f0bb2095aeb287a742282cfc775337118a49428084127ba7b0070828ce385237

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
Size

204KB
MD5

31aeb2827541444aa95556dee82050ca
SHA1

659c97014209ad61393a9a8c5aa6be5833a80fc7
SHA256

f0bb2095aeb287a742282cfc775337118a49428084127ba7b0070828ce385237
SHA512

233d222e469b290f427d3af12eb572271ac2946ec37187aca8a0afc56cd23dd86e0b16c304a8a73ef1825aeeb7b5a918a107520bcaeb1700db840be2a63cb8b5
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F61A8C17-03D9-455f-8E13-2EC503C7101B}	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}\stubpath = "C:\\Windows\\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe"	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}\stubpath = "C:\\Windows\\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe"	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{119335C4-14D1-4564-985E-73637866A06C}	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF710A39-F331-4ef2-BA40-604F284163A4}	{119335C4-14D1-4564-985E-73637866A06C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}\stubpath = "C:\\Windows\\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe"	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C97859-718D-4ae3-B3E9-286169FC0FC3}	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F61A8C17-03D9-455f-8E13-2EC503C7101B}\stubpath = "C:\\Windows\\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe"	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD636A2-E873-4c0f-985C-599A8B753290}	{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{119335C4-14D1-4564-985E-73637866A06C}\stubpath = "C:\\Windows\\{119335C4-14D1-4564-985E-73637866A06C}.exe"	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}\stubpath = "C:\\Windows\\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe"	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C97859-718D-4ae3-B3E9-286169FC0FC3}\stubpath = "C:\\Windows\\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe"	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}\stubpath = "C:\\Windows\\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe"	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF710A39-F331-4ef2-BA40-604F284163A4}\stubpath = "C:\\Windows\\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe"	{119335C4-14D1-4564-985E-73637866A06C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F3196B-FE79-4b72-929C-8117DE8B2B61}	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD636A2-E873-4c0f-985C-599A8B753290}\stubpath = "C:\\Windows\\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe"	{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44F3196B-FE79-4b72-929C-8117DE8B2B61}\stubpath = "C:\\Windows\\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe"	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}\stubpath = "C:\\Windows\\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe"	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe

Executes dropped EXE 12 IoCs

pid	Process
4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
3676	{119335C4-14D1-4564-985E-73637866A06C}.exe
2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
2744	{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
2160	{4DD636A2-E873-4c0f-985C-599A8B753290}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
File created	C:\Windows\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
File created	C:\Windows\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
File created	C:\Windows\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe	{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
File created	C:\Windows\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
File created	C:\Windows\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
File created	C:\Windows\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
File created	C:\Windows\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
File created	C:\Windows\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
File created	C:\Windows\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
File created	C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
File created	C:\Windows\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	{119335C4-14D1-4564-985E-73637866A06C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
Token: SeIncBasePriorityPrivilege	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
Token: SeIncBasePriorityPrivilege	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe
Token: SeIncBasePriorityPrivilege	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
Token: SeIncBasePriorityPrivilege	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
Token: SeIncBasePriorityPrivilege	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
Token: SeIncBasePriorityPrivilege	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
Token: SeIncBasePriorityPrivilege	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
Token: SeIncBasePriorityPrivilege	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
Token: SeIncBasePriorityPrivilege	3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
Token: SeIncBasePriorityPrivilege	2744	{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4400	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	88
PID 2848 wrote to memory of 4400	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	88
PID 2848 wrote to memory of 4400	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	88
PID 2848 wrote to memory of 4168	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	89
PID 2848 wrote to memory of 4168	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	89
PID 2848 wrote to memory of 4168	2848	31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe	89
PID 4400 wrote to memory of 1964	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	91
PID 4400 wrote to memory of 1964	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	91
PID 4400 wrote to memory of 1964	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	91
PID 4400 wrote to memory of 4724	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	92
PID 4400 wrote to memory of 4724	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	92
PID 4400 wrote to memory of 4724	4400	{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe	92
PID 1964 wrote to memory of 3676	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	94
PID 1964 wrote to memory of 3676	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	94
PID 1964 wrote to memory of 3676	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	94
PID 1964 wrote to memory of 2064	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	95
PID 1964 wrote to memory of 2064	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	95
PID 1964 wrote to memory of 2064	1964	{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe	95
PID 3676 wrote to memory of 2204	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	96
PID 3676 wrote to memory of 2204	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	96
PID 3676 wrote to memory of 2204	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	96
PID 3676 wrote to memory of 4720	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	97
PID 3676 wrote to memory of 4720	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	97
PID 3676 wrote to memory of 4720	3676	{119335C4-14D1-4564-985E-73637866A06C}.exe	97
PID 2204 wrote to memory of 1208	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	98
PID 2204 wrote to memory of 1208	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	98
PID 2204 wrote to memory of 1208	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	98
PID 2204 wrote to memory of 4708	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	99
PID 2204 wrote to memory of 4708	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	99
PID 2204 wrote to memory of 4708	2204	{FF710A39-F331-4ef2-BA40-604F284163A4}.exe	99
PID 1208 wrote to memory of 556	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	100
PID 1208 wrote to memory of 556	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	100
PID 1208 wrote to memory of 556	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	100
PID 1208 wrote to memory of 876	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	101
PID 1208 wrote to memory of 876	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	101
PID 1208 wrote to memory of 876	1208	{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe	101
PID 556 wrote to memory of 2836	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	102
PID 556 wrote to memory of 2836	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	102
PID 556 wrote to memory of 2836	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	102
PID 556 wrote to memory of 2124	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	103
PID 556 wrote to memory of 2124	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	103
PID 556 wrote to memory of 2124	556	{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe	103
PID 2836 wrote to memory of 1076	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	104
PID 2836 wrote to memory of 1076	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	104
PID 2836 wrote to memory of 1076	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	104
PID 2836 wrote to memory of 1568	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	105
PID 2836 wrote to memory of 1568	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	105
PID 2836 wrote to memory of 1568	2836	{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe	105
PID 1076 wrote to memory of 3936	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	106
PID 1076 wrote to memory of 3936	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	106
PID 1076 wrote to memory of 3936	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	106
PID 1076 wrote to memory of 4808	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	107
PID 1076 wrote to memory of 4808	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	107
PID 1076 wrote to memory of 4808	1076	{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe	107
PID 3936 wrote to memory of 3032	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	108
PID 3936 wrote to memory of 3032	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	108
PID 3936 wrote to memory of 3032	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	108
PID 3936 wrote to memory of 2996	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	109
PID 3936 wrote to memory of 2996	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	109
PID 3936 wrote to memory of 2996	3936	{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe	109
PID 3032 wrote to memory of 2744	3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe	110
PID 3032 wrote to memory of 2744	3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe	110
PID 3032 wrote to memory of 2744	3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe	110
PID 3032 wrote to memory of 3888	3032	{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe	111

C:\Users\Admin\AppData\Local\Temp\31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\31aeb2827541444aa95556dee82050ca_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
  C:\Windows\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
    C:\Windows\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe
      C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
        
        C:\Windows\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
        
        C:\Windows\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
        
        C:\Windows\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
        
        C:\Windows\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
        
        C:\Windows\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
        
        C:\Windows\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
        
        C:\Windows\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
        
        C:\Windows\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe
        
        C:\Windows\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe
        13⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F61A8~1.EXE > nul
        13⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDB9~1.EXE > nul
        12⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C97~1.EXE > nul
        11⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3547~1.EXE > nul
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DAD~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F31~1.EXE > nul
        8⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E067B~1.EXE > nul
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF710~1.EXE > nul
        6⤵
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11933~1.EXE > nul
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B789~1.EXE > nul
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72C27~1.EXE > nul
    3⤵
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\31AEB2~1.EXE > nul
  2⤵
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe

Filesize
204KB

MD5
6dfe845ae11205f6d476f6354bbafcdb

SHA1
5cd6bfa2d4bb3a78ff703df6b125de18e4e94235

SHA256
35b6b80071a784e2b65c5fc653a9972af6a678f815fdde1d76c91860beb1bd4b

SHA512
3a331b3652375ddb46f11ebc0e556ffd24b403e10f5dd9fd4979b26071efb0b4dcdd27af7f124f1418739efc03cea38aa017083a3bcdf78ca4db36da004c5287

Download Submit
C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe

Filesize
204KB

MD5
6dfe845ae11205f6d476f6354bbafcdb

SHA1
5cd6bfa2d4bb3a78ff703df6b125de18e4e94235

SHA256
35b6b80071a784e2b65c5fc653a9972af6a678f815fdde1d76c91860beb1bd4b

SHA512
3a331b3652375ddb46f11ebc0e556ffd24b403e10f5dd9fd4979b26071efb0b4dcdd27af7f124f1418739efc03cea38aa017083a3bcdf78ca4db36da004c5287

Download Submit
C:\Windows\{119335C4-14D1-4564-985E-73637866A06C}.exe

Filesize
204KB

MD5
6dfe845ae11205f6d476f6354bbafcdb

SHA1
5cd6bfa2d4bb3a78ff703df6b125de18e4e94235

SHA256
35b6b80071a784e2b65c5fc653a9972af6a678f815fdde1d76c91860beb1bd4b

SHA512
3a331b3652375ddb46f11ebc0e556ffd24b403e10f5dd9fd4979b26071efb0b4dcdd27af7f124f1418739efc03cea38aa017083a3bcdf78ca4db36da004c5287

Download Submit
C:\Windows\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe

Filesize
204KB

MD5
3896475148cf1cf4cfd992466942b5fe

SHA1
d2a0b63ef7074bc0cf5a4322f123b835d6532009

SHA256
5c2cd8214a2c6cdacaf94cc1d944422869cc5b846cb3116ab6a250e5292acfe0

SHA512
2995c242f4ec5dad729445b7651873f9d10093af78662107a33cb81260f7896e06ac49450c6a6bcf4077d2e74ab30b64bbe611e80c516d49a34b2f2c2697004d

Download Submit
C:\Windows\{1B7895C5-E35F-4314-9187-BBD665C6C3AC}.exe

Filesize
204KB

MD5
3896475148cf1cf4cfd992466942b5fe

SHA1
d2a0b63ef7074bc0cf5a4322f123b835d6532009

SHA256
5c2cd8214a2c6cdacaf94cc1d944422869cc5b846cb3116ab6a250e5292acfe0

SHA512
2995c242f4ec5dad729445b7651873f9d10093af78662107a33cb81260f7896e06ac49450c6a6bcf4077d2e74ab30b64bbe611e80c516d49a34b2f2c2697004d

Download Submit
C:\Windows\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe

Filesize
204KB

MD5
05230b8d2fbf479586045c4a4253de24

SHA1
7355f7a575592646dcb30ab312f340fe913ecc4a

SHA256
052d7106388640df4a26ad34dcd83d3432b88647d5352f7248342f98c65159d0

SHA512
bf0ffa57b1efa53d5790def7f6ebb1fc3409dfa3ac55a10e5a9d08064193f3871457cb31dcc5be9b9528940d1e9be1b06c84724dc970ffb81f89b4f379933353

Download Submit
C:\Windows\{32C97859-718D-4ae3-B3E9-286169FC0FC3}.exe

Filesize
204KB

MD5
05230b8d2fbf479586045c4a4253de24

SHA1
7355f7a575592646dcb30ab312f340fe913ecc4a

SHA256
052d7106388640df4a26ad34dcd83d3432b88647d5352f7248342f98c65159d0

SHA512
bf0ffa57b1efa53d5790def7f6ebb1fc3409dfa3ac55a10e5a9d08064193f3871457cb31dcc5be9b9528940d1e9be1b06c84724dc970ffb81f89b4f379933353

Download Submit
C:\Windows\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe

Filesize
204KB

MD5
c6125a5d37fbb3b927db291a3a120aa1

SHA1
390b7dd5b0eacd76d33c8b3ef4fc0ba5001a7a4b

SHA256
629585c94d5ade7907ec90ba6de56fc4e03e89359343960d7d6982a86e12f609

SHA512
48fd72a5aa292d112e1f7fb2088cab6244e2f950c8b0863da695903229b43201a1b684068793b43166152e87b4df8564ac439d8aa235010dc1e19625a4c51a23

Download Submit
C:\Windows\{44F3196B-FE79-4b72-929C-8117DE8B2B61}.exe

Filesize
204KB

MD5
c6125a5d37fbb3b927db291a3a120aa1

SHA1
390b7dd5b0eacd76d33c8b3ef4fc0ba5001a7a4b

SHA256
629585c94d5ade7907ec90ba6de56fc4e03e89359343960d7d6982a86e12f609

SHA512
48fd72a5aa292d112e1f7fb2088cab6244e2f950c8b0863da695903229b43201a1b684068793b43166152e87b4df8564ac439d8aa235010dc1e19625a4c51a23

Download Submit
C:\Windows\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe

Filesize
204KB

MD5
8e3c8d8cf46cab2b91e68854d6efecc5

SHA1
7c8313aabddd19ddfb6f0bb3792ca796bf68c9ec

SHA256
42388494f18c1258495ea6d8df4cf9f7e55d75c82e2121044684e5638910e90c

SHA512
4b0997a2489e105d711f9f186c038e8b7c642b7b0d0e2060a30c4381c694a9ad8cff3ef076632efada6123e71b19465cdde1484e86047c27490eb480dd69f351

Download Submit
C:\Windows\{4DD636A2-E873-4c0f-985C-599A8B753290}.exe

Filesize
204KB

MD5
8e3c8d8cf46cab2b91e68854d6efecc5

SHA1
7c8313aabddd19ddfb6f0bb3792ca796bf68c9ec

SHA256
42388494f18c1258495ea6d8df4cf9f7e55d75c82e2121044684e5638910e90c

SHA512
4b0997a2489e105d711f9f186c038e8b7c642b7b0d0e2060a30c4381c694a9ad8cff3ef076632efada6123e71b19465cdde1484e86047c27490eb480dd69f351

Download Submit
C:\Windows\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe

Filesize
204KB

MD5
5a1516059a53d7e67f6ed9b8b989d4e0

SHA1
1a8501abce3f4cb473e09394ee651f43aa92d49f

SHA256
8fff3b07a3494adf13446a51fb975f29280b0c71f30ad9a58289d309307173a5

SHA512
f76430dda77b9d093d36e3445cc96b83b2c30082b01b03ff2df06ad335dc5fa56294b966d16eff35bd2543bab730f7c6ef2144e79debdbc65c638d5012459c14

Download Submit
C:\Windows\{6DDB9F58-AD5A-421b-9A7E-31004EC950CB}.exe

Filesize
204KB

MD5
5a1516059a53d7e67f6ed9b8b989d4e0

SHA1
1a8501abce3f4cb473e09394ee651f43aa92d49f

SHA256
8fff3b07a3494adf13446a51fb975f29280b0c71f30ad9a58289d309307173a5

SHA512
f76430dda77b9d093d36e3445cc96b83b2c30082b01b03ff2df06ad335dc5fa56294b966d16eff35bd2543bab730f7c6ef2144e79debdbc65c638d5012459c14

Download Submit
C:\Windows\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe

Filesize
204KB

MD5
fecaf5fcf2ea2018fd92bf7d94d370d1

SHA1
187146853c9977dcc76c296915ab09d3fe65aeac

SHA256
4f9d17eec93633dcd47913c4e972b067be3a6f843bdfbc88991ff547b483771f

SHA512
f07d40a35c24df222492a1effb036f39bc942919c5ebd24c19272296fc81e8c741b967477cbb697efbe11b7f154768ddcded05200d61359e4e971db1840cabf6

Download Submit
C:\Windows\{72C27FF4-32D0-41a2-9A3D-957CB12D2107}.exe

Filesize
204KB

MD5
fecaf5fcf2ea2018fd92bf7d94d370d1

SHA1
187146853c9977dcc76c296915ab09d3fe65aeac

SHA256
4f9d17eec93633dcd47913c4e972b067be3a6f843bdfbc88991ff547b483771f

SHA512
f07d40a35c24df222492a1effb036f39bc942919c5ebd24c19272296fc81e8c741b967477cbb697efbe11b7f154768ddcded05200d61359e4e971db1840cabf6

Download Submit
C:\Windows\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe

Filesize
204KB

MD5
f1567d2537c922dcca89e24289a75084

SHA1
964134ce9ee454d9f61f2e707685c544b2826421

SHA256
e00095d83272bd1b20391ee7870a55a3dc6522b28010403fd9157a7f562de9f8

SHA512
ca0cbd6efc9a72898c8ee86316ad181cc11baa582a1739a04c2e45e4eac2ffd366710a9c782afb1bd68174a252f16cf24c7ad633bedb803e40d1420ecc2841af

Download Submit
C:\Windows\{C35472C2-AF2F-454d-8AF0-A66C47CA7CF2}.exe

Filesize
204KB

MD5
f1567d2537c922dcca89e24289a75084

SHA1
964134ce9ee454d9f61f2e707685c544b2826421

SHA256
e00095d83272bd1b20391ee7870a55a3dc6522b28010403fd9157a7f562de9f8

SHA512
ca0cbd6efc9a72898c8ee86316ad181cc11baa582a1739a04c2e45e4eac2ffd366710a9c782afb1bd68174a252f16cf24c7ad633bedb803e40d1420ecc2841af

Download Submit
C:\Windows\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe

Filesize
204KB

MD5
61b6aa2812e9847d7b801aca5792f8c7

SHA1
38b276d692824c3863615265cccf70e0cafaa362

SHA256
52f5c24f7abb54a87f65dd8288e37af624ad458e1e8e888dbb8227282e117c58

SHA512
1069d1022982cad5df9cf16d3302ebcf2b027336844046a6c5bc3fa89862cb210a73c2ecce88727f29121c09eade0f8f30120f21174dadb7e349c09972710cc3

Download Submit
C:\Windows\{D4DAD8E5-8F1C-4cb1-9B3E-7EAC0CEBD745}.exe

Filesize
204KB

MD5
61b6aa2812e9847d7b801aca5792f8c7

SHA1
38b276d692824c3863615265cccf70e0cafaa362

SHA256
52f5c24f7abb54a87f65dd8288e37af624ad458e1e8e888dbb8227282e117c58

SHA512
1069d1022982cad5df9cf16d3302ebcf2b027336844046a6c5bc3fa89862cb210a73c2ecce88727f29121c09eade0f8f30120f21174dadb7e349c09972710cc3

Download Submit
C:\Windows\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe

Filesize
204KB

MD5
7d395fb6bc57e0d836dc10faf7f8f73a

SHA1
fb9c2bc22cd907223a97c635c75b37e4aaf0c7a0

SHA256
36d875fed4a9a309dd3abd2218002875e02216190739c52c80db1eb19e574f5e

SHA512
67daf5716807b910b119c20bbaebabbbc62cb5dd684f29ad0ea31f367128d86a506ba90fcdb121cd54778f5481823f337ee5573115970805c9d6a7e24b59cd30

Download Submit
C:\Windows\{E067B8C1-E5AB-4b22-94A1-8C552CFD5179}.exe

Filesize
204KB

MD5
7d395fb6bc57e0d836dc10faf7f8f73a

SHA1
fb9c2bc22cd907223a97c635c75b37e4aaf0c7a0

SHA256
36d875fed4a9a309dd3abd2218002875e02216190739c52c80db1eb19e574f5e

SHA512
67daf5716807b910b119c20bbaebabbbc62cb5dd684f29ad0ea31f367128d86a506ba90fcdb121cd54778f5481823f337ee5573115970805c9d6a7e24b59cd30

Download Submit
C:\Windows\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe

Filesize
204KB

MD5
48405d860e3acc48024969d0b50c5c4a

SHA1
06f60e6b73bf70a425d43930a45d58aa384d920f

SHA256
b555541e4a82b6580fda7a77a69e88ab7c9d30f62671ebf2bc979dd5556853cd

SHA512
235c2f9ba0a20d73ce37504a11d6baad21bdf1c2280fd21c8b90ad3cfccfcef82cdd9364eebf2793accb8929a598dc8d426163def13149394ec4e24b419ff4ca

Download Submit
C:\Windows\{F61A8C17-03D9-455f-8E13-2EC503C7101B}.exe

Filesize
204KB

MD5
48405d860e3acc48024969d0b50c5c4a

SHA1
06f60e6b73bf70a425d43930a45d58aa384d920f

SHA256
b555541e4a82b6580fda7a77a69e88ab7c9d30f62671ebf2bc979dd5556853cd

SHA512
235c2f9ba0a20d73ce37504a11d6baad21bdf1c2280fd21c8b90ad3cfccfcef82cdd9364eebf2793accb8929a598dc8d426163def13149394ec4e24b419ff4ca

Download Submit
C:\Windows\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe

Filesize
204KB

MD5
c4d2cc82a502515efc5d2c0f5b4460a6

SHA1
e7422a425f5fb5f8fe78831db77e345ce8dfce4c

SHA256
18d52c111cbfff87d6ec79b3dac0ce965cbff2895dc7a19a329c86dc8bb1a51e

SHA512
76304580a307316704b3417cb68385459b2717ba0711a50f307d8b4cdf673ee38681960a55a0eb571d96739ee175ee8fa3694767f13cbb3d507545657a7f60fc

Download Submit
C:\Windows\{FF710A39-F331-4ef2-BA40-604F284163A4}.exe

Filesize
204KB

MD5
c4d2cc82a502515efc5d2c0f5b4460a6

SHA1
e7422a425f5fb5f8fe78831db77e345ce8dfce4c

SHA256
18d52c111cbfff87d6ec79b3dac0ce965cbff2895dc7a19a329c86dc8bb1a51e

SHA512
76304580a307316704b3417cb68385459b2717ba0711a50f307d8b4cdf673ee38681960a55a0eb571d96739ee175ee8fa3694767f13cbb3d507545657a7f60fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads