2be240d5c4b6fef2ed50321831eec3cbd4efbcda0f4ab8924a205609923ad44b

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 16:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Size

408KB
MD5

33d4a6b04ae32fef5bb32ceca235318e
SHA1

75cf4f5e307db803a5f5719c37b59a62b9885d0b
SHA256

2be240d5c4b6fef2ed50321831eec3cbd4efbcda0f4ab8924a205609923ad44b
SHA512

462f6e23ef1a0a486cb5f5e5cb664ff8b665a2dce07dccf9f43557dfab69ae181ace1fbc12df2bb2f009c0f7099d0cb0eda46fbc9a745cedca639633b0c02bb3
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}\stubpath = "C:\\Windows\\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe"	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95262169-5898-4849-9810-27DB9A14ABAC}	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95262169-5898-4849-9810-27DB9A14ABAC}\stubpath = "C:\\Windows\\{95262169-5898-4849-9810-27DB9A14ABAC}.exe"	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26D283F-7E1B-4efb-8924-4284338C85DA}	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}\stubpath = "C:\\Windows\\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe"	{95262169-5898-4849-9810-27DB9A14ABAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}\stubpath = "C:\\Windows\\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe"	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EC449C-8B9C-43a3-A180-E0055F17973B}	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BFA82E-E121-4eef-A8B4-C728C0B41701}	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FB9F75-488C-4f75-B09C-471505BDAA62}\stubpath = "C:\\Windows\\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe"	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937F0050-EE34-4e36-BB7E-A863407E40DE}\stubpath = "C:\\Windows\\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe"	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}\stubpath = "C:\\Windows\\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe"	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}\stubpath = "C:\\Windows\\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe"	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}	{95262169-5898-4849-9810-27DB9A14ABAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EC449C-8B9C-43a3-A180-E0055F17973B}\stubpath = "C:\\Windows\\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe"	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BFA82E-E121-4eef-A8B4-C728C0B41701}\stubpath = "C:\\Windows\\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe"	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}	{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}\stubpath = "C:\\Windows\\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe"	{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26D283F-7E1B-4efb-8924-4284338C85DA}\stubpath = "C:\\Windows\\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe"	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937F0050-EE34-4e36-BB7E-A863407E40DE}	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FB9F75-488C-4f75-B09C-471505BDAA62}	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe
1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
460	{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
3092	{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	{95262169-5898-4849-9810-27DB9A14ABAC}.exe
File created	C:\Windows\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
File created	C:\Windows\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
File created	C:\Windows\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
File created	C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
File created	C:\Windows\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
File created	C:\Windows\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
File created	C:\Windows\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
File created	C:\Windows\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe	{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
File created	C:\Windows\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
File created	C:\Windows\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
File created	C:\Windows\{95262169-5898-4849-9810-27DB9A14ABAC}.exe	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
Token: SeIncBasePriorityPrivilege	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
Token: SeIncBasePriorityPrivilege	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
Token: SeIncBasePriorityPrivilege	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
Token: SeIncBasePriorityPrivilege	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
Token: SeIncBasePriorityPrivilege	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe
Token: SeIncBasePriorityPrivilege	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
Token: SeIncBasePriorityPrivilege	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
Token: SeIncBasePriorityPrivilege	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
Token: SeIncBasePriorityPrivilege	1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
Token: SeIncBasePriorityPrivilege	460	{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 3644	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	88
PID 484 wrote to memory of 3644	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	88
PID 484 wrote to memory of 3644	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	88
PID 484 wrote to memory of 3876	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	89
PID 484 wrote to memory of 3876	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	89
PID 484 wrote to memory of 3876	484	33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe	89
PID 3644 wrote to memory of 3960	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	90
PID 3644 wrote to memory of 3960	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	90
PID 3644 wrote to memory of 3960	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	90
PID 3644 wrote to memory of 4472	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	91
PID 3644 wrote to memory of 4472	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	91
PID 3644 wrote to memory of 4472	3644	{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe	91
PID 3960 wrote to memory of 1012	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	93
PID 3960 wrote to memory of 1012	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	93
PID 3960 wrote to memory of 1012	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	93
PID 3960 wrote to memory of 4352	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	94
PID 3960 wrote to memory of 4352	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	94
PID 3960 wrote to memory of 4352	3960	{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe	94
PID 1012 wrote to memory of 820	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	95
PID 1012 wrote to memory of 820	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	95
PID 1012 wrote to memory of 820	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	95
PID 1012 wrote to memory of 4164	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	96
PID 1012 wrote to memory of 4164	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	96
PID 1012 wrote to memory of 4164	1012	{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe	96
PID 820 wrote to memory of 4024	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	97
PID 820 wrote to memory of 4024	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	97
PID 820 wrote to memory of 4024	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	97
PID 820 wrote to memory of 2928	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	98
PID 820 wrote to memory of 2928	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	98
PID 820 wrote to memory of 2928	820	{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe	98
PID 4024 wrote to memory of 3004	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	99
PID 4024 wrote to memory of 3004	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	99
PID 4024 wrote to memory of 3004	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	99
PID 4024 wrote to memory of 3420	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	100
PID 4024 wrote to memory of 3420	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	100
PID 4024 wrote to memory of 3420	4024	{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe	100
PID 3004 wrote to memory of 1304	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	101
PID 3004 wrote to memory of 1304	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	101
PID 3004 wrote to memory of 1304	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	101
PID 3004 wrote to memory of 1868	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	102
PID 3004 wrote to memory of 1868	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	102
PID 3004 wrote to memory of 1868	3004	{95262169-5898-4849-9810-27DB9A14ABAC}.exe	102
PID 1304 wrote to memory of 1532	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	103
PID 1304 wrote to memory of 1532	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	103
PID 1304 wrote to memory of 1532	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	103
PID 1304 wrote to memory of 4644	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	104
PID 1304 wrote to memory of 4644	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	104
PID 1304 wrote to memory of 4644	1304	{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe	104
PID 1532 wrote to memory of 4968	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	105
PID 1532 wrote to memory of 4968	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	105
PID 1532 wrote to memory of 4968	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	105
PID 1532 wrote to memory of 3476	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	106
PID 1532 wrote to memory of 3476	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	106
PID 1532 wrote to memory of 3476	1532	{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe	106
PID 4968 wrote to memory of 1780	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	107
PID 4968 wrote to memory of 1780	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	107
PID 4968 wrote to memory of 1780	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	107
PID 4968 wrote to memory of 4224	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	108
PID 4968 wrote to memory of 4224	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	108
PID 4968 wrote to memory of 4224	4968	{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe	108
PID 1780 wrote to memory of 460	1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe	110
PID 1780 wrote to memory of 460	1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe	110
PID 1780 wrote to memory of 460	1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe	110
PID 1780 wrote to memory of 4152	1780	{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe	109

C:\Users\Admin\AppData\Local\Temp\33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\33d4a6b04ae32fef5bb32ceca235318e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
  C:\Windows\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
    C:\Windows\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
      C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
        
        C:\Windows\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Windows\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
        
        C:\Windows\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{95262169-5898-4849-9810-27DB9A14ABAC}.exe
        
        C:\Windows\{95262169-5898-4849-9810-27DB9A14ABAC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
        
        C:\Windows\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
        
        C:\Windows\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
        
        C:\Windows\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
        
        C:\Windows\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BFA~1.EXE > nul
        12⤵
        
        PID:4152
        
        C:\Windows\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
        
        C:\Windows\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
        
        C:\Windows\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe
        
        C:\Windows\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe
        13⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66FB9~1.EXE > nul
        13⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74EC4~1.EXE > nul
        11⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E58E2~1.EXE > nul
        10⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AEEC~1.EXE > nul
        9⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95262~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937F0~1.EXE > nul
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC15~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D39A~1.EXE > nul
        5⤵
        
        PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC08E~1.EXE > nul
      4⤵
      PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F26D2~1.EXE > nul
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\33D4A6~1.EXE > nul
  2⤵
  PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe

Filesize
408KB

MD5
e68a12301e827db706ee3886db5a1751

SHA1
70571792f2e84b95b7881f06022f7da625bc08b2

SHA256
06cb360744f34f262af4b8bc3b0ea73b8ef5251c4e2bf6ddf97398498e21a0b4

SHA512
061a127683febff1c63725642d3d777c85a88503a54228c73abf48e6b75edda9e591641d6e8f1498c8858df61f37ed47f52fc25b8be155a64308820e615cb55f

Download Submit
C:\Windows\{0AEECFCF-7272-4185-AEEF-72F2B4F511BE}.exe

Filesize
408KB

MD5
e68a12301e827db706ee3886db5a1751

SHA1
70571792f2e84b95b7881f06022f7da625bc08b2

SHA256
06cb360744f34f262af4b8bc3b0ea73b8ef5251c4e2bf6ddf97398498e21a0b4

SHA512
061a127683febff1c63725642d3d777c85a88503a54228c73abf48e6b75edda9e591641d6e8f1498c8858df61f37ed47f52fc25b8be155a64308820e615cb55f

Download Submit
C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe

Filesize
408KB

MD5
487d7cdbb7f9e30e1373a3b3bf665b09

SHA1
843d4970b0d55873b4719d568841501c0c5c8e26

SHA256
fe535f5a0adbc6b0039117880f0db820691db6a42cd22d974d2f7c4d131bd4d9

SHA512
ca4edc8d100df875cee2a8c4be855b0aa8d9097265f36228721c3ce83dcfe9b7c019bb2c2fd8eeae50aa0117b910aa20affaa337ceedbe44c8794a9ddb50c81c

Download Submit
C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe

Filesize
408KB

MD5
487d7cdbb7f9e30e1373a3b3bf665b09

SHA1
843d4970b0d55873b4719d568841501c0c5c8e26

SHA256
fe535f5a0adbc6b0039117880f0db820691db6a42cd22d974d2f7c4d131bd4d9

SHA512
ca4edc8d100df875cee2a8c4be855b0aa8d9097265f36228721c3ce83dcfe9b7c019bb2c2fd8eeae50aa0117b910aa20affaa337ceedbe44c8794a9ddb50c81c

Download Submit
C:\Windows\{4D39A971-2C11-4c85-AAB2-2405F179CF2D}.exe

Filesize
408KB

MD5
487d7cdbb7f9e30e1373a3b3bf665b09

SHA1
843d4970b0d55873b4719d568841501c0c5c8e26

SHA256
fe535f5a0adbc6b0039117880f0db820691db6a42cd22d974d2f7c4d131bd4d9

SHA512
ca4edc8d100df875cee2a8c4be855b0aa8d9097265f36228721c3ce83dcfe9b7c019bb2c2fd8eeae50aa0117b910aa20affaa337ceedbe44c8794a9ddb50c81c

Download Submit
C:\Windows\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe

Filesize
408KB

MD5
2e8e27e3e1e82b7483a15a21288d4a7a

SHA1
db1f2a201cab12e5df698470dd3c24ea8c742f10

SHA256
ecaa4d34cc01c56644df2da87756df0c588374f4f65ed5e3c8a28b5982987a0c

SHA512
a1ba986a6fc30bfbbaae39de591b4ff58f62bbeb90fa4cbe8fe070f343c0523a63723be5bc897702b033c773a3b105c46e2ddcfd811e489256dca86b97f1eecd

Download Submit
C:\Windows\{57BFA82E-E121-4eef-A8B4-C728C0B41701}.exe

Filesize
408KB

MD5
2e8e27e3e1e82b7483a15a21288d4a7a

SHA1
db1f2a201cab12e5df698470dd3c24ea8c742f10

SHA256
ecaa4d34cc01c56644df2da87756df0c588374f4f65ed5e3c8a28b5982987a0c

SHA512
a1ba986a6fc30bfbbaae39de591b4ff58f62bbeb90fa4cbe8fe070f343c0523a63723be5bc897702b033c773a3b105c46e2ddcfd811e489256dca86b97f1eecd

Download Submit
C:\Windows\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe

Filesize
408KB

MD5
a145e6748983dc56f332fca88dcd800e

SHA1
01338b1a8ffdba725e37f24622ddb95f057a514e

SHA256
80793cbdc1852dd6457d14ff779168d5f9b4410be91abae56fe6bca4645fde90

SHA512
d19ea966de22edef3f7c36b3cfe54dca25e2dc5756dfe57c46822d0e82fd7f4dec2f1ade4fe0369c5c5798e437174f1dcd1da33dabeba2f18b2beb0aad7b6e1a

Download Submit
C:\Windows\{66FB9F75-488C-4f75-B09C-471505BDAA62}.exe

Filesize
408KB

MD5
a145e6748983dc56f332fca88dcd800e

SHA1
01338b1a8ffdba725e37f24622ddb95f057a514e

SHA256
80793cbdc1852dd6457d14ff779168d5f9b4410be91abae56fe6bca4645fde90

SHA512
d19ea966de22edef3f7c36b3cfe54dca25e2dc5756dfe57c46822d0e82fd7f4dec2f1ade4fe0369c5c5798e437174f1dcd1da33dabeba2f18b2beb0aad7b6e1a

Download Submit
C:\Windows\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe

Filesize
408KB

MD5
426179a8891631eb704a9bda967cfd99

SHA1
c31f1cf78be2398356ac907804a24f945aeb8c28

SHA256
569846065b2fb1d920d3f00a7005210ffb1e1d19b824f4ddb7483efde2bad732

SHA512
0da9ce9d1a401899460d5f318ac41954bacd6bd95abd4cf10b2b5407c24add0f5a16c8d4d7fc1758be20e8da6c07daca7b7361b09a13466eaec081fe8c6fffb3

Download Submit
C:\Windows\{74EC449C-8B9C-43a3-A180-E0055F17973B}.exe

Filesize
408KB

MD5
426179a8891631eb704a9bda967cfd99

SHA1
c31f1cf78be2398356ac907804a24f945aeb8c28

SHA256
569846065b2fb1d920d3f00a7005210ffb1e1d19b824f4ddb7483efde2bad732

SHA512
0da9ce9d1a401899460d5f318ac41954bacd6bd95abd4cf10b2b5407c24add0f5a16c8d4d7fc1758be20e8da6c07daca7b7361b09a13466eaec081fe8c6fffb3

Download Submit
C:\Windows\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe

Filesize
408KB

MD5
e07118bd166fe44604b8d9e32cdcc322

SHA1
75b9f7ee5b8f2e5375ec733093fe86b106642537

SHA256
c44ba5e1b53ac9dda7cddc78b70c4f412fdc7242b33d4099faac30e98ec04399

SHA512
04ee6a645de3aa451e096cde11dc081e11c0f644cc312248c1b29c575c4dcca2c7fb1ccf861c138abc3517108d93de6910c06b1b0c9e6f1678954ae6ffb71968

Download Submit
C:\Windows\{937F0050-EE34-4e36-BB7E-A863407E40DE}.exe

Filesize
408KB

MD5
e07118bd166fe44604b8d9e32cdcc322

SHA1
75b9f7ee5b8f2e5375ec733093fe86b106642537

SHA256
c44ba5e1b53ac9dda7cddc78b70c4f412fdc7242b33d4099faac30e98ec04399

SHA512
04ee6a645de3aa451e096cde11dc081e11c0f644cc312248c1b29c575c4dcca2c7fb1ccf861c138abc3517108d93de6910c06b1b0c9e6f1678954ae6ffb71968

Download Submit
C:\Windows\{95262169-5898-4849-9810-27DB9A14ABAC}.exe

Filesize
408KB

MD5
5fee2cec158fba7814f68b0ca85cff83

SHA1
f686c799ed4c6854b58d40551afddfe7b42d9a7d

SHA256
bda92d0d0e419ea9d3e6c5758208043ca8f1d361bb5a334dc31be457a9f95481

SHA512
abce235d49a3c2d5360fff354a2f8f0492010e117d130e8f22aa2720270188458ca737f398c5690df335b84a990768199a2f5707a6878a4abc218d5092d2b2da

Download Submit
C:\Windows\{95262169-5898-4849-9810-27DB9A14ABAC}.exe

Filesize
408KB

MD5
5fee2cec158fba7814f68b0ca85cff83

SHA1
f686c799ed4c6854b58d40551afddfe7b42d9a7d

SHA256
bda92d0d0e419ea9d3e6c5758208043ca8f1d361bb5a334dc31be457a9f95481

SHA512
abce235d49a3c2d5360fff354a2f8f0492010e117d130e8f22aa2720270188458ca737f398c5690df335b84a990768199a2f5707a6878a4abc218d5092d2b2da

Download Submit
C:\Windows\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe

Filesize
408KB

MD5
7e16e8d2762d9d2eeb9c2cbfb2206fe5

SHA1
f891cc0110d9794cc5ce226e7164e99ba4032f6d

SHA256
f682923e716c456b1712480181cd95cdcc5608697fd224bd0ba607a998497f89

SHA512
406606e3f1e2be824c78fbe8ca10f1dcfb0b80d1ebea77788d85512e1577bc05d1ba216332aa4e6c8c042a5321022ff46100a4d3029cad06e5f312b5dac0f8b7

Download Submit
C:\Windows\{E58E2F74-4B1B-49f5-A463-DE7B0A33B45C}.exe

Filesize
408KB

MD5
7e16e8d2762d9d2eeb9c2cbfb2206fe5

SHA1
f891cc0110d9794cc5ce226e7164e99ba4032f6d

SHA256
f682923e716c456b1712480181cd95cdcc5608697fd224bd0ba607a998497f89

SHA512
406606e3f1e2be824c78fbe8ca10f1dcfb0b80d1ebea77788d85512e1577bc05d1ba216332aa4e6c8c042a5321022ff46100a4d3029cad06e5f312b5dac0f8b7

Download Submit
C:\Windows\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe

Filesize
408KB

MD5
7d17e67dde75316aa8f65f7c2fc5cd18

SHA1
e8331e1a2906d09da69ecd3df75f6266a10d986a

SHA256
697b7d3cb45dabe5b32ca40b530631f3f2636584a0a00ff8fa13ec0762e29360

SHA512
4cea6b5504468bbe5e73e6458e7903f15a7aa98cde360f937ecbec178a256db7f3eef893769ec2ddca398d3eee26cc181aa89fa5faba27fa370527d3fe1e6ce7

Download Submit
C:\Windows\{EC08EA65-7699-4ff4-AA7A-95A3BBD0824E}.exe

Filesize
408KB

MD5
7d17e67dde75316aa8f65f7c2fc5cd18

SHA1
e8331e1a2906d09da69ecd3df75f6266a10d986a

SHA256
697b7d3cb45dabe5b32ca40b530631f3f2636584a0a00ff8fa13ec0762e29360

SHA512
4cea6b5504468bbe5e73e6458e7903f15a7aa98cde360f937ecbec178a256db7f3eef893769ec2ddca398d3eee26cc181aa89fa5faba27fa370527d3fe1e6ce7

Download Submit
C:\Windows\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe

Filesize
408KB

MD5
ed3fb8608203453f823c92f9f6a3ab74

SHA1
57e0f052343b7248b9b318672b9fa77783514836

SHA256
fd81cfb67926fb92f42b786c087ed644889f179e379df455e2c9f5a7388a1356

SHA512
427020397f6f6aa85303c983e3b38a84885a773d3c90ca17bf95e369efc27e3e0d86c87a654c3a89bcb6c6ec98105341009eb05599f601019f9744191c5f78b6

Download Submit
C:\Windows\{EEC152C5-CFB8-4b59-BA3C-5DC3973193EA}.exe

Filesize
408KB

MD5
ed3fb8608203453f823c92f9f6a3ab74

SHA1
57e0f052343b7248b9b318672b9fa77783514836

SHA256
fd81cfb67926fb92f42b786c087ed644889f179e379df455e2c9f5a7388a1356

SHA512
427020397f6f6aa85303c983e3b38a84885a773d3c90ca17bf95e369efc27e3e0d86c87a654c3a89bcb6c6ec98105341009eb05599f601019f9744191c5f78b6

Download Submit
C:\Windows\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe

Filesize
408KB

MD5
e5d20ebd39c4b626c8b20813041d00a0

SHA1
49427760bbe877ff626977fed7947bff61ec3c35

SHA256
77bc72a9395263c42ca0a3ac1851a1d65c80cb893eddbac801ba472ebcfadff7

SHA512
9fae280b2c85dad699a97687f4b133eeae138aa046b470a28de7153b057da723007f3a27e450210c861347d472c586238ccf64f10ccb8d6717691beb9f877e2d

Download Submit
C:\Windows\{F26D283F-7E1B-4efb-8924-4284338C85DA}.exe

Filesize
408KB

MD5
e5d20ebd39c4b626c8b20813041d00a0

SHA1
49427760bbe877ff626977fed7947bff61ec3c35

SHA256
77bc72a9395263c42ca0a3ac1851a1d65c80cb893eddbac801ba472ebcfadff7

SHA512
9fae280b2c85dad699a97687f4b133eeae138aa046b470a28de7153b057da723007f3a27e450210c861347d472c586238ccf64f10ccb8d6717691beb9f877e2d

Download Submit
C:\Windows\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe

Filesize
408KB

MD5
a75853044281a6f20714734418c1abc9

SHA1
ff34758918e25685eec311c439b55da72cfb15e0

SHA256
7817a1107bc40b386934ca10ad6a017281a2f78f8ec8978686cb7b819d5b6fd7

SHA512
9b09f60938686cb219e4d430053a9b173b315b11b3eef2a7f000aebb0205dc99773fa3cb8ff6e893339a5654848c2bf740e90952eb54c6e4139d7800cad09c7e

Download Submit
C:\Windows\{F27C6B5E-6758-45a4-BD0D-D28E313A6666}.exe

Filesize
408KB

MD5
a75853044281a6f20714734418c1abc9

SHA1
ff34758918e25685eec311c439b55da72cfb15e0

SHA256
7817a1107bc40b386934ca10ad6a017281a2f78f8ec8978686cb7b819d5b6fd7

SHA512
9b09f60938686cb219e4d430053a9b173b315b11b3eef2a7f000aebb0205dc99773fa3cb8ff6e893339a5654848c2bf740e90952eb54c6e4139d7800cad09c7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads