b11624631a77de1dc09acd430aec8ac12f457d1851045f93ed3f5f5dc28cc5f5

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Size

372KB
MD5

3f1bd3c7f516afaf62ddb898002bd7c3
SHA1

ee3465891ffddb154ae186b409cd3e0d571c9fc9
SHA256

b11624631a77de1dc09acd430aec8ac12f457d1851045f93ed3f5f5dc28cc5f5
SHA512

574d4889f2b2f645196bf000ccc86edd4faeede6a26fa222cb42b1486ba991b85528cc3c6da237604f1ca01cfdd80bba06502329cf17eb6e0964639d6253d83a
SSDEEP

3072:CEGh0oPmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG8l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8989814E-1A32-4961-8011-0F34715C20FD}\stubpath = "C:\\Windows\\{8989814E-1A32-4961-8011-0F34715C20FD}.exe"	{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8041336F-A414-43e5-98AC-7C380799AE49}	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}	{8041336F-A414-43e5-98AC-7C380799AE49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}\stubpath = "C:\\Windows\\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe"	{8041336F-A414-43e5-98AC-7C380799AE49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}\stubpath = "C:\\Windows\\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe"	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}\stubpath = "C:\\Windows\\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe"	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}\stubpath = "C:\\Windows\\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe"	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}\stubpath = "C:\\Windows\\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe"	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8041336F-A414-43e5-98AC-7C380799AE49}\stubpath = "C:\\Windows\\{8041336F-A414-43e5-98AC-7C380799AE49}.exe"	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}\stubpath = "C:\\Windows\\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe"	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}\stubpath = "C:\\Windows\\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe"	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}\stubpath = "C:\\Windows\\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe"	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41604733-7DF1-4a4e-8EF9-B20435710EB3}\stubpath = "C:\\Windows\\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe"	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41604733-7DF1-4a4e-8EF9-B20435710EB3}	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8989814E-1A32-4961-8011-0F34715C20FD}	{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}\stubpath = "C:\\Windows\\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe"	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe

Executes dropped EXE 12 IoCs

pid	Process
212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe
4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
5024	{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe
4428	{8989814E-1A32-4961-8011-0F34715C20FD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
File created	C:\Windows\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
File created	C:\Windows\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
File created	C:\Windows\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
File created	C:\Windows\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
File created	C:\Windows\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
File created	C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
File created	C:\Windows\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
File created	C:\Windows\{8041336F-A414-43e5-98AC-7C380799AE49}.exe	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
File created	C:\Windows\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	{8041336F-A414-43e5-98AC-7C380799AE49}.exe
File created	C:\Windows\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
File created	C:\Windows\{8989814E-1A32-4961-8011-0F34715C20FD}.exe	{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
Token: SeIncBasePriorityPrivilege	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
Token: SeIncBasePriorityPrivilege	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
Token: SeIncBasePriorityPrivilege	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
Token: SeIncBasePriorityPrivilege	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
Token: SeIncBasePriorityPrivilege	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
Token: SeIncBasePriorityPrivilege	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe
Token: SeIncBasePriorityPrivilege	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
Token: SeIncBasePriorityPrivilege	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
Token: SeIncBasePriorityPrivilege	4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
Token: SeIncBasePriorityPrivilege	5024	{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 212	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	90
PID 4832 wrote to memory of 212	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	90
PID 4832 wrote to memory of 212	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	90
PID 4832 wrote to memory of 3716	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	91
PID 4832 wrote to memory of 3716	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	91
PID 4832 wrote to memory of 3716	4832	3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe	91
PID 212 wrote to memory of 2424	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	92
PID 212 wrote to memory of 2424	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	92
PID 212 wrote to memory of 2424	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	92
PID 212 wrote to memory of 4644	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	93
PID 212 wrote to memory of 4644	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	93
PID 212 wrote to memory of 4644	212	{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe	93
PID 2424 wrote to memory of 4396	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	95
PID 2424 wrote to memory of 4396	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	95
PID 2424 wrote to memory of 4396	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	95
PID 2424 wrote to memory of 3668	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	96
PID 2424 wrote to memory of 3668	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	96
PID 2424 wrote to memory of 3668	2424	{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe	96
PID 4396 wrote to memory of 2232	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	97
PID 4396 wrote to memory of 2232	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	97
PID 4396 wrote to memory of 2232	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	97
PID 4396 wrote to memory of 4796	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	98
PID 4396 wrote to memory of 4796	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	98
PID 4396 wrote to memory of 4796	4396	{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe	98
PID 2232 wrote to memory of 1668	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	99
PID 2232 wrote to memory of 1668	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	99
PID 2232 wrote to memory of 1668	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	99
PID 2232 wrote to memory of 2400	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	100
PID 2232 wrote to memory of 2400	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	100
PID 2232 wrote to memory of 2400	2232	{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe	100
PID 1668 wrote to memory of 4120	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	101
PID 1668 wrote to memory of 4120	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	101
PID 1668 wrote to memory of 4120	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	101
PID 1668 wrote to memory of 4680	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	102
PID 1668 wrote to memory of 4680	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	102
PID 1668 wrote to memory of 4680	1668	{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe	102
PID 4120 wrote to memory of 3104	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	103
PID 4120 wrote to memory of 3104	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	103
PID 4120 wrote to memory of 3104	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	103
PID 4120 wrote to memory of 1888	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	104
PID 4120 wrote to memory of 1888	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	104
PID 4120 wrote to memory of 1888	4120	{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe	104
PID 3104 wrote to memory of 4148	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	105
PID 3104 wrote to memory of 4148	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	105
PID 3104 wrote to memory of 4148	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	105
PID 3104 wrote to memory of 1928	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	106
PID 3104 wrote to memory of 1928	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	106
PID 3104 wrote to memory of 1928	3104	{8041336F-A414-43e5-98AC-7C380799AE49}.exe	106
PID 4148 wrote to memory of 1476	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	107
PID 4148 wrote to memory of 1476	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	107
PID 4148 wrote to memory of 1476	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	107
PID 4148 wrote to memory of 1972	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	108
PID 4148 wrote to memory of 1972	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	108
PID 4148 wrote to memory of 1972	4148	{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe	108
PID 1476 wrote to memory of 4616	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	110
PID 1476 wrote to memory of 4616	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	110
PID 1476 wrote to memory of 4616	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	110
PID 1476 wrote to memory of 4860	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	109
PID 1476 wrote to memory of 4860	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	109
PID 1476 wrote to memory of 4860	1476	{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe	109
PID 4616 wrote to memory of 5024	4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe	111
PID 4616 wrote to memory of 5024	4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe	111
PID 4616 wrote to memory of 5024	4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe	111
PID 4616 wrote to memory of 4784	4616	{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe	112

C:\Users\Admin\AppData\Local\Temp\3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3f1bd3c7f516afaf62ddb898002bd7c3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
  C:\Windows\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
    C:\Windows\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
      C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
        
        C:\Windows\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
        
        C:\Windows\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
        
        C:\Windows\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\{8041336F-A414-43e5-98AC-7C380799AE49}.exe
        
        C:\Windows\{8041336F-A414-43e5-98AC-7C380799AE49}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
        
        C:\Windows\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
        
        C:\Windows\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41604~1.EXE > nul
        11⤵
        
        PID:4860
        
        C:\Windows\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
        
        C:\Windows\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe
        
        C:\Windows\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\{8989814E-1A32-4961-8011-0F34715C20FD}.exe
        
        C:\Windows\{8989814E-1A32-4961-8011-0F34715C20FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785A8~1.EXE > nul
        13⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C21~1.EXE > nul
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC04~1.EXE > nul
        10⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80413~1.EXE > nul
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1381F~1.EXE > nul
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B6E~1.EXE > nul
        7⤵
        
        PID:4680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48C0D~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A75DB~1.EXE > nul
        5⤵
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{52A41~1.EXE > nul
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C68~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3F1BD3~1.EXE > nul
  2⤵
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe

Filesize
372KB

MD5
00fede686e9e41c46dbbe85c2d64abd0

SHA1
33c916d56bc9458ab90c7cdf2f4abde7f169f13b

SHA256
5e88b0c1848be24d79be4b06900eac53c24101f9cfe10a67227f634c2abb0927

SHA512
ac551a15b8964c1efaf354a68cae1cc9a899fb9c1d4e4b41d76affb75475167ad774e498951d61d021f8a24346872fd3d666b0daff83bc48fbafb9859476f5f1

Download Submit
C:\Windows\{1381F1B9-7F7B-46d6-9FA7-48D080D568F8}.exe

Filesize
372KB

MD5
00fede686e9e41c46dbbe85c2d64abd0

SHA1
33c916d56bc9458ab90c7cdf2f4abde7f169f13b

SHA256
5e88b0c1848be24d79be4b06900eac53c24101f9cfe10a67227f634c2abb0927

SHA512
ac551a15b8964c1efaf354a68cae1cc9a899fb9c1d4e4b41d76affb75475167ad774e498951d61d021f8a24346872fd3d666b0daff83bc48fbafb9859476f5f1

Download Submit
C:\Windows\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe

Filesize
372KB

MD5
4dffad3d69e71b203248fa9dee1b7a0a

SHA1
d6d54b0bcd268c4abe741eca5ceac3543e160c93

SHA256
26c557ba34a8462e2c0d8d4c15a5811594129e69afcc2c37f64e5668f52c965c

SHA512
65b8649a3aba6582f4272800103522069d1b50555ff3730485c74fc269e2849220c23baa886a8aa217021255d615e69c9f26dda78012fbddb6ff104141235e17

Download Submit
C:\Windows\{29C216AB-130F-4a20-B10E-2DC9EC7E87A5}.exe

Filesize
372KB

MD5
4dffad3d69e71b203248fa9dee1b7a0a

SHA1
d6d54b0bcd268c4abe741eca5ceac3543e160c93

SHA256
26c557ba34a8462e2c0d8d4c15a5811594129e69afcc2c37f64e5668f52c965c

SHA512
65b8649a3aba6582f4272800103522069d1b50555ff3730485c74fc269e2849220c23baa886a8aa217021255d615e69c9f26dda78012fbddb6ff104141235e17

Download Submit
C:\Windows\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe

Filesize
372KB

MD5
2c120af7db035ad5508cf6f6207f9627

SHA1
c06f2035f9e32dfd034fb9035094f8b3f4dd531f

SHA256
58be797381a3f67eae3535b1cdcc57bcbee572b3a1ba9f65997fce3a7e9c58db

SHA512
9904586ef350c6d95389daec55c70b0d775a7c2306fc5b48492d729f15403c34e0d02a0af4c9d8083463168ec9cf5db02b8ffc3c68ee8987143bdf77f82862db

Download Submit
C:\Windows\{3BC04FD0-E81C-4f92-8181-8E1B57FFB88A}.exe

Filesize
372KB

MD5
2c120af7db035ad5508cf6f6207f9627

SHA1
c06f2035f9e32dfd034fb9035094f8b3f4dd531f

SHA256
58be797381a3f67eae3535b1cdcc57bcbee572b3a1ba9f65997fce3a7e9c58db

SHA512
9904586ef350c6d95389daec55c70b0d775a7c2306fc5b48492d729f15403c34e0d02a0af4c9d8083463168ec9cf5db02b8ffc3c68ee8987143bdf77f82862db

Download Submit
C:\Windows\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe

Filesize
372KB

MD5
a59503e27332ea2b9315c68b7d826d9a

SHA1
8ee86c2579cb4ddafab80559aa4d1b093aed2e4d

SHA256
6b16fe6c297646ff6d64400a9b205435eaa8d5bfbc7986c113fc00276982d7bd

SHA512
6271ce21961f82e6c347bb1b2a4dbe2455d7659b5d4a0c2749a19349c4a6eb0506ec81ec2b06c1f8e1d13092ddbb0615a3e469728009e37a25db54544db9aeab

Download Submit
C:\Windows\{40B6E51D-B662-4b9d-B7A7-596AA31CF546}.exe

Filesize
372KB

MD5
a59503e27332ea2b9315c68b7d826d9a

SHA1
8ee86c2579cb4ddafab80559aa4d1b093aed2e4d

SHA256
6b16fe6c297646ff6d64400a9b205435eaa8d5bfbc7986c113fc00276982d7bd

SHA512
6271ce21961f82e6c347bb1b2a4dbe2455d7659b5d4a0c2749a19349c4a6eb0506ec81ec2b06c1f8e1d13092ddbb0615a3e469728009e37a25db54544db9aeab

Download Submit
C:\Windows\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe

Filesize
372KB

MD5
78abc40a0a08664c945423dd03cbb854

SHA1
262f023685c7113c928ca36b4e9ad8b813966ea4

SHA256
4e8b7373de2e6e09100458b8462821393a55e9a13b052f6c291d98668cd32e32

SHA512
45bf6dfd9e89cb4be7d70064fec05ada1e195ba5a33e344bb952cc0e466cee30bda0a53b4963d50a64418ff2d8a7501626f87fd67cf56b5b267ac51e926acd18

Download Submit
C:\Windows\{41604733-7DF1-4a4e-8EF9-B20435710EB3}.exe

Filesize
372KB

MD5
78abc40a0a08664c945423dd03cbb854

SHA1
262f023685c7113c928ca36b4e9ad8b813966ea4

SHA256
4e8b7373de2e6e09100458b8462821393a55e9a13b052f6c291d98668cd32e32

SHA512
45bf6dfd9e89cb4be7d70064fec05ada1e195ba5a33e344bb952cc0e466cee30bda0a53b4963d50a64418ff2d8a7501626f87fd67cf56b5b267ac51e926acd18

Download Submit
C:\Windows\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe

Filesize
372KB

MD5
b68a351d869a64ae6d7ed5545ab8e38a

SHA1
95c0c8e64cb9cebe8172909109ec419683ca1df0

SHA256
1046642fc7afc705ebe3fae815c2f248a85d246e647ff6e8ee61866712b9fe7a

SHA512
898aa31fbe83a4dd5aa0d9da422a8bd56075d1abb1f159132f7abd54c3805926f083ef761ecf3b94af44a1c3760cd669dd1c1234975f5c8d77fc10620c19982d

Download Submit
C:\Windows\{48C0DAD4-1C5B-4c1e-83CE-DD6CB1B215CB}.exe

Filesize
372KB

MD5
b68a351d869a64ae6d7ed5545ab8e38a

SHA1
95c0c8e64cb9cebe8172909109ec419683ca1df0

SHA256
1046642fc7afc705ebe3fae815c2f248a85d246e647ff6e8ee61866712b9fe7a

SHA512
898aa31fbe83a4dd5aa0d9da422a8bd56075d1abb1f159132f7abd54c3805926f083ef761ecf3b94af44a1c3760cd669dd1c1234975f5c8d77fc10620c19982d

Download Submit
C:\Windows\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe

Filesize
372KB

MD5
c884faf1d45bb74e7397591062470f4d

SHA1
911b944edfe4dd621298d21ed363cbb958c54ef2

SHA256
8ae9f886fcc1a452ed26850524dc94f59a3f1bd577098e7e757c384a854ab5c3

SHA512
75cb7b13b4add90b3abd436ee9ad39a2c01fdbee5630c6bd04289263cb2a2c5b17443da5609e1f46c5ab87e6cb8222c34ec5da1780999e24f31f2fc295e8b1c2

Download Submit
C:\Windows\{52A41E63-9A9A-4fdc-BACA-ACDB051EF09D}.exe

Filesize
372KB

MD5
c884faf1d45bb74e7397591062470f4d

SHA1
911b944edfe4dd621298d21ed363cbb958c54ef2

SHA256
8ae9f886fcc1a452ed26850524dc94f59a3f1bd577098e7e757c384a854ab5c3

SHA512
75cb7b13b4add90b3abd436ee9ad39a2c01fdbee5630c6bd04289263cb2a2c5b17443da5609e1f46c5ab87e6cb8222c34ec5da1780999e24f31f2fc295e8b1c2

Download Submit
C:\Windows\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe

Filesize
372KB

MD5
d4b0d57bacff95a5ec6336d5843cb35f

SHA1
755402e16f6aab0a0e81b3aaa60771cc538a7483

SHA256
35b947738686f34053f681c58cc646c73df1d6d44809703e1c12a4b1d97ccbca

SHA512
c576ab36c2224e96f7bf8d9cd8efed323cde28a730e655320850c04c37e702e8ea66c5b60f67dd36936314378210fc34d1b0c08b713e124c1faef76c2df4fcec

Download Submit
C:\Windows\{785A8EFC-4722-4b29-9DC8-77C7995F3D64}.exe

Filesize
372KB

MD5
d4b0d57bacff95a5ec6336d5843cb35f

SHA1
755402e16f6aab0a0e81b3aaa60771cc538a7483

SHA256
35b947738686f34053f681c58cc646c73df1d6d44809703e1c12a4b1d97ccbca

SHA512
c576ab36c2224e96f7bf8d9cd8efed323cde28a730e655320850c04c37e702e8ea66c5b60f67dd36936314378210fc34d1b0c08b713e124c1faef76c2df4fcec

Download Submit
C:\Windows\{8041336F-A414-43e5-98AC-7C380799AE49}.exe

Filesize
372KB

MD5
19662f7ed6a04bf6172e44732775eabb

SHA1
13a6e97bdce725c29840e937574d853537891b94

SHA256
95ff3a4079f4858672740fe2bfdcaf9ba349e81dc005678cc98331c5bad2fd8a

SHA512
85891c8adc82d0f7b9273608ed39cb15283efe99add944c655a908372854451b815fca0d7f2de0840cdb46424ce2b53315bf1435fcf9d0d84eb5a83ee54998e8

Download Submit
C:\Windows\{8041336F-A414-43e5-98AC-7C380799AE49}.exe

Filesize
372KB

MD5
19662f7ed6a04bf6172e44732775eabb

SHA1
13a6e97bdce725c29840e937574d853537891b94

SHA256
95ff3a4079f4858672740fe2bfdcaf9ba349e81dc005678cc98331c5bad2fd8a

SHA512
85891c8adc82d0f7b9273608ed39cb15283efe99add944c655a908372854451b815fca0d7f2de0840cdb46424ce2b53315bf1435fcf9d0d84eb5a83ee54998e8

Download Submit
C:\Windows\{8989814E-1A32-4961-8011-0F34715C20FD}.exe

Filesize
372KB

MD5
d8f57323de5516545bcbf96039fae379

SHA1
d6ce649bf10c9f1eb1387e26fcbf308cb9c33fdf

SHA256
46d195872407541ab58479608e88011803a3a268126f6dc661f99f9b1b993a21

SHA512
eae69852d8fb40bad0d1aed23189396e87cc001a1e662919e7045b5d84c3fd60c120faaea531bd803d061d4d41788be12ebd8e4b65a6766944dddf4c9760dc05

Download Submit
C:\Windows\{8989814E-1A32-4961-8011-0F34715C20FD}.exe

Filesize
372KB

MD5
d8f57323de5516545bcbf96039fae379

SHA1
d6ce649bf10c9f1eb1387e26fcbf308cb9c33fdf

SHA256
46d195872407541ab58479608e88011803a3a268126f6dc661f99f9b1b993a21

SHA512
eae69852d8fb40bad0d1aed23189396e87cc001a1e662919e7045b5d84c3fd60c120faaea531bd803d061d4d41788be12ebd8e4b65a6766944dddf4c9760dc05

Download Submit
C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe

Filesize
372KB

MD5
d7be66a24c8e2f3b6e418687103bd0a6

SHA1
ba398f8ca8b9598ed41316213595a0a7b7e4ba38

SHA256
55d9a0286a6b11deb88459740fe719f4e4dba25b0685f4699322397d6745461a

SHA512
88e7dff0f38c069d78f52cdd5e12957a1360b2b5898fd3e31d4f0099f525d6e1c0166196d5bf39103f05a695675ba85df8359343eed970534112968287f72215

Download Submit
C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe

Filesize
372KB

MD5
d7be66a24c8e2f3b6e418687103bd0a6

SHA1
ba398f8ca8b9598ed41316213595a0a7b7e4ba38

SHA256
55d9a0286a6b11deb88459740fe719f4e4dba25b0685f4699322397d6745461a

SHA512
88e7dff0f38c069d78f52cdd5e12957a1360b2b5898fd3e31d4f0099f525d6e1c0166196d5bf39103f05a695675ba85df8359343eed970534112968287f72215

Download Submit
C:\Windows\{A75DBF3A-AFEF-4d8b-B7B1-F5F332C1AE1A}.exe

Filesize
372KB

MD5
d7be66a24c8e2f3b6e418687103bd0a6

SHA1
ba398f8ca8b9598ed41316213595a0a7b7e4ba38

SHA256
55d9a0286a6b11deb88459740fe719f4e4dba25b0685f4699322397d6745461a

SHA512
88e7dff0f38c069d78f52cdd5e12957a1360b2b5898fd3e31d4f0099f525d6e1c0166196d5bf39103f05a695675ba85df8359343eed970534112968287f72215

Download Submit
C:\Windows\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe

Filesize
372KB

MD5
df06c82ebfd0bc0faf3f2433f7fbd361

SHA1
ae064dfde03d58cfee31b8680bea7181a9c87d10

SHA256
4515639eba198a76d927f8c5d7b35e0f6b2d8773fb3404dd41ccd18bf340e221

SHA512
d260de2935a85662ecdb7bfaee0e8b2aa17efa2b63d2537322ac1243c6e2ff76895f72515bfbd55ea1c99ce6aae3ad174c0623e0e0f45926136a856a221e9c68

Download Submit
C:\Windows\{E2C6823F-F80F-4cf5-B622-2C483B3DCAC4}.exe

Filesize
372KB

MD5
df06c82ebfd0bc0faf3f2433f7fbd361

SHA1
ae064dfde03d58cfee31b8680bea7181a9c87d10

SHA256
4515639eba198a76d927f8c5d7b35e0f6b2d8773fb3404dd41ccd18bf340e221

SHA512
d260de2935a85662ecdb7bfaee0e8b2aa17efa2b63d2537322ac1243c6e2ff76895f72515bfbd55ea1c99ce6aae3ad174c0623e0e0f45926136a856a221e9c68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads