0f3633c88981194c09a704a955e1ee4d4c9ee7b5c6547f546833bfb724fff679

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
Size

408KB
MD5

672707dbc0c79114cd80b2814aab64b8
SHA1

86c6ee155be50deb4d88f99f24ddd9eaa8f47a9f
SHA256

0f3633c88981194c09a704a955e1ee4d4c9ee7b5c6547f546833bfb724fff679
SHA512

2bbec7b0dd161b12c2ba8f10618d9344c9c375eadf8f2e095f63a6be8bfc541283f357d1f0fac0b5323cb6ad34d109a78996f96872adc0bb8d0ec6ade1346bf7
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGrldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF57810B-F159-43c3-8B5B-8703E159422C}	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF57810B-F159-43c3-8B5B-8703E159422C}\stubpath = "C:\\Windows\\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe"	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}\stubpath = "C:\\Windows\\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe"	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06BC031-4314-4fd1-8BB5-750B26388244}	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA452F4-586B-4b96-A787-6F6517C1C941}	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA452F4-586B-4b96-A787-6F6517C1C941}\stubpath = "C:\\Windows\\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe"	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}\stubpath = "C:\\Windows\\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe"	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}\stubpath = "C:\\Windows\\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe"	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CDEB79A-A02D-498e-B7D7-57461185F061}\stubpath = "C:\\Windows\\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe"	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}\stubpath = "C:\\Windows\\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe"	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}\stubpath = "C:\\Windows\\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe"	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06BC031-4314-4fd1-8BB5-750B26388244}\stubpath = "C:\\Windows\\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe"	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CDEB79A-A02D-498e-B7D7-57461185F061}	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}	{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}\stubpath = "C:\\Windows\\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe"	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}\stubpath = "C:\\Windows\\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe"	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}\stubpath = "C:\\Windows\\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe"	{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
2676	{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
4636	{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
File created	C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
File created	C:\Windows\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
File created	C:\Windows\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
File created	C:\Windows\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
File created	C:\Windows\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
File created	C:\Windows\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe	{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
File created	C:\Windows\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
File created	C:\Windows\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
File created	C:\Windows\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
File created	C:\Windows\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
File created	C:\Windows\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
Token: SeIncBasePriorityPrivilege	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
Token: SeIncBasePriorityPrivilege	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
Token: SeIncBasePriorityPrivilege	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
Token: SeIncBasePriorityPrivilege	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
Token: SeIncBasePriorityPrivilege	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
Token: SeIncBasePriorityPrivilege	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
Token: SeIncBasePriorityPrivilege	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
Token: SeIncBasePriorityPrivilege	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
Token: SeIncBasePriorityPrivilege	784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
Token: SeIncBasePriorityPrivilege	2676	{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4952	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	88
PID 1280 wrote to memory of 4952	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	88
PID 1280 wrote to memory of 4952	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	88
PID 1280 wrote to memory of 1556	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	89
PID 1280 wrote to memory of 1556	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	89
PID 1280 wrote to memory of 1556	1280	672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe	89
PID 4952 wrote to memory of 3380	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	90
PID 4952 wrote to memory of 3380	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	90
PID 4952 wrote to memory of 3380	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	90
PID 4952 wrote to memory of 5072	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	91
PID 4952 wrote to memory of 5072	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	91
PID 4952 wrote to memory of 5072	4952	{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe	91
PID 3380 wrote to memory of 2232	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	94
PID 3380 wrote to memory of 2232	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	94
PID 3380 wrote to memory of 2232	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	94
PID 3380 wrote to memory of 3864	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	93
PID 3380 wrote to memory of 3864	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	93
PID 3380 wrote to memory of 3864	3380	{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe	93
PID 2232 wrote to memory of 1612	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	95
PID 2232 wrote to memory of 1612	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	95
PID 2232 wrote to memory of 1612	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	95
PID 2232 wrote to memory of 3216	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	96
PID 2232 wrote to memory of 3216	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	96
PID 2232 wrote to memory of 3216	2232	{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe	96
PID 1612 wrote to memory of 2040	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	97
PID 1612 wrote to memory of 2040	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	97
PID 1612 wrote to memory of 2040	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	97
PID 1612 wrote to memory of 3788	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	98
PID 1612 wrote to memory of 3788	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	98
PID 1612 wrote to memory of 3788	1612	{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe	98
PID 2040 wrote to memory of 3176	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	99
PID 2040 wrote to memory of 3176	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	99
PID 2040 wrote to memory of 3176	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	99
PID 2040 wrote to memory of 2236	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	100
PID 2040 wrote to memory of 2236	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	100
PID 2040 wrote to memory of 2236	2040	{F06BC031-4314-4fd1-8BB5-750B26388244}.exe	100
PID 3176 wrote to memory of 4956	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	101
PID 3176 wrote to memory of 4956	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	101
PID 3176 wrote to memory of 4956	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	101
PID 3176 wrote to memory of 2812	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	102
PID 3176 wrote to memory of 2812	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	102
PID 3176 wrote to memory of 2812	3176	{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe	102
PID 4956 wrote to memory of 4408	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	103
PID 4956 wrote to memory of 4408	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	103
PID 4956 wrote to memory of 4408	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	103
PID 4956 wrote to memory of 1172	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	104
PID 4956 wrote to memory of 1172	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	104
PID 4956 wrote to memory of 1172	4956	{AF57810B-F159-43c3-8B5B-8703E159422C}.exe	104
PID 4408 wrote to memory of 1880	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	105
PID 4408 wrote to memory of 1880	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	105
PID 4408 wrote to memory of 1880	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	105
PID 4408 wrote to memory of 4284	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	106
PID 4408 wrote to memory of 4284	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	106
PID 4408 wrote to memory of 4284	4408	{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe	106
PID 1880 wrote to memory of 784	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	107
PID 1880 wrote to memory of 784	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	107
PID 1880 wrote to memory of 784	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	107
PID 1880 wrote to memory of 3008	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	108
PID 1880 wrote to memory of 3008	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	108
PID 1880 wrote to memory of 3008	1880	{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe	108
PID 784 wrote to memory of 2676	784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe	109
PID 784 wrote to memory of 2676	784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe	109
PID 784 wrote to memory of 2676	784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe	109
PID 784 wrote to memory of 4728	784	{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe	110

C:\Users\Admin\AppData\Local\Temp\672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\672707dbc0c79114cd80b2814aab64b8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
  C:\Windows\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
    C:\Windows\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61086~1.EXE > nul
      4⤵
      PID:3864
  - - C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
      C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
        
        C:\Windows\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
        
        C:\Windows\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
        
        C:\Windows\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
        
        C:\Windows\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
        
        C:\Windows\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
        
        C:\Windows\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
        
        C:\Windows\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
        
        C:\Windows\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe
        
        C:\Windows\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe
        13⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CDEB~1.EXE > nul
        13⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2110C~1.EXE > nul
        12⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC8B4~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78358~1.EXE > nul
        10⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF578~1.EXE > nul
        9⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EA45~1.EXE > nul
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F06BC~1.EXE > nul
        7⤵
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ED1A~1.EXE > nul
        6⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78A4C~1.EXE > nul
        5⤵
        
        PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F3C~1.EXE > nul
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\672707~1.EXE > nul
  2⤵
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe

Filesize
408KB

MD5
34537a50d52d79a041a5c2dceba1199f

SHA1
618f8138e39cc21cd57866ee16dd287d10bb4cd4

SHA256
7ce0b25a1a7b67cdd66532c4721ef0a97aea7aed574a9d92a1c7491a20acf0b4

SHA512
dd4608db0fa655b592ba437467f033febcff334089546a7e6df240dcaed8680a6819725bbed36b54ba8dfe87e3dcaaf647eea481ffc047c9902b37a735478d43

Download Submit
C:\Windows\{2110CB54-5359-45a7-898A-5CB9FC7C55A4}.exe

Filesize
408KB

MD5
34537a50d52d79a041a5c2dceba1199f

SHA1
618f8138e39cc21cd57866ee16dd287d10bb4cd4

SHA256
7ce0b25a1a7b67cdd66532c4721ef0a97aea7aed574a9d92a1c7491a20acf0b4

SHA512
dd4608db0fa655b592ba437467f033febcff334089546a7e6df240dcaed8680a6819725bbed36b54ba8dfe87e3dcaaf647eea481ffc047c9902b37a735478d43

Download Submit
C:\Windows\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe

Filesize
408KB

MD5
78d1de06ce7424d4dc31fb005e18ee8d

SHA1
fc75e8f76a1f31dfa43323e44b51784e169f04cf

SHA256
7b822c7f1072476c62976aed8981afce3e9731de0691575e703e183d81e1a2ed

SHA512
bdd20570d8322ab2df28a1b1b3667960e9182425e27ec093f82b2d91bcc569491ae6af852318a5942638d4ef6af3ce308acd63c1e0fdbb81c6d0352734353edd

Download Submit
C:\Windows\{2EA452F4-586B-4b96-A787-6F6517C1C941}.exe

Filesize
408KB

MD5
78d1de06ce7424d4dc31fb005e18ee8d

SHA1
fc75e8f76a1f31dfa43323e44b51784e169f04cf

SHA256
7b822c7f1072476c62976aed8981afce3e9731de0691575e703e183d81e1a2ed

SHA512
bdd20570d8322ab2df28a1b1b3667960e9182425e27ec093f82b2d91bcc569491ae6af852318a5942638d4ef6af3ce308acd63c1e0fdbb81c6d0352734353edd

Download Submit
C:\Windows\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe

Filesize
408KB

MD5
4d3641be44a3fcc05fb7e8cce6db0163

SHA1
36aaddbae2b423183c100a398360d7155638446f

SHA256
1668b20c18ba070ffba05bf47ca6099e94b23665e868e0abbb0b17cea374fdd3

SHA512
0c7c4ea0931abe147ba1136f62c53b08c1f7ec73845f6f1dbc169e37e05d88885ff4912939a1e73e025e40bc5ced46e6109394e24a8dc02f0cead143b1d501b3

Download Submit
C:\Windows\{5CDEB79A-A02D-498e-B7D7-57461185F061}.exe

Filesize
408KB

MD5
4d3641be44a3fcc05fb7e8cce6db0163

SHA1
36aaddbae2b423183c100a398360d7155638446f

SHA256
1668b20c18ba070ffba05bf47ca6099e94b23665e868e0abbb0b17cea374fdd3

SHA512
0c7c4ea0931abe147ba1136f62c53b08c1f7ec73845f6f1dbc169e37e05d88885ff4912939a1e73e025e40bc5ced46e6109394e24a8dc02f0cead143b1d501b3

Download Submit
C:\Windows\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe

Filesize
408KB

MD5
96d693d6b35b8d90306e7358e771476d

SHA1
136fb39e88afe57a4493f46ad7bbd351c92b8078

SHA256
d0d7a9230f36e06f7aba400c591e7d8430646a96a66ab9797d424a362f5ae055

SHA512
79b35449f1a7ca69544e84aa53904ab5cf9563542832682ed2e65b1079449a2e00b3f7064617b74c8a6d9195239bc4c72d5326b0a6941d13183a9633b193999e

Download Submit
C:\Windows\{6108620D-1D51-47bf-A9C4-C0A9A9D8D0F1}.exe

Filesize
408KB

MD5
96d693d6b35b8d90306e7358e771476d

SHA1
136fb39e88afe57a4493f46ad7bbd351c92b8078

SHA256
d0d7a9230f36e06f7aba400c591e7d8430646a96a66ab9797d424a362f5ae055

SHA512
79b35449f1a7ca69544e84aa53904ab5cf9563542832682ed2e65b1079449a2e00b3f7064617b74c8a6d9195239bc4c72d5326b0a6941d13183a9633b193999e

Download Submit
C:\Windows\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe

Filesize
408KB

MD5
3924781fa8813e891679d162e8d3c61e

SHA1
2462bbc35b2cbd85d3e3b7549d8b68f0800ac2b4

SHA256
fce7b29b2a7c012f6555b3c4189f06936768c1bed6e87f9451099124ce923a67

SHA512
6843a67fa81a8152a7052218f1dd5a76511a94f5e1220ecd682b26cc8b6bf39965bf86aeec8ef965d7c42d6584edf6900830b1140f528801464be46799a135e3

Download Submit
C:\Windows\{7835833A-EBBE-45e6-9B33-AE81F6E499D4}.exe

Filesize
408KB

MD5
3924781fa8813e891679d162e8d3c61e

SHA1
2462bbc35b2cbd85d3e3b7549d8b68f0800ac2b4

SHA256
fce7b29b2a7c012f6555b3c4189f06936768c1bed6e87f9451099124ce923a67

SHA512
6843a67fa81a8152a7052218f1dd5a76511a94f5e1220ecd682b26cc8b6bf39965bf86aeec8ef965d7c42d6584edf6900830b1140f528801464be46799a135e3

Download Submit
C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe

Filesize
408KB

MD5
9651372091d887081d30c08c5c3f805f

SHA1
6d4866bed0c4e4d5e775458f8e926853aeb26dcd

SHA256
ccb0e1b12ea565a78934e3d47bfec0ca757700673b91475f331d8c80d6f72ed8

SHA512
5201d5caf0ccd3427005a778394170e5533dd22064bb3c2f834ff8c31ddab8ca9235d6f883ecbdf20239b2af282f34a0020c43b5d1cc7928fab1953ffb26bea6

Download Submit
C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe

Filesize
408KB

MD5
9651372091d887081d30c08c5c3f805f

SHA1
6d4866bed0c4e4d5e775458f8e926853aeb26dcd

SHA256
ccb0e1b12ea565a78934e3d47bfec0ca757700673b91475f331d8c80d6f72ed8

SHA512
5201d5caf0ccd3427005a778394170e5533dd22064bb3c2f834ff8c31ddab8ca9235d6f883ecbdf20239b2af282f34a0020c43b5d1cc7928fab1953ffb26bea6

Download Submit
C:\Windows\{78A4CE0B-05DF-4bc4-9B5A-946998833CE5}.exe

Filesize
408KB

MD5
9651372091d887081d30c08c5c3f805f

SHA1
6d4866bed0c4e4d5e775458f8e926853aeb26dcd

SHA256
ccb0e1b12ea565a78934e3d47bfec0ca757700673b91475f331d8c80d6f72ed8

SHA512
5201d5caf0ccd3427005a778394170e5533dd22064bb3c2f834ff8c31ddab8ca9235d6f883ecbdf20239b2af282f34a0020c43b5d1cc7928fab1953ffb26bea6

Download Submit
C:\Windows\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe

Filesize
408KB

MD5
1d38dc87027338ac29a2df311be5efe9

SHA1
40e01d68379863330f7d0aefb91c4b7e47a53d64

SHA256
1e81e0ceab48a429d8bf073fb7254f58c392386e7b3ae667004b2e13763e38fe

SHA512
05dfdf5de029ae1b5b179993f8bfc01bc341227f4588f190b424d7f685bae242ec0a910f5831fb6c5e5622b5f227e08db45915471ccfedd4bb26207f38383cac

Download Submit
C:\Windows\{7ED1AF96-9490-41c8-A721-EA5E7D98A0F0}.exe

Filesize
408KB

MD5
1d38dc87027338ac29a2df311be5efe9

SHA1
40e01d68379863330f7d0aefb91c4b7e47a53d64

SHA256
1e81e0ceab48a429d8bf073fb7254f58c392386e7b3ae667004b2e13763e38fe

SHA512
05dfdf5de029ae1b5b179993f8bfc01bc341227f4588f190b424d7f685bae242ec0a910f5831fb6c5e5622b5f227e08db45915471ccfedd4bb26207f38383cac

Download Submit
C:\Windows\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe

Filesize
408KB

MD5
b4eeb21d5b360f43a7ddda2ebb0a213a

SHA1
ad91b7b5673d0885742864797d09b7c654594798

SHA256
3388104938ea7f819a609e7580ab55fc845cc239f331684b137a4e40fea37569

SHA512
540900b35818af0f1a3093d4665eeeda711886ea535d7a50ae1def7b7b774484bc595538d90bbe23c8a34e5bda4892fe58eefb937dcee24804711586d8a4a9c2

Download Submit
C:\Windows\{AC8B4B83-28B5-4e53-9D7D-5BB9E42175FF}.exe

Filesize
408KB

MD5
b4eeb21d5b360f43a7ddda2ebb0a213a

SHA1
ad91b7b5673d0885742864797d09b7c654594798

SHA256
3388104938ea7f819a609e7580ab55fc845cc239f331684b137a4e40fea37569

SHA512
540900b35818af0f1a3093d4665eeeda711886ea535d7a50ae1def7b7b774484bc595538d90bbe23c8a34e5bda4892fe58eefb937dcee24804711586d8a4a9c2

Download Submit
C:\Windows\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe

Filesize
408KB

MD5
2c6bd184420aed5d2b3873fcaebbfcec

SHA1
a502439f46666a55a888d0f85b7234094ecd1703

SHA256
95fc711f58debc671f184b5240d04cd48645672c485a1c90c369671861f0887b

SHA512
ab12d96cbc5119b7063b172e32f1fff826307f208ff2871c8dc63c75e8da786bedc80239541b747c3418e157e5a3fa8075e9a5bdd670c211842134ec585747c2

Download Submit
C:\Windows\{AF57810B-F159-43c3-8B5B-8703E159422C}.exe

Filesize
408KB

MD5
2c6bd184420aed5d2b3873fcaebbfcec

SHA1
a502439f46666a55a888d0f85b7234094ecd1703

SHA256
95fc711f58debc671f184b5240d04cd48645672c485a1c90c369671861f0887b

SHA512
ab12d96cbc5119b7063b172e32f1fff826307f208ff2871c8dc63c75e8da786bedc80239541b747c3418e157e5a3fa8075e9a5bdd670c211842134ec585747c2

Download Submit
C:\Windows\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe

Filesize
408KB

MD5
3bb222c7d574e65bfd198271abcc23da

SHA1
d96bb8e85e077f2d19baa4778369bf25e1722176

SHA256
5a62b53aedb63e770e6ed9323fa15ff3efa0441d68b909403e4d2e85f55ce333

SHA512
aba85ce40041b432005f58ce61d879b1d06d3d5cab549fb35bf9c7faf96928ebc29dcfb781ee13a9799c47ea3654eece77443aa53219f4fc59c702ed69104b04

Download Submit
C:\Windows\{E0F3CD98-CBB5-4c08-AAE9-2AD88AEFB37E}.exe

Filesize
408KB

MD5
3bb222c7d574e65bfd198271abcc23da

SHA1
d96bb8e85e077f2d19baa4778369bf25e1722176

SHA256
5a62b53aedb63e770e6ed9323fa15ff3efa0441d68b909403e4d2e85f55ce333

SHA512
aba85ce40041b432005f58ce61d879b1d06d3d5cab549fb35bf9c7faf96928ebc29dcfb781ee13a9799c47ea3654eece77443aa53219f4fc59c702ed69104b04

Download Submit
C:\Windows\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe

Filesize
408KB

MD5
dd560e565ed270f988c51780f0c7a41a

SHA1
393e3f16bbae4a3e995e8e8a7a12b772cde0e85b

SHA256
4d06974e3015d9593d0ec8f9a273a607caab7ef1e2a9d88575b750137b736ed3

SHA512
399a3e16f21462b19213495abcbd46ee99e9e987d3408bd383830ad986f22e8b6407ddf3adf1c3038386fdc3acb2f710e8a736167c2ba86f59d3131b52f71dcd

Download Submit
C:\Windows\{F06BC031-4314-4fd1-8BB5-750B26388244}.exe

Filesize
408KB

MD5
dd560e565ed270f988c51780f0c7a41a

SHA1
393e3f16bbae4a3e995e8e8a7a12b772cde0e85b

SHA256
4d06974e3015d9593d0ec8f9a273a607caab7ef1e2a9d88575b750137b736ed3

SHA512
399a3e16f21462b19213495abcbd46ee99e9e987d3408bd383830ad986f22e8b6407ddf3adf1c3038386fdc3acb2f710e8a736167c2ba86f59d3131b52f71dcd

Download Submit
C:\Windows\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe

Filesize
408KB

MD5
7d0cd9b7263b12653b93a99810a6fd10

SHA1
3b874bdecbff6ff8876742eb703b0c16f5474485

SHA256
af5ca29dc08f5a906da9507328f442522a69371da834f31ecbf46bc35015c6b8

SHA512
60df48983256091cef670cd03d44214b7bddb7da8b51245799f8b8c7e5bb8b7781cb8a58b6bdc1fef6002213d9323dcb2f6ca8b19f32eb2994377886b2a962a2

Download Submit
C:\Windows\{F5FD4F77-6D10-4d48-8816-3AA1A9838F63}.exe

Filesize
408KB

MD5
7d0cd9b7263b12653b93a99810a6fd10

SHA1
3b874bdecbff6ff8876742eb703b0c16f5474485

SHA256
af5ca29dc08f5a906da9507328f442522a69371da834f31ecbf46bc35015c6b8

SHA512
60df48983256091cef670cd03d44214b7bddb7da8b51245799f8b8c7e5bb8b7781cb8a58b6bdc1fef6002213d9323dcb2f6ca8b19f32eb2994377886b2a962a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads