be8e9eb0cf688f1f6eb31fb990134c75afa6d38a0c49e21103521a716f9b2d43

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Size

168KB
MD5

85a008b877c00b98c4245b7fb1d39144
SHA1

a5c10a4dba629d42281063458b03a524ef73e3c8
SHA256

be8e9eb0cf688f1f6eb31fb990134c75afa6d38a0c49e21103521a716f9b2d43
SHA512

9e07ffd071a2a9cf2e84af84cd5298854f235bf7489b6c13a271b37fa5c249e8145b85c3d4967788f3981a5efc68a2971560eb2f4f03fd51561a09aac68dcd37
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB8365A8-AA09-4250-8952-58C084F4DA7E}\stubpath = "C:\\Windows\\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe"	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E96A7A5-3986-4473-B088-247C9D7A18EF}\stubpath = "C:\\Windows\\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe"	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E60773-B79E-4a17-86E6-46E48A9464C7}\stubpath = "C:\\Windows\\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe"	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C2C4FD-2547-4e00-8886-7C5724D9045C}	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}\stubpath = "C:\\Windows\\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe"	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}\stubpath = "C:\\Windows\\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe"	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C2C4FD-2547-4e00-8886-7C5724D9045C}\stubpath = "C:\\Windows\\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe"	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}	{84269716-C662-409a-AEA2-C6789295DA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF2B7695-858A-48b5-BFB8-2591CE883A13}	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB8365A8-AA09-4250-8952-58C084F4DA7E}	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E96A7A5-3986-4473-B088-247C9D7A18EF}	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79E60773-B79E-4a17-86E6-46E48A9464C7}	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84269716-C662-409a-AEA2-C6789295DA1A}	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF2B7695-858A-48b5-BFB8-2591CE883A13}\stubpath = "C:\\Windows\\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe"	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}\stubpath = "C:\\Windows\\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe"	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84269716-C662-409a-AEA2-C6789295DA1A}\stubpath = "C:\\Windows\\{84269716-C662-409a-AEA2-C6789295DA1A}.exe"	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}\stubpath = "C:\\Windows\\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe"	{84269716-C662-409a-AEA2-C6789295DA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C06F2B-A43B-421a-97C9-F20BF5141651}	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7C06F2B-A43B-421a-97C9-F20BF5141651}\stubpath = "C:\\Windows\\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe"	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7095F584-C0AB-4de1-A9B1-080DF979C83E}	{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7095F584-C0AB-4de1-A9B1-080DF979C83E}\stubpath = "C:\\Windows\\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe"	{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe

Executes dropped EXE 12 IoCs

pid	Process
864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe
3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
4688	{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe
384	{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
File created	C:\Windows\{84269716-C662-409a-AEA2-C6789295DA1A}.exe	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
File created	C:\Windows\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
File created	C:\Windows\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe	{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe
File created	C:\Windows\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	{84269716-C662-409a-AEA2-C6789295DA1A}.exe
File created	C:\Windows\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
File created	C:\Windows\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
File created	C:\Windows\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
File created	C:\Windows\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
File created	C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
File created	C:\Windows\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
File created	C:\Windows\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
Token: SeIncBasePriorityPrivilege	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
Token: SeIncBasePriorityPrivilege	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
Token: SeIncBasePriorityPrivilege	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
Token: SeIncBasePriorityPrivilege	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
Token: SeIncBasePriorityPrivilege	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe
Token: SeIncBasePriorityPrivilege	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
Token: SeIncBasePriorityPrivilege	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
Token: SeIncBasePriorityPrivilege	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
Token: SeIncBasePriorityPrivilege	2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
Token: SeIncBasePriorityPrivilege	4688	{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 864	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	88
PID 1332 wrote to memory of 864	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	88
PID 1332 wrote to memory of 864	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	88
PID 1332 wrote to memory of 2888	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	89
PID 1332 wrote to memory of 2888	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	89
PID 1332 wrote to memory of 2888	1332	85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe	89
PID 864 wrote to memory of 2060	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	92
PID 864 wrote to memory of 2060	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	92
PID 864 wrote to memory of 2060	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	92
PID 864 wrote to memory of 5044	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	93
PID 864 wrote to memory of 5044	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	93
PID 864 wrote to memory of 5044	864	{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe	93
PID 2060 wrote to memory of 1960	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	95
PID 2060 wrote to memory of 1960	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	95
PID 2060 wrote to memory of 1960	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	95
PID 2060 wrote to memory of 908	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	96
PID 2060 wrote to memory of 908	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	96
PID 2060 wrote to memory of 908	2060	{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe	96
PID 1960 wrote to memory of 5064	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	97
PID 1960 wrote to memory of 5064	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	97
PID 1960 wrote to memory of 5064	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	97
PID 1960 wrote to memory of 2776	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	98
PID 1960 wrote to memory of 2776	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	98
PID 1960 wrote to memory of 2776	1960	{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe	98
PID 5064 wrote to memory of 2200	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	99
PID 5064 wrote to memory of 2200	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	99
PID 5064 wrote to memory of 2200	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	99
PID 5064 wrote to memory of 4140	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	100
PID 5064 wrote to memory of 4140	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	100
PID 5064 wrote to memory of 4140	5064	{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe	100
PID 2200 wrote to memory of 1088	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	101
PID 2200 wrote to memory of 1088	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	101
PID 2200 wrote to memory of 1088	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	101
PID 2200 wrote to memory of 1028	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	102
PID 2200 wrote to memory of 1028	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	102
PID 2200 wrote to memory of 1028	2200	{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe	102
PID 1088 wrote to memory of 3768	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	103
PID 1088 wrote to memory of 3768	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	103
PID 1088 wrote to memory of 3768	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	103
PID 1088 wrote to memory of 3652	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	104
PID 1088 wrote to memory of 3652	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	104
PID 1088 wrote to memory of 3652	1088	{84269716-C662-409a-AEA2-C6789295DA1A}.exe	104
PID 3768 wrote to memory of 4528	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	105
PID 3768 wrote to memory of 4528	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	105
PID 3768 wrote to memory of 4528	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	105
PID 3768 wrote to memory of 2300	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	106
PID 3768 wrote to memory of 2300	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	106
PID 3768 wrote to memory of 2300	3768	{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe	106
PID 4528 wrote to memory of 3208	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	107
PID 4528 wrote to memory of 3208	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	107
PID 4528 wrote to memory of 3208	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	107
PID 4528 wrote to memory of 4612	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	108
PID 4528 wrote to memory of 4612	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	108
PID 4528 wrote to memory of 4612	4528	{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe	108
PID 3208 wrote to memory of 2576	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	109
PID 3208 wrote to memory of 2576	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	109
PID 3208 wrote to memory of 2576	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	109
PID 3208 wrote to memory of 4200	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	110
PID 3208 wrote to memory of 4200	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	110
PID 3208 wrote to memory of 4200	3208	{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe	110
PID 2576 wrote to memory of 4688	2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe	111
PID 2576 wrote to memory of 4688	2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe	111
PID 2576 wrote to memory of 4688	2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe	111
PID 2576 wrote to memory of 1804	2576	{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe	112

C:\Users\Admin\AppData\Local\Temp\85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\85a008b877c00b98c4245b7fb1d39144_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
  C:\Windows\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
    C:\Windows\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
      C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
        
        C:\Windows\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
        
        C:\Windows\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{84269716-C662-409a-AEA2-C6789295DA1A}.exe
        
        C:\Windows\{84269716-C662-409a-AEA2-C6789295DA1A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
        
        C:\Windows\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
        
        C:\Windows\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
        
        C:\Windows\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
        
        C:\Windows\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe
        
        C:\Windows\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe
        
        C:\Windows\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe
        13⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70F50~1.EXE > nul
        13⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF2B7~1.EXE > nul
        12⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C06~1.EXE > nul
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DC3B~1.EXE > nul
        10⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE939~1.EXE > nul
        9⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84269~1.EXE > nul
        8⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C2C~1.EXE > nul
        7⤵
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79E60~1.EXE > nul
        6⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E96A~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB836~1.EXE > nul
      4⤵
      PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08DCA~1.EXE > nul
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\85A008~1.EXE > nul
  2⤵
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe

Filesize
168KB

MD5
66031a405d16fad24fc7b617abde62ee

SHA1
3d59ccc11915f35aacc6856642af6d87facdab60

SHA256
57e4b015a76e4ecb26590cea9aacdbc8fbb5864eb5f93ac1a42d8de5140a7efe

SHA512
e21ab06b82346c3597ed63388115d801a931ce1338475bcb475b3d9d7c7618631b89c0f81ab3bfeca9e32e9e73fe5b1e4b6bf506429c949bd79e1204453144aa

Download Submit
C:\Windows\{08DCAEF3-BAA2-4973-A6BF-E3AFD2227CFC}.exe

Filesize
168KB

MD5
66031a405d16fad24fc7b617abde62ee

SHA1
3d59ccc11915f35aacc6856642af6d87facdab60

SHA256
57e4b015a76e4ecb26590cea9aacdbc8fbb5864eb5f93ac1a42d8de5140a7efe

SHA512
e21ab06b82346c3597ed63388115d801a931ce1338475bcb475b3d9d7c7618631b89c0f81ab3bfeca9e32e9e73fe5b1e4b6bf506429c949bd79e1204453144aa

Download Submit
C:\Windows\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe

Filesize
168KB

MD5
47f6441f61bd763cd07f80f88f83b99f

SHA1
19bbe59be70654c40969a74feb76f0bb145427d1

SHA256
4ef76abde8aa68b3acbbbf0799ea1d5dbb7677ce0fb00275410acf33ad13ad1a

SHA512
1413930cb1601fce149c1d8e06db1826ebae1dcd84466d8a4ef7b06edd54135aab819273fbb9b6d8c77a1cad1a5509c5f9701737a6d96c7e4113e0c412f56543

Download Submit
C:\Windows\{28C2C4FD-2547-4e00-8886-7C5724D9045C}.exe

Filesize
168KB

MD5
47f6441f61bd763cd07f80f88f83b99f

SHA1
19bbe59be70654c40969a74feb76f0bb145427d1

SHA256
4ef76abde8aa68b3acbbbf0799ea1d5dbb7677ce0fb00275410acf33ad13ad1a

SHA512
1413930cb1601fce149c1d8e06db1826ebae1dcd84466d8a4ef7b06edd54135aab819273fbb9b6d8c77a1cad1a5509c5f9701737a6d96c7e4113e0c412f56543

Download Submit
C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe

Filesize
168KB

MD5
5956a970242f662c12d53a2c9649a384

SHA1
fd274c878fe7d5c9dc28d8054afb85a81fd73425

SHA256
b036e09d87f35ac11be13628156b6039f16fc9d932b440960573826a6e94f81f

SHA512
e261cf73f03983a0f2a5b5f69f7421b1b7400bfe8954f34dfe1594150fcb5b354749e75714e25dcf590d8394fb053fd1a964413d160c7167a851476fd7fbbb9b

Download Submit
C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe

Filesize
168KB

MD5
5956a970242f662c12d53a2c9649a384

SHA1
fd274c878fe7d5c9dc28d8054afb85a81fd73425

SHA256
b036e09d87f35ac11be13628156b6039f16fc9d932b440960573826a6e94f81f

SHA512
e261cf73f03983a0f2a5b5f69f7421b1b7400bfe8954f34dfe1594150fcb5b354749e75714e25dcf590d8394fb053fd1a964413d160c7167a851476fd7fbbb9b

Download Submit
C:\Windows\{2E96A7A5-3986-4473-B088-247C9D7A18EF}.exe

Filesize
168KB

MD5
5956a970242f662c12d53a2c9649a384

SHA1
fd274c878fe7d5c9dc28d8054afb85a81fd73425

SHA256
b036e09d87f35ac11be13628156b6039f16fc9d932b440960573826a6e94f81f

SHA512
e261cf73f03983a0f2a5b5f69f7421b1b7400bfe8954f34dfe1594150fcb5b354749e75714e25dcf590d8394fb053fd1a964413d160c7167a851476fd7fbbb9b

Download Submit
C:\Windows\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe

Filesize
168KB

MD5
79665a0e4696e5e5442e8af7ace09943

SHA1
911a5d374cd526edaceb57aba36d4e01c4380fc0

SHA256
7b1ce5532eb27d6ec95f991457438175745f1a56d82416606d8bc858b6f8aaff

SHA512
82fc18714e3baba380763f0428a6e1847c43ab8964efdb4ea15166f2cdddb2e686cbb3503ca1e476294bafdb98e9e102d0925a457c54d45ac1a38fc0739dbd6f

Download Submit
C:\Windows\{5DC3BDB1-5FCD-4dfb-9C17-9A11D4030078}.exe

Filesize
168KB

MD5
79665a0e4696e5e5442e8af7ace09943

SHA1
911a5d374cd526edaceb57aba36d4e01c4380fc0

SHA256
7b1ce5532eb27d6ec95f991457438175745f1a56d82416606d8bc858b6f8aaff

SHA512
82fc18714e3baba380763f0428a6e1847c43ab8964efdb4ea15166f2cdddb2e686cbb3503ca1e476294bafdb98e9e102d0925a457c54d45ac1a38fc0739dbd6f

Download Submit
C:\Windows\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe

Filesize
168KB

MD5
452a00d45746ca95b31cca07ff012249

SHA1
2f91abd938ce838ad956a15b0970bce5bc131a7f

SHA256
f6818e1b3e84942463e3c526d3bc55968683b41306458e5159ec3da38b61b2bd

SHA512
f332a80214a263f266931b05f6b16781b49c3398b71265df2d74458f4a4f1d317662749d7d8f61405ff8cd43186b472f22dbdf436e668f8aa552083356569c79

Download Submit
C:\Windows\{7095F584-C0AB-4de1-A9B1-080DF979C83E}.exe

Filesize
168KB

MD5
452a00d45746ca95b31cca07ff012249

SHA1
2f91abd938ce838ad956a15b0970bce5bc131a7f

SHA256
f6818e1b3e84942463e3c526d3bc55968683b41306458e5159ec3da38b61b2bd

SHA512
f332a80214a263f266931b05f6b16781b49c3398b71265df2d74458f4a4f1d317662749d7d8f61405ff8cd43186b472f22dbdf436e668f8aa552083356569c79

Download Submit
C:\Windows\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe

Filesize
168KB

MD5
dcf182d4e84830b52ff14c3e2cdd4003

SHA1
7e174963f82d524e0236135eba118e0400924f13

SHA256
b0674fab2c62137e3aa6a86930c69b7dc88e5f32443ec5322706ac13902c0cc6

SHA512
b70d10527fe0c21a72d3e278702be383d148c9838abee29426055c7b2108677c88218383e17ad6a3c660f88523cdff55bf86bbf55df222ee4d37c0907314b002

Download Submit
C:\Windows\{70F50C99-4331-49e1-94EA-8BF1A9F86AF5}.exe

Filesize
168KB

MD5
dcf182d4e84830b52ff14c3e2cdd4003

SHA1
7e174963f82d524e0236135eba118e0400924f13

SHA256
b0674fab2c62137e3aa6a86930c69b7dc88e5f32443ec5322706ac13902c0cc6

SHA512
b70d10527fe0c21a72d3e278702be383d148c9838abee29426055c7b2108677c88218383e17ad6a3c660f88523cdff55bf86bbf55df222ee4d37c0907314b002

Download Submit
C:\Windows\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe

Filesize
168KB

MD5
fc02f546001686f4552db53334715f87

SHA1
a058dcbd8fa42534a98b7ab88f45dd122cf25715

SHA256
4cc66966c9a3c01e7d1989af2862c331e8d923d7a9ce35d04bbd337f20815918

SHA512
36ab1b4b68c34fd8b8ef3e8e048ee06eca76b67b35d2628c0fbf5b7b638322c159bb971d0f38ce6902776e35f7be5578ebebd66a15e85c2de6683ff792a7643a

Download Submit
C:\Windows\{79E60773-B79E-4a17-86E6-46E48A9464C7}.exe

Filesize
168KB

MD5
fc02f546001686f4552db53334715f87

SHA1
a058dcbd8fa42534a98b7ab88f45dd122cf25715

SHA256
4cc66966c9a3c01e7d1989af2862c331e8d923d7a9ce35d04bbd337f20815918

SHA512
36ab1b4b68c34fd8b8ef3e8e048ee06eca76b67b35d2628c0fbf5b7b638322c159bb971d0f38ce6902776e35f7be5578ebebd66a15e85c2de6683ff792a7643a

Download Submit
C:\Windows\{84269716-C662-409a-AEA2-C6789295DA1A}.exe

Filesize
168KB

MD5
c76c4f08123f0297ba8cffe5611c308e

SHA1
d7fad301e6f4e6608e5dd5a2bc31a00f032e93db

SHA256
b97420835ad7cb79cc7d82d1b6536f9a00ab78912dea5be077a1f0aba9fc69f8

SHA512
47394c8605fdd3a370b5fc22b831a213f310b9d24aea4e89b3480d13339994ed8ab5f949fe8c2808527dd6609ef0ac0bc3ccc08d7cbedb44fdc620a93208f89b

Download Submit
C:\Windows\{84269716-C662-409a-AEA2-C6789295DA1A}.exe

Filesize
168KB

MD5
c76c4f08123f0297ba8cffe5611c308e

SHA1
d7fad301e6f4e6608e5dd5a2bc31a00f032e93db

SHA256
b97420835ad7cb79cc7d82d1b6536f9a00ab78912dea5be077a1f0aba9fc69f8

SHA512
47394c8605fdd3a370b5fc22b831a213f310b9d24aea4e89b3480d13339994ed8ab5f949fe8c2808527dd6609ef0ac0bc3ccc08d7cbedb44fdc620a93208f89b

Download Submit
C:\Windows\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe

Filesize
168KB

MD5
1d4ff114c8f861bb8406ea2d990a99b6

SHA1
0b732f32029c73346f7c52099ab48de0c689a73f

SHA256
2819a2aa51a75d27cfc308c460248a61f98fb0bd8c883bafa93fb70dd5039510

SHA512
f3cd2d97dca74682247625929822af502315f5004974e1fd9ebf7cbd8c655f70fadddcdf64c6a4aa60def08918f4f507285c34c1866fa44390cb830346529663

Download Submit
C:\Windows\{A7C06F2B-A43B-421a-97C9-F20BF5141651}.exe

Filesize
168KB

MD5
1d4ff114c8f861bb8406ea2d990a99b6

SHA1
0b732f32029c73346f7c52099ab48de0c689a73f

SHA256
2819a2aa51a75d27cfc308c460248a61f98fb0bd8c883bafa93fb70dd5039510

SHA512
f3cd2d97dca74682247625929822af502315f5004974e1fd9ebf7cbd8c655f70fadddcdf64c6a4aa60def08918f4f507285c34c1866fa44390cb830346529663

Download Submit
C:\Windows\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe

Filesize
168KB

MD5
26cb62299e53cee21d1756e8cc6ff91f

SHA1
94556b695b37671850feec428a09d301763f13f4

SHA256
da4640da01d477b089d7e2646636e19b32b7ee5dddbae2639e9b481856c7d889

SHA512
b01bc51757892914f6b8bfcb5b8d0afa6bf1d832c325761d7e828d4df58517183db5bcc4c5584823537f00c5f1bfee8e77b11efe4f118169a0100f44996993f2

Download Submit
C:\Windows\{CB8365A8-AA09-4250-8952-58C084F4DA7E}.exe

Filesize
168KB

MD5
26cb62299e53cee21d1756e8cc6ff91f

SHA1
94556b695b37671850feec428a09d301763f13f4

SHA256
da4640da01d477b089d7e2646636e19b32b7ee5dddbae2639e9b481856c7d889

SHA512
b01bc51757892914f6b8bfcb5b8d0afa6bf1d832c325761d7e828d4df58517183db5bcc4c5584823537f00c5f1bfee8e77b11efe4f118169a0100f44996993f2

Download Submit
C:\Windows\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe

Filesize
168KB

MD5
35093599ae0fe14f4622c39de478326b

SHA1
22b1df0a435e353d45a986a73bcb3eea4de176e6

SHA256
340c7971b0d8115206eeac833d683847cea60a27ac3333f473d4cbdd8051decd

SHA512
6b929081ac37cc4bf692f84f60c0d122853fa5d2dab33fb08a90954067fca37e0242b3db8d99e70aa2722f4e0146847e6c057191890287eeca440874b73d5295

Download Submit
C:\Windows\{FE93918B-C288-4e7a-85F0-EBED107B7F5C}.exe

Filesize
168KB

MD5
35093599ae0fe14f4622c39de478326b

SHA1
22b1df0a435e353d45a986a73bcb3eea4de176e6

SHA256
340c7971b0d8115206eeac833d683847cea60a27ac3333f473d4cbdd8051decd

SHA512
6b929081ac37cc4bf692f84f60c0d122853fa5d2dab33fb08a90954067fca37e0242b3db8d99e70aa2722f4e0146847e6c057191890287eeca440874b73d5295

Download Submit
C:\Windows\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe

Filesize
168KB

MD5
574d103ac8bfbf6a17a1da1f38c8dc3a

SHA1
bd5a1140002cf6942026a99b6a008cc54450f8b2

SHA256
7ff8282446e41e550afffc4895eafd44e3c5bb32b458da0563e71f8284361f7e

SHA512
236da9ae9d059e9f620613b25a3f009b312ef2af9b15fa64a4fcb0ebf1caaa3c6b4047ac8f389a7a606c708100faa0a0210a6aac0c2daf60cf54629778fe80f6

Download Submit
C:\Windows\{FF2B7695-858A-48b5-BFB8-2591CE883A13}.exe

Filesize
168KB

MD5
574d103ac8bfbf6a17a1da1f38c8dc3a

SHA1
bd5a1140002cf6942026a99b6a008cc54450f8b2

SHA256
7ff8282446e41e550afffc4895eafd44e3c5bb32b458da0563e71f8284361f7e

SHA512
236da9ae9d059e9f620613b25a3f009b312ef2af9b15fa64a4fcb0ebf1caaa3c6b4047ac8f389a7a606c708100faa0a0210a6aac0c2daf60cf54629778fe80f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads