508cd5b6b3c97484cd9f3af60164fe98488bd4dfed938808208f8abd4629042d

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
Size

168KB
MD5

a18e52bc0088450ee6731e39e2377d3c
SHA1

42c6944c31befd223f7969995a826969fcd26575
SHA256

508cd5b6b3c97484cd9f3af60164fe98488bd4dfed938808208f8abd4629042d
SHA512

58242fe09ac1261c17debaad6e3a9d6ec3e70b99d75a83566fb2354bc452d38afc3eec969ff8b4d1a29c420a98a1b740179dbeebc171f19fb768b9fb25e4cef4
SSDEEP

1536:1EGh0oelq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oelqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF478E3-74E1-4a4d-8157-68454E880F64}\stubpath = "C:\\Windows\\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe"	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D19421D-0D39-4512-A537-D46EF80BBAC7}	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D19421D-0D39-4512-A537-D46EF80BBAC7}\stubpath = "C:\\Windows\\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe"	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB34E71-0B0D-40c0-8E0E-24F226823332}	{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}\stubpath = "C:\\Windows\\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe"	{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}\stubpath = "C:\\Windows\\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe"	{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}\stubpath = "C:\\Windows\\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe"	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD2BD63-D4CB-4407-9460-1503673389B6}	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}	{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AF478E3-74E1-4a4d-8157-68454E880F64}	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D7305C-2014-47e3-A915-25803796446C}	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}	{65D7305C-2014-47e3-A915-25803796446C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}\stubpath = "C:\\Windows\\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe"	{65D7305C-2014-47e3-A915-25803796446C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}\stubpath = "C:\\Windows\\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe"	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C349E70-ACF6-485b-B226-A3C9447B265F}	{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}	{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CD2BD63-D4CB-4407-9460-1503673389B6}\stubpath = "C:\\Windows\\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe"	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}\stubpath = "C:\\Windows\\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe"	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65D7305C-2014-47e3-A915-25803796446C}\stubpath = "C:\\Windows\\{65D7305C-2014-47e3-A915-25803796446C}.exe"	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C349E70-ACF6-485b-B226-A3C9447B265F}\stubpath = "C:\\Windows\\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe"	{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB34E71-0B0D-40c0-8E0E-24F226823332}\stubpath = "C:\\Windows\\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe"	{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
1636	{65D7305C-2014-47e3-A915-25803796446C}.exe
336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
1196	{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
1480	{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
2428	{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
2988	{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
1980	{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe	{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
File created	C:\Windows\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe	{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
File created	C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
File created	C:\Windows\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
File created	C:\Windows\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	{65D7305C-2014-47e3-A915-25803796446C}.exe
File created	C:\Windows\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
File created	C:\Windows\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe	{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
File created	C:\Windows\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
File created	C:\Windows\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
File created	C:\Windows\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
File created	C:\Windows\{65D7305C-2014-47e3-A915-25803796446C}.exe	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
File created	C:\Windows\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe	{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
Token: SeIncBasePriorityPrivilege	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
Token: SeIncBasePriorityPrivilege	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
Token: SeIncBasePriorityPrivilege	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
Token: SeIncBasePriorityPrivilege	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
Token: SeIncBasePriorityPrivilege	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe
Token: SeIncBasePriorityPrivilege	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
Token: SeIncBasePriorityPrivilege	1196	{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
Token: SeIncBasePriorityPrivilege	1480	{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
Token: SeIncBasePriorityPrivilege	2428	{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
Token: SeIncBasePriorityPrivilege	2988	{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2252	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	28
PID 1796 wrote to memory of 2252	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	28
PID 1796 wrote to memory of 2252	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	28
PID 1796 wrote to memory of 2252	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	28
PID 1796 wrote to memory of 2980	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	29
PID 1796 wrote to memory of 2980	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	29
PID 1796 wrote to memory of 2980	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	29
PID 1796 wrote to memory of 2980	1796	a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe	29
PID 2252 wrote to memory of 2824	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	30
PID 2252 wrote to memory of 2824	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	30
PID 2252 wrote to memory of 2824	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	30
PID 2252 wrote to memory of 2824	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	30
PID 2252 wrote to memory of 2932	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	31
PID 2252 wrote to memory of 2932	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	31
PID 2252 wrote to memory of 2932	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	31
PID 2252 wrote to memory of 2932	2252	{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe	31
PID 2824 wrote to memory of 1076	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	34
PID 2824 wrote to memory of 1076	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	34
PID 2824 wrote to memory of 1076	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	34
PID 2824 wrote to memory of 1076	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	34
PID 2824 wrote to memory of 2860	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	35
PID 2824 wrote to memory of 2860	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	35
PID 2824 wrote to memory of 2860	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	35
PID 2824 wrote to memory of 2860	2824	{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe	35
PID 1076 wrote to memory of 2848	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	36
PID 1076 wrote to memory of 2848	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	36
PID 1076 wrote to memory of 2848	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	36
PID 1076 wrote to memory of 2848	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	36
PID 1076 wrote to memory of 2744	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	37
PID 1076 wrote to memory of 2744	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	37
PID 1076 wrote to memory of 2744	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	37
PID 1076 wrote to memory of 2744	1076	{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe	37
PID 2848 wrote to memory of 2700	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	38
PID 2848 wrote to memory of 2700	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	38
PID 2848 wrote to memory of 2700	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	38
PID 2848 wrote to memory of 2700	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	38
PID 2848 wrote to memory of 2760	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	39
PID 2848 wrote to memory of 2760	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	39
PID 2848 wrote to memory of 2760	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	39
PID 2848 wrote to memory of 2760	2848	{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe	39
PID 2700 wrote to memory of 1636	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	40
PID 2700 wrote to memory of 1636	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	40
PID 2700 wrote to memory of 1636	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	40
PID 2700 wrote to memory of 1636	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	40
PID 2700 wrote to memory of 2156	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	41
PID 2700 wrote to memory of 2156	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	41
PID 2700 wrote to memory of 2156	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	41
PID 2700 wrote to memory of 2156	2700	{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe	41
PID 1636 wrote to memory of 336	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	42
PID 1636 wrote to memory of 336	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	42
PID 1636 wrote to memory of 336	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	42
PID 1636 wrote to memory of 336	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	42
PID 1636 wrote to memory of 984	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	43
PID 1636 wrote to memory of 984	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	43
PID 1636 wrote to memory of 984	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	43
PID 1636 wrote to memory of 984	1636	{65D7305C-2014-47e3-A915-25803796446C}.exe	43
PID 336 wrote to memory of 1196	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	44
PID 336 wrote to memory of 1196	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	44
PID 336 wrote to memory of 1196	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	44
PID 336 wrote to memory of 1196	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	44
PID 336 wrote to memory of 1632	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	45
PID 336 wrote to memory of 1632	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	45
PID 336 wrote to memory of 1632	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	45
PID 336 wrote to memory of 1632	336	{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe	45

C:\Users\Admin\AppData\Local\Temp\a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a18e52bc0088450ee6731e39e2377d3c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
  C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
    C:\Windows\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
      C:\Windows\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
        
        C:\Windows\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
        
        C:\Windows\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{65D7305C-2014-47e3-A915-25803796446C}.exe
        
        C:\Windows\{65D7305C-2014-47e3-A915-25803796446C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
        
        C:\Windows\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
        
        C:\Windows\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
        
        C:\Windows\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
        
        C:\Windows\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
        
        C:\Windows\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe
        
        C:\Windows\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A96CF~1.EXE > nul
        13⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB34~1.EXE > nul
        12⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C349~1.EXE > nul
        11⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10BC9~1.EXE > nul
        10⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9C1~1.EXE > nul
        9⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65D73~1.EXE > nul
        8⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D194~1.EXE > nul
        7⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF47~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A36~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD2B~1.EXE > nul
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08B91~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A18E52~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe

Filesize
168KB

MD5
a4abd5a87389f9a52220ffa229d6142c

SHA1
3ef3d1fdf553ca1d70b50d2666edfb63b4447528

SHA256
5bb678a0e57a3ea5d8d88f85cec8223cf41439bd237a1cb9c8acd32342296a9d

SHA512
cdcd148c6bfd7b05f6aa1c68c48c189de230b34716cce4fe470ec8b81ddcedb0eb2e2314185dabd903a71ea23a0e1e7e807a5a21decf026509c2c2ea102f6386

Download Submit
C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe

Filesize
168KB

MD5
a4abd5a87389f9a52220ffa229d6142c

SHA1
3ef3d1fdf553ca1d70b50d2666edfb63b4447528

SHA256
5bb678a0e57a3ea5d8d88f85cec8223cf41439bd237a1cb9c8acd32342296a9d

SHA512
cdcd148c6bfd7b05f6aa1c68c48c189de230b34716cce4fe470ec8b81ddcedb0eb2e2314185dabd903a71ea23a0e1e7e807a5a21decf026509c2c2ea102f6386

Download Submit
C:\Windows\{08B9106C-5B9F-4ac6-9744-F25432BF73A4}.exe

Filesize
168KB

MD5
a4abd5a87389f9a52220ffa229d6142c

SHA1
3ef3d1fdf553ca1d70b50d2666edfb63b4447528

SHA256
5bb678a0e57a3ea5d8d88f85cec8223cf41439bd237a1cb9c8acd32342296a9d

SHA512
cdcd148c6bfd7b05f6aa1c68c48c189de230b34716cce4fe470ec8b81ddcedb0eb2e2314185dabd903a71ea23a0e1e7e807a5a21decf026509c2c2ea102f6386

Download Submit
C:\Windows\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe

Filesize
168KB

MD5
88e71f84d1bc32e55c9bd75423317b8a

SHA1
6f5736eef992253565fb71298f91cac44c5ca379

SHA256
3d0ad614b0b90b693b99f5251dbf5d051c1923550174eeb446d61667ebb818b9

SHA512
5a21fe72543dfef939c01aacf77fbde9d88b6c1a364b51fafff5b601b23dc3652c434571806f9152a64e7d57747a15a65eabb5030dcfc2f30bc666d68afb204f

Download Submit
C:\Windows\{0A9C1891-AF4B-4d6c-9C35-54D9E0E79B7C}.exe

Filesize
168KB

MD5
88e71f84d1bc32e55c9bd75423317b8a

SHA1
6f5736eef992253565fb71298f91cac44c5ca379

SHA256
3d0ad614b0b90b693b99f5251dbf5d051c1923550174eeb446d61667ebb818b9

SHA512
5a21fe72543dfef939c01aacf77fbde9d88b6c1a364b51fafff5b601b23dc3652c434571806f9152a64e7d57747a15a65eabb5030dcfc2f30bc666d68afb204f

Download Submit
C:\Windows\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe

Filesize
168KB

MD5
7cdf90fbd2aef3b69d381fb8e7f95ccd

SHA1
33afd23ccff289eb89340ae8cf8284f183488c29

SHA256
7149202fa85a45d81fa7f0674bec95f73a3afc4d8a0dbebd5db3e6a36d1ca0d9

SHA512
c41c7d50ee64943c36b696cbe49bfa48fef8c3904a822d6f2cdbdc2dd51f94cc9a61afa8cd75ba78694d3dbdd5b5cf76fdc1f126a20fda22fe273a12ec3b74ce

Download Submit
C:\Windows\{0AF478E3-74E1-4a4d-8157-68454E880F64}.exe

Filesize
168KB

MD5
7cdf90fbd2aef3b69d381fb8e7f95ccd

SHA1
33afd23ccff289eb89340ae8cf8284f183488c29

SHA256
7149202fa85a45d81fa7f0674bec95f73a3afc4d8a0dbebd5db3e6a36d1ca0d9

SHA512
c41c7d50ee64943c36b696cbe49bfa48fef8c3904a822d6f2cdbdc2dd51f94cc9a61afa8cd75ba78694d3dbdd5b5cf76fdc1f126a20fda22fe273a12ec3b74ce

Download Submit
C:\Windows\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe

Filesize
168KB

MD5
d7bc9ee129bac33914c58c1c7426558d

SHA1
d190314f637d7dff3da7ebddde78867590c111d3

SHA256
baa1e50e2541a37068675ad0506ae0e0fef3cc431a988dc0b1ee12772a76b28b

SHA512
549ff38a49b4a24b5ed1f44eb34cf87dffcea031cfb19b85ebe464467a1126bbe15052fd098be216a968c1f7a6716ec8d888da8ebd5fc393a1aaef1f19387ea3

Download Submit
C:\Windows\{0D19421D-0D39-4512-A537-D46EF80BBAC7}.exe

Filesize
168KB

MD5
d7bc9ee129bac33914c58c1c7426558d

SHA1
d190314f637d7dff3da7ebddde78867590c111d3

SHA256
baa1e50e2541a37068675ad0506ae0e0fef3cc431a988dc0b1ee12772a76b28b

SHA512
549ff38a49b4a24b5ed1f44eb34cf87dffcea031cfb19b85ebe464467a1126bbe15052fd098be216a968c1f7a6716ec8d888da8ebd5fc393a1aaef1f19387ea3

Download Submit
C:\Windows\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe

Filesize
168KB

MD5
4338260224b7cc46c61e283e3fdc3322

SHA1
82dbdfa5f2983a4414c4dd4f2afbe7a908844141

SHA256
ec42a2efe4e975a558a1ab05d87b41d5aea74712bd191cb00ed63aaf60e9ccb2

SHA512
552896cbc0680474c653f38c22e8f76d64b5b55b86e485a567bd7a9e70fd5b824d04ecd0169d7fb5e1a43732e8edf91c54b6166d5a69acf0bc47df0a69b15044

Download Submit
C:\Windows\{10BC9050-2CD5-4b96-BC0C-4E6231F4CCF0}.exe

Filesize
168KB

MD5
4338260224b7cc46c61e283e3fdc3322

SHA1
82dbdfa5f2983a4414c4dd4f2afbe7a908844141

SHA256
ec42a2efe4e975a558a1ab05d87b41d5aea74712bd191cb00ed63aaf60e9ccb2

SHA512
552896cbc0680474c653f38c22e8f76d64b5b55b86e485a567bd7a9e70fd5b824d04ecd0169d7fb5e1a43732e8edf91c54b6166d5a69acf0bc47df0a69b15044

Download Submit
C:\Windows\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe

Filesize
168KB

MD5
0a0f799a2e206edea0927b79511f9e5a

SHA1
07a38a140bb4059d6c37449a6b885948d6fcba56

SHA256
a5692a5c118ee4920971ba09b24d542f80bd08277d20ce7405694d686e65aef6

SHA512
6949220451106c746560a349ba3efbd9faefe859aaf4d64ba9c61907fb082597afb9c1ffabb04eaff6960bb97c9b61fb1c7d5ddacf256b2ddf3c729383f61a0d

Download Submit
C:\Windows\{26A36DB9-F0F3-4df6-AFFD-C05170F55DA7}.exe

Filesize
168KB

MD5
0a0f799a2e206edea0927b79511f9e5a

SHA1
07a38a140bb4059d6c37449a6b885948d6fcba56

SHA256
a5692a5c118ee4920971ba09b24d542f80bd08277d20ce7405694d686e65aef6

SHA512
6949220451106c746560a349ba3efbd9faefe859aaf4d64ba9c61907fb082597afb9c1ffabb04eaff6960bb97c9b61fb1c7d5ddacf256b2ddf3c729383f61a0d

Download Submit
C:\Windows\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe

Filesize
168KB

MD5
5b557ed8b2f9f7ec28fa767f7e083f10

SHA1
dc184bb2f8e7e746c6ed56a65f0829e561ace5ae

SHA256
2a913c8bca361ac36b08453284a2810249e66c69d3a6ee9caa069538d9e03d5f

SHA512
76ae58dc765078aa96449a2d44ca75946c647bfe391a26cff5c914f718262e0998df25d737d28d87e325f12542ef19070c8572ee91c09c4fd83fd27c892ab311

Download Submit
C:\Windows\{4C349E70-ACF6-485b-B226-A3C9447B265F}.exe

Filesize
168KB

MD5
5b557ed8b2f9f7ec28fa767f7e083f10

SHA1
dc184bb2f8e7e746c6ed56a65f0829e561ace5ae

SHA256
2a913c8bca361ac36b08453284a2810249e66c69d3a6ee9caa069538d9e03d5f

SHA512
76ae58dc765078aa96449a2d44ca75946c647bfe391a26cff5c914f718262e0998df25d737d28d87e325f12542ef19070c8572ee91c09c4fd83fd27c892ab311

Download Submit
C:\Windows\{65D7305C-2014-47e3-A915-25803796446C}.exe

Filesize
168KB

MD5
0ad78070c5f09f3e752fb0e0d4f61df2

SHA1
3538fb89dae8a984360937587a3a500f9b0ed3cc

SHA256
82fbaf58276ab69fdce19c9f6458451a08a4e2281ff19f8a8f089587d449439d

SHA512
994dc06786028e9f51500e9afa5ce8c844e665b3a0647e8c27c8ddd0dc78347e1eae86588c31bcdc30e39d8d13d3f5759d39dfe1de789aefbf907b1e1aa83133

Download Submit
C:\Windows\{65D7305C-2014-47e3-A915-25803796446C}.exe

Filesize
168KB

MD5
0ad78070c5f09f3e752fb0e0d4f61df2

SHA1
3538fb89dae8a984360937587a3a500f9b0ed3cc

SHA256
82fbaf58276ab69fdce19c9f6458451a08a4e2281ff19f8a8f089587d449439d

SHA512
994dc06786028e9f51500e9afa5ce8c844e665b3a0647e8c27c8ddd0dc78347e1eae86588c31bcdc30e39d8d13d3f5759d39dfe1de789aefbf907b1e1aa83133

Download Submit
C:\Windows\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe

Filesize
168KB

MD5
37d9183643e5e136831d3719c95c1f8e

SHA1
6ae15489f1927b0063e322a7d27ab2ec801d18c9

SHA256
7d611614aa40173fac1708e4d5151b68d631d49528b55293bc0adf30e8c3335f

SHA512
4e2dcbf6c6b3f28dd4a4f4615519e65f742c64b8b6c239a358981af8f7aebe12d3ff32dbcc141769d8fe2f1c89e92796e582016f9346326816cc41edbb735dcd

Download Submit
C:\Windows\{6AB34E71-0B0D-40c0-8E0E-24F226823332}.exe

Filesize
168KB

MD5
37d9183643e5e136831d3719c95c1f8e

SHA1
6ae15489f1927b0063e322a7d27ab2ec801d18c9

SHA256
7d611614aa40173fac1708e4d5151b68d631d49528b55293bc0adf30e8c3335f

SHA512
4e2dcbf6c6b3f28dd4a4f4615519e65f742c64b8b6c239a358981af8f7aebe12d3ff32dbcc141769d8fe2f1c89e92796e582016f9346326816cc41edbb735dcd

Download Submit
C:\Windows\{6F14B131-D7FA-4575-A55F-CE3B337CD04A}.exe

Filesize
168KB

MD5
e5f4cefe0beb606db956b320315e74cb

SHA1
6c0820a7d48f03fd174beae31344c19b33656791

SHA256
71d0bd0fd0bdd467118e196e462b3fb50d47d1490e285f6b7d9001827a59bf23

SHA512
b67ea32c42a6202c0e33a77436892d19fd7de1eec90898cee5eedd7c47c05ce78787f1d7ecc1e2f6ba0fd560a5087002dcdb0a7c86427f534e4293a1516848d1

Download Submit
C:\Windows\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe

Filesize
168KB

MD5
5ab49559b23c67b13dcab92eec8daa9a

SHA1
a4ffa4ded1ac4d8e1e13561b587b73f3d7131e08

SHA256
aaf67fe4f8786bf62ea89a9006ac6875414923237b27f763a28c360051b9752d

SHA512
80d8c773c4f33f18337a81ef9b3f87bf6420fbc8007ef57197ef498d73eb90cf7d1a4b8dff84662f481e29acdac0114a0565f909de0e2210964b07b1c4b7990c

Download Submit
C:\Windows\{7CD2BD63-D4CB-4407-9460-1503673389B6}.exe

Filesize
168KB

MD5
5ab49559b23c67b13dcab92eec8daa9a

SHA1
a4ffa4ded1ac4d8e1e13561b587b73f3d7131e08

SHA256
aaf67fe4f8786bf62ea89a9006ac6875414923237b27f763a28c360051b9752d

SHA512
80d8c773c4f33f18337a81ef9b3f87bf6420fbc8007ef57197ef498d73eb90cf7d1a4b8dff84662f481e29acdac0114a0565f909de0e2210964b07b1c4b7990c

Download Submit
C:\Windows\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe

Filesize
168KB

MD5
2e978e7cbdc4cabda3279cc693b70d3f

SHA1
b1136ecf8762b837837f3e1974d6d97314b2ab4c

SHA256
0afa944a673e99e0e3bbd86745e9da38787187643207577abb6a060be38730e2

SHA512
767200cfb3979ef54ebbe533ffddc665c963977f1ed3da3328f7444dcfa17c4173b6e8d289d08eb05a1456fe3e202c56fbd96ddf778d5448aa2bf82abd0a5a62

Download Submit
C:\Windows\{A96CF706-52B1-4a9a-87F0-5F9F47A8E5A8}.exe

Filesize
168KB

MD5
2e978e7cbdc4cabda3279cc693b70d3f

SHA1
b1136ecf8762b837837f3e1974d6d97314b2ab4c

SHA256
0afa944a673e99e0e3bbd86745e9da38787187643207577abb6a060be38730e2

SHA512
767200cfb3979ef54ebbe533ffddc665c963977f1ed3da3328f7444dcfa17c4173b6e8d289d08eb05a1456fe3e202c56fbd96ddf778d5448aa2bf82abd0a5a62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads