9104762c3497d386fafdc44983db7f043cb002e60e97b81c96ffcc547a913e46

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Size

192KB
MD5

7a83ff093fbf1692c5ada43f993d272c
SHA1

d724cc05d90bc1a3df54266190e5fe798b0a9fad
SHA256

9104762c3497d386fafdc44983db7f043cb002e60e97b81c96ffcc547a913e46
SHA512

12028ebcc360fa40fb515124a06dc197aa9689a9c5fdd97dfb57140e674009b61a0e8d2e0c5ae23d57818c396d1d69a5fff830503ef1832ccd7df08466fa4b2d
SSDEEP

1536:1EGh0o2l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o2l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}\stubpath = "C:\\Windows\\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe"	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}\stubpath = "C:\\Windows\\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe"	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}\stubpath = "C:\\Windows\\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe"	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D225004-0BCD-4cd8-92D8-60035205379D}\stubpath = "C:\\Windows\\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe"	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}\stubpath = "C:\\Windows\\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe"	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B198A-5BAF-4703-A40B-A3A788BCD813}\stubpath = "C:\\Windows\\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe"	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}\stubpath = "C:\\Windows\\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe"	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}\stubpath = "C:\\Windows\\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe"	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}\stubpath = "C:\\Windows\\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe"	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D225004-0BCD-4cd8-92D8-60035205379D}	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}\stubpath = "C:\\Windows\\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe"	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}\stubpath = "C:\\Windows\\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe"	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B198A-5BAF-4703-A40B-A3A788BCD813}	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe

Executes dropped EXE 11 IoCs

pid	Process
3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
4444	{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
File created	C:\Windows\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
File created	C:\Windows\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
File created	C:\Windows\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
File created	C:\Windows\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
File created	C:\Windows\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
File created	C:\Windows\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
File created	C:\Windows\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
File created	C:\Windows\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
File created	C:\Windows\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
File created	C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
Token: SeIncBasePriorityPrivilege	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
Token: SeIncBasePriorityPrivilege	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
Token: SeIncBasePriorityPrivilege	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
Token: SeIncBasePriorityPrivilege	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
Token: SeIncBasePriorityPrivilege	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
Token: SeIncBasePriorityPrivilege	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
Token: SeIncBasePriorityPrivilege	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
Token: SeIncBasePriorityPrivilege	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
Token: SeIncBasePriorityPrivilege	4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3580	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	88
PID 2792 wrote to memory of 3580	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	88
PID 2792 wrote to memory of 3580	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	88
PID 2792 wrote to memory of 732	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	89
PID 2792 wrote to memory of 732	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	89
PID 2792 wrote to memory of 732	2792	7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe	89
PID 3580 wrote to memory of 4656	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	91
PID 3580 wrote to memory of 4656	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	91
PID 3580 wrote to memory of 4656	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	91
PID 3580 wrote to memory of 4672	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	92
PID 3580 wrote to memory of 4672	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	92
PID 3580 wrote to memory of 4672	3580	{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe	92
PID 4656 wrote to memory of 548	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	93
PID 4656 wrote to memory of 548	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	93
PID 4656 wrote to memory of 548	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	93
PID 4656 wrote to memory of 4412	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	94
PID 4656 wrote to memory of 4412	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	94
PID 4656 wrote to memory of 4412	4656	{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe	94
PID 548 wrote to memory of 3824	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	95
PID 548 wrote to memory of 3824	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	95
PID 548 wrote to memory of 3824	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	95
PID 548 wrote to memory of 684	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	96
PID 548 wrote to memory of 684	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	96
PID 548 wrote to memory of 684	548	{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe	96
PID 3824 wrote to memory of 4692	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	97
PID 3824 wrote to memory of 4692	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	97
PID 3824 wrote to memory of 4692	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	97
PID 3824 wrote to memory of 3392	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	98
PID 3824 wrote to memory of 3392	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	98
PID 3824 wrote to memory of 3392	3824	{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe	98
PID 4692 wrote to memory of 3664	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	99
PID 4692 wrote to memory of 3664	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	99
PID 4692 wrote to memory of 3664	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	99
PID 4692 wrote to memory of 2912	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	100
PID 4692 wrote to memory of 2912	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	100
PID 4692 wrote to memory of 2912	4692	{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe	100
PID 3664 wrote to memory of 1740	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	101
PID 3664 wrote to memory of 1740	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	101
PID 3664 wrote to memory of 1740	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	101
PID 3664 wrote to memory of 3148	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	102
PID 3664 wrote to memory of 3148	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	102
PID 3664 wrote to memory of 3148	3664	{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe	102
PID 1740 wrote to memory of 544	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	103
PID 1740 wrote to memory of 544	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	103
PID 1740 wrote to memory of 544	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	103
PID 1740 wrote to memory of 4924	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	104
PID 1740 wrote to memory of 4924	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	104
PID 1740 wrote to memory of 4924	1740	{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe	104
PID 544 wrote to memory of 4124	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	105
PID 544 wrote to memory of 4124	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	105
PID 544 wrote to memory of 4124	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	105
PID 544 wrote to memory of 4232	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	106
PID 544 wrote to memory of 4232	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	106
PID 544 wrote to memory of 4232	544	{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe	106
PID 4124 wrote to memory of 4396	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	107
PID 4124 wrote to memory of 4396	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	107
PID 4124 wrote to memory of 4396	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	107
PID 4124 wrote to memory of 4028	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	108
PID 4124 wrote to memory of 4028	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	108
PID 4124 wrote to memory of 4028	4124	{4D225004-0BCD-4cd8-92D8-60035205379D}.exe	108
PID 4396 wrote to memory of 4444	4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe	109
PID 4396 wrote to memory of 4444	4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe	109
PID 4396 wrote to memory of 4444	4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe	109
PID 4396 wrote to memory of 4428	4396	{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe	110

C:\Users\Admin\AppData\Local\Temp\7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7a83ff093fbf1692c5ada43f993d272c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
  C:\Windows\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
    C:\Windows\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
      C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
        
        C:\Windows\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
        
        C:\Windows\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
        
        C:\Windows\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
        
        C:\Windows\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
        
        C:\Windows\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
        
        C:\Windows\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
        
        C:\Windows\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe
        
        C:\Windows\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe
        12⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D02E9~1.EXE > nul
        12⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D225~1.EXE > nul
        11⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A899~1.EXE > nul
        10⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54BC9~1.EXE > nul
        9⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD20F~1.EXE > nul
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF08~1.EXE > nul
        7⤵
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21B1~1.EXE > nul
        6⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D61F6~1.EXE > nul
        5⤵
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D428~1.EXE > nul
      4⤵
      PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A10D~1.EXE > nul
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7A83FF~1.EXE > nul
  2⤵
  PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe

Filesize
192KB

MD5
43bd00ecf419b9b1148df046f9efc910

SHA1
f303f814b53939d78d3692c562f79750f7c41556

SHA256
8c47017b70d4dc6185ee6f7c9d369540adc17c9b0f4dde819afb745d8b01a827

SHA512
791d2c168e5f6a448bcde42102def4a3b68ab111540adec616391337faccec99da5cce647d85e222b094e8647f3f10df4299a72f15252cf5bc3ebdf5e5ffd91d

Download Submit
C:\Windows\{3A899F25-DE13-4b60-8CB1-7CA2A061DC9A}.exe

Filesize
192KB

MD5
43bd00ecf419b9b1148df046f9efc910

SHA1
f303f814b53939d78d3692c562f79750f7c41556

SHA256
8c47017b70d4dc6185ee6f7c9d369540adc17c9b0f4dde819afb745d8b01a827

SHA512
791d2c168e5f6a448bcde42102def4a3b68ab111540adec616391337faccec99da5cce647d85e222b094e8647f3f10df4299a72f15252cf5bc3ebdf5e5ffd91d

Download Submit
C:\Windows\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe

Filesize
192KB

MD5
0872b3592d8e5740a2ce92a3aa2e420b

SHA1
1384243240a5e7362c8ccb3ff38f06a8a68f70d8

SHA256
2dee7ea02377a257deefaf7c3edd6c9b4d321a6dd190c6b4bd3e6cd90c9ce13c

SHA512
4565765cf7ce589bd5cd4e0ee5ef2a9aba7fafef9407036e60385829b05f4a63812b066e533055454cc9b98c1e6578539b1992b2c7e7608ae503fd4c787b8394

Download Submit
C:\Windows\{4D225004-0BCD-4cd8-92D8-60035205379D}.exe

Filesize
192KB

MD5
0872b3592d8e5740a2ce92a3aa2e420b

SHA1
1384243240a5e7362c8ccb3ff38f06a8a68f70d8

SHA256
2dee7ea02377a257deefaf7c3edd6c9b4d321a6dd190c6b4bd3e6cd90c9ce13c

SHA512
4565765cf7ce589bd5cd4e0ee5ef2a9aba7fafef9407036e60385829b05f4a63812b066e533055454cc9b98c1e6578539b1992b2c7e7608ae503fd4c787b8394

Download Submit
C:\Windows\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe

Filesize
192KB

MD5
9edf32d89b1d68fa4b60972e659d0314

SHA1
d49aa507e4d34234b3a84c7ed2da1adfe11de928

SHA256
b8124daaf5a4897bfeab259ee77e2d420796606fdb3257a77f80efc5ca01451f

SHA512
0cfcf4bb469a1c3b06f8841a493853d27164695893a3b01f670b1a8bf8a3fa4fb439f271cd96e878b476522b598594569c74b60e472fab61f9b6c4450376e403

Download Submit
C:\Windows\{4D4281E7-381B-4faf-BF6B-709EFCDEC75E}.exe

Filesize
192KB

MD5
9edf32d89b1d68fa4b60972e659d0314

SHA1
d49aa507e4d34234b3a84c7ed2da1adfe11de928

SHA256
b8124daaf5a4897bfeab259ee77e2d420796606fdb3257a77f80efc5ca01451f

SHA512
0cfcf4bb469a1c3b06f8841a493853d27164695893a3b01f670b1a8bf8a3fa4fb439f271cd96e878b476522b598594569c74b60e472fab61f9b6c4450376e403

Download Submit
C:\Windows\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe

Filesize
192KB

MD5
cf94822f7b54f2929974d4e55b2a61c6

SHA1
acf6fc9262cc7f52d596c99f1edbfd55d05b5b57

SHA256
57a763138c5d10be3a99d16e11e0cbf6f6c48341c948d6ba4bcaa7c4740763a5

SHA512
c52198a8592979ead6a7dc3d2854ee3c0e34ae37f946994cce34f1600fb914497a7ab38d85b57312f674cd6f6b7c9a1275892527117f025292e43dd594fdaacc

Download Submit
C:\Windows\{54BC9EC6-4EE9-43b2-BE8B-7EF7AC89B4AB}.exe

Filesize
192KB

MD5
cf94822f7b54f2929974d4e55b2a61c6

SHA1
acf6fc9262cc7f52d596c99f1edbfd55d05b5b57

SHA256
57a763138c5d10be3a99d16e11e0cbf6f6c48341c948d6ba4bcaa7c4740763a5

SHA512
c52198a8592979ead6a7dc3d2854ee3c0e34ae37f946994cce34f1600fb914497a7ab38d85b57312f674cd6f6b7c9a1275892527117f025292e43dd594fdaacc

Download Submit
C:\Windows\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe

Filesize
192KB

MD5
b18a61c480c59d49600681f1c701932e

SHA1
d1c8734e6e71fe6c7670bf0a78b5f45e341d7d41

SHA256
3ff73ef9d7d12ed45caf62631b018bb77621e4a90fd5d533c624c9b78dec6770

SHA512
f93daf8c4e1359895b92687739ffdafee134a7f4ad129aa9546d229e69e5b7c4f0be5cd61619c536c10a63f0fd7492a87f7b209a2007f2c75c0eb3e4b7426ccf

Download Submit
C:\Windows\{7A10D3AA-DE77-4a2e-AA21-305C874E3195}.exe

Filesize
192KB

MD5
b18a61c480c59d49600681f1c701932e

SHA1
d1c8734e6e71fe6c7670bf0a78b5f45e341d7d41

SHA256
3ff73ef9d7d12ed45caf62631b018bb77621e4a90fd5d533c624c9b78dec6770

SHA512
f93daf8c4e1359895b92687739ffdafee134a7f4ad129aa9546d229e69e5b7c4f0be5cd61619c536c10a63f0fd7492a87f7b209a2007f2c75c0eb3e4b7426ccf

Download Submit
C:\Windows\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe

Filesize
192KB

MD5
420b5214d9aae59f55cebe5be7f72b42

SHA1
93751c50d37e75eda7a5b03db6f9a0b6399d431e

SHA256
73e1498113bac214ff476c0fa55da50ceafddf6b7adafeb08ac494bc2dc5ac9a

SHA512
d756cc4b34452c24c1d07f87dd9a7dccf0d10b3856a43ca97c3cb3f96540d65e92e97ad09524b10800612bcab1e0ec8fbcc3b8367c17ae0d19f5e45ec2ccb9cf

Download Submit
C:\Windows\{AACF6344-24AF-4b56-BDC2-B77A2218FAE8}.exe

Filesize
192KB

MD5
420b5214d9aae59f55cebe5be7f72b42

SHA1
93751c50d37e75eda7a5b03db6f9a0b6399d431e

SHA256
73e1498113bac214ff476c0fa55da50ceafddf6b7adafeb08ac494bc2dc5ac9a

SHA512
d756cc4b34452c24c1d07f87dd9a7dccf0d10b3856a43ca97c3cb3f96540d65e92e97ad09524b10800612bcab1e0ec8fbcc3b8367c17ae0d19f5e45ec2ccb9cf

Download Submit
C:\Windows\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe

Filesize
192KB

MD5
609b45d735296c09beb2a4a63a42789e

SHA1
9037d38f54b95af4086959b42e609bb0d27ee69a

SHA256
ea852ad102d260861fa9ddc1b3805dd92a837e6c8c6cb7774126ff0dfb4b1612

SHA512
17758660cd2f6cb28aaea0c1b68de1e3e98bf815f6897399dbccee712b22f37126b5d018210fb8415322dd848314e97208dd5e0236b4a6da956d63e55eabb7c0

Download Submit
C:\Windows\{AFF08455-70B5-4e5d-BA0C-1CF08E3D8D7D}.exe

Filesize
192KB

MD5
609b45d735296c09beb2a4a63a42789e

SHA1
9037d38f54b95af4086959b42e609bb0d27ee69a

SHA256
ea852ad102d260861fa9ddc1b3805dd92a837e6c8c6cb7774126ff0dfb4b1612

SHA512
17758660cd2f6cb28aaea0c1b68de1e3e98bf815f6897399dbccee712b22f37126b5d018210fb8415322dd848314e97208dd5e0236b4a6da956d63e55eabb7c0

Download Submit
C:\Windows\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe

Filesize
192KB

MD5
fcb357723d8030db7a614342516c4fb8

SHA1
434165e3f7428ac6f2fc8bc9aeca8ebf79637935

SHA256
83c67f9dc20d41681a42883528603a9a2bddfd7402f4cd74c376f1ddafdaac1c

SHA512
9bfa22965e8400b3379b2349b79bb64f9e19fb274805aa0608de507f4f2c070ccab486bb59d740596157e1d732cfbc3d822f5dff6fb7e00485cfc911617ff26b

Download Submit
C:\Windows\{C21B198A-5BAF-4703-A40B-A3A788BCD813}.exe

Filesize
192KB

MD5
fcb357723d8030db7a614342516c4fb8

SHA1
434165e3f7428ac6f2fc8bc9aeca8ebf79637935

SHA256
83c67f9dc20d41681a42883528603a9a2bddfd7402f4cd74c376f1ddafdaac1c

SHA512
9bfa22965e8400b3379b2349b79bb64f9e19fb274805aa0608de507f4f2c070ccab486bb59d740596157e1d732cfbc3d822f5dff6fb7e00485cfc911617ff26b

Download Submit
C:\Windows\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe

Filesize
192KB

MD5
6899fc09ab2fd419c07ad134f2040e11

SHA1
c991804d93134f7c806ecae5bd2e6e50fa0d102e

SHA256
4685e0e8303ce5e7f989033a43e7af12862049c0ae05679808d912affaef4d2f

SHA512
20afd8e753dd7de4a87c5b5cf3ab164bb89e71313b9f1ef2ed9573eebef87b9bb6c6fab6e1ebd961fd34d618d5db9d63ecec5f7f82776ff9e5e7ec81f2a6bd14

Download Submit
C:\Windows\{D02E9832-7BCA-41d7-8DAE-BB9BF9AABCF5}.exe

Filesize
192KB

MD5
6899fc09ab2fd419c07ad134f2040e11

SHA1
c991804d93134f7c806ecae5bd2e6e50fa0d102e

SHA256
4685e0e8303ce5e7f989033a43e7af12862049c0ae05679808d912affaef4d2f

SHA512
20afd8e753dd7de4a87c5b5cf3ab164bb89e71313b9f1ef2ed9573eebef87b9bb6c6fab6e1ebd961fd34d618d5db9d63ecec5f7f82776ff9e5e7ec81f2a6bd14

Download Submit
C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe

Filesize
192KB

MD5
ed3296b99ebe5cf7065005d17487c0f4

SHA1
414ee8c87b7e452d23593c878896280eb42d6f6c

SHA256
43809562dd368dcd92c4b8eef9ebc15491471f26c25ce41e702b1331b289beb5

SHA512
57dfea9d59509f5b885d465fd1f9480b4620c8786514a0b93f5f858b636e35852a4ec920aae640df5b8a192c026d094f631966754933eb8e944704664be53284

Download Submit
C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe

Filesize
192KB

MD5
ed3296b99ebe5cf7065005d17487c0f4

SHA1
414ee8c87b7e452d23593c878896280eb42d6f6c

SHA256
43809562dd368dcd92c4b8eef9ebc15491471f26c25ce41e702b1331b289beb5

SHA512
57dfea9d59509f5b885d465fd1f9480b4620c8786514a0b93f5f858b636e35852a4ec920aae640df5b8a192c026d094f631966754933eb8e944704664be53284

Download Submit
C:\Windows\{D61F6BC6-7FE3-400b-82C1-76C175AB8AA5}.exe

Filesize
192KB

MD5
ed3296b99ebe5cf7065005d17487c0f4

SHA1
414ee8c87b7e452d23593c878896280eb42d6f6c

SHA256
43809562dd368dcd92c4b8eef9ebc15491471f26c25ce41e702b1331b289beb5

SHA512
57dfea9d59509f5b885d465fd1f9480b4620c8786514a0b93f5f858b636e35852a4ec920aae640df5b8a192c026d094f631966754933eb8e944704664be53284

Download Submit
C:\Windows\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe

Filesize
192KB

MD5
ba803bd58aad08d4fdfe10f6712877ad

SHA1
6f57d82bc0e601a6b25d0599d2208f9c3f91489b

SHA256
ecd23fa945aa5a7a2c34919d3a5771d8592f0ec88ae260e4e678ff9bd1965562

SHA512
87d9ee0f00f5bec7ea05f5a269d152af4fdf5ea071efcf275a900f9fd7e2c6ea5527597ff37ad9e9f4f6700a44f0c5140dd2e53f9ca57b14c601b1c37f3ec614

Download Submit
C:\Windows\{DD20F2AD-57DD-4383-BE36-F4A31DEAD348}.exe

Filesize
192KB

MD5
ba803bd58aad08d4fdfe10f6712877ad

SHA1
6f57d82bc0e601a6b25d0599d2208f9c3f91489b

SHA256
ecd23fa945aa5a7a2c34919d3a5771d8592f0ec88ae260e4e678ff9bd1965562

SHA512
87d9ee0f00f5bec7ea05f5a269d152af4fdf5ea071efcf275a900f9fd7e2c6ea5527597ff37ad9e9f4f6700a44f0c5140dd2e53f9ca57b14c601b1c37f3ec614

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads