filesize
372KB

MD5
ceb39e9cef9c71556051155c09994312

SHA1
d827632576556b645f95ee41c70bddfc78321257

SHA256
70266343242b63a1e69059caed327400dd351a9d1dc8f3e08623222e69ec2035

SHA512
550d5723450990eca9e8410dc8fa109a04f65f75e64ee0224e97c634788bbe661ac7c67e40fb1fbfa4c00b00e74df2f65df69f6a2d97b523e5ee716dd6a1c152

Download Submit
C:\Windows\{DECB241D-F7E3-43bf-8EC6-94A4B963DC1C}.exe

Filesize
372KB

MD5
ceb39e9cef9c71556051155c09994312

SHA1
d827632576556b645f95ee41c70bddfc78321257

SHA256
70266343242b63a1e69059caed327400dd351a9d1dc8f3e08623222e69ec2035

SHA512
550d5723450990eca9e8410dc8fa109a04f65f75e64ee0224e97c634788bbe661ac7c67e40fb1fbfa4c00b00e74df2f65df69f6a2d97b523e5ee716dd6a1c152

Download Submit
C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe

Filesize
372KB

MD5
791c1b43068279645df0e5222d251ea5

SHA1
720e6888ee68f393716b4505fbd4147fe01f63de

SHA256
917f14b7d243a269fc66799dd67d09c9eb9d30b1a88d5a0718c6a8a7aeb9ccd3

SHA512
d2b6eee2cd805328968526981e3fbe22334cab9c9ceb3148453ddda89abbc6295448869160eee95f3ee32d5ea21c4522b393344eba96fc22c1d2eb1567f5de71

Download Submit
C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe

Filesize
372KB

MD5
791c1b43068279645df0e5222d251ea5

SHA1
720e6888ee68f393716b4505fbd4147fe01f63de

SHA256
917f14b7d243a269fc66799dd67d09c9eb9d30b1a88d5a0718c6a8a7aeb9ccd3

SHA512
d2b6eee2cd805328968526981e3fbe22334cab9c9ceb3148453ddda89abbc6295448869160eee95f3ee32d5ea21c4522b393344eba96fc22c1d2eb1567f5de71

Download Submit
C:\Windows\{F369F9ED-2B46-4267-AFB3-81C46D438DF4}.exe

Filesize
372KB

MD5
791c1b43068279645df0e5222d251ea5

SHA1
720e6888ee68f393716b4505fbd4147fe01f63de

SHA256
917f14b7d243a269fc66799dd67d09c9eb9d30b1a88d5a0718c6a8a7aeb9ccd3

SHA512
d2b6eee2cd805328968526981e3fbe22334cab9c9ceb3148453ddda89abbc6295448869160eee95f3ee32d5ea21c4522b393344eba96fc22c1d2eb1567f5de71

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads