c5cd44292970870d42a878d44d5e4ea219c3c83b602a2ac7967a96f5f17f89df

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Size

380KB
MD5

7cfbf6f1aaa6026a57804ac67a268e57
SHA1

311ff0824af4eb39e4658cf6c3777a0738e535d5
SHA256

c5cd44292970870d42a878d44d5e4ea219c3c83b602a2ac7967a96f5f17f89df
SHA512

50a27edf298ccfcd24fe615245b3404e13ca0f5e86f7bf714dcf064da1944dbb886cead942104821731d0c489e5c918265eea37c4adc5d3b50c8a4c3bff029a9
SSDEEP

3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGnl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}\stubpath = "C:\\Windows\\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe"	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}\stubpath = "C:\\Windows\\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe"	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18849758-DA3F-4d32-B355-467517DBBB87}\stubpath = "C:\\Windows\\{18849758-DA3F-4d32-B355-467517DBBB87}.exe"	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD52873F-6057-481c-AB38-22BCDF1B80E8}	{18849758-DA3F-4d32-B355-467517DBBB87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36FC1589-40A8-40f3-A082-6A05AAA62A54}\stubpath = "C:\\Windows\\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe"	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF740924-03DA-4b76-96A1-167155BBA4AA}	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}\stubpath = "C:\\Windows\\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe"	{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065BCD81-8BC7-463e-998D-F2A1BA551323}	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36FC1589-40A8-40f3-A082-6A05AAA62A54}	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18849758-DA3F-4d32-B355-467517DBBB87}	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD52873F-6057-481c-AB38-22BCDF1B80E8}\stubpath = "C:\\Windows\\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe"	{18849758-DA3F-4d32-B355-467517DBBB87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}	{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{337862F2-94DF-4e22-9161-8B141C3057BE}	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F258ABD-AA68-43a4-A168-B5951A029091}\stubpath = "C:\\Windows\\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe"	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065BCD81-8BC7-463e-998D-F2A1BA551323}\stubpath = "C:\\Windows\\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe"	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F258ABD-AA68-43a4-A168-B5951A029091}	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF740924-03DA-4b76-96A1-167155BBA4AA}\stubpath = "C:\\Windows\\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe"	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}\stubpath = "C:\\Windows\\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe"	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{337862F2-94DF-4e22-9161-8B141C3057BE}\stubpath = "C:\\Windows\\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe"	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}\stubpath = "C:\\Windows\\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe"	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe
396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
688	{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
2188	{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
File created	C:\Windows\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
File created	C:\Windows\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
File created	C:\Windows\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
File created	C:\Windows\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
File created	C:\Windows\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	{18849758-DA3F-4d32-B355-467517DBBB87}.exe
File created	C:\Windows\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
File created	C:\Windows\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
File created	C:\Windows\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe	{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
File created	C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
File created	C:\Windows\{18849758-DA3F-4d32-B355-467517DBBB87}.exe	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
File created	C:\Windows\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
Token: SeIncBasePriorityPrivilege	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
Token: SeIncBasePriorityPrivilege	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
Token: SeIncBasePriorityPrivilege	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
Token: SeIncBasePriorityPrivilege	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
Token: SeManageVolumePrivilege	4120	svchost.exe
Token: SeIncBasePriorityPrivilege	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe
Token: SeIncBasePriorityPrivilege	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
Token: SeIncBasePriorityPrivilege	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
Token: SeIncBasePriorityPrivilege	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
Token: SeIncBasePriorityPrivilege	1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
Token: SeIncBasePriorityPrivilege	688	{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3248	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	96
PID 4760 wrote to memory of 3248	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	96
PID 4760 wrote to memory of 3248	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	96
PID 4760 wrote to memory of 4352	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	97
PID 4760 wrote to memory of 4352	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	97
PID 4760 wrote to memory of 4352	4760	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	97
PID 3248 wrote to memory of 1864	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	98
PID 3248 wrote to memory of 1864	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	98
PID 3248 wrote to memory of 1864	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	98
PID 3248 wrote to memory of 4116	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	99
PID 3248 wrote to memory of 4116	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	99
PID 3248 wrote to memory of 4116	3248	{337862F2-94DF-4e22-9161-8B141C3057BE}.exe	99
PID 1864 wrote to memory of 2312	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	106
PID 1864 wrote to memory of 2312	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	106
PID 1864 wrote to memory of 2312	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	106
PID 1864 wrote to memory of 3944	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	107
PID 1864 wrote to memory of 3944	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	107
PID 1864 wrote to memory of 3944	1864	{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe	107
PID 2312 wrote to memory of 4644	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	110
PID 2312 wrote to memory of 4644	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	110
PID 2312 wrote to memory of 4644	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	110
PID 2312 wrote to memory of 744	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	111
PID 2312 wrote to memory of 744	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	111
PID 2312 wrote to memory of 744	2312	{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe	111
PID 4644 wrote to memory of 2632	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	112
PID 4644 wrote to memory of 2632	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	112
PID 4644 wrote to memory of 2632	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	112
PID 4644 wrote to memory of 1864	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	113
PID 4644 wrote to memory of 1864	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	113
PID 4644 wrote to memory of 1864	4644	{5F258ABD-AA68-43a4-A168-B5951A029091}.exe	113
PID 2632 wrote to memory of 2144	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	115
PID 2632 wrote to memory of 2144	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	115
PID 2632 wrote to memory of 2144	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	115
PID 2632 wrote to memory of 1488	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	116
PID 2632 wrote to memory of 1488	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	116
PID 2632 wrote to memory of 1488	2632	{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe	116
PID 2144 wrote to memory of 396	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	123
PID 2144 wrote to memory of 396	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	123
PID 2144 wrote to memory of 396	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	123
PID 2144 wrote to memory of 856	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	124
PID 2144 wrote to memory of 856	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	124
PID 2144 wrote to memory of 856	2144	{18849758-DA3F-4d32-B355-467517DBBB87}.exe	124
PID 396 wrote to memory of 2788	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	125
PID 396 wrote to memory of 2788	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	125
PID 396 wrote to memory of 2788	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	125
PID 396 wrote to memory of 4332	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	126
PID 396 wrote to memory of 4332	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	126
PID 396 wrote to memory of 4332	396	{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe	126
PID 2788 wrote to memory of 2056	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	127
PID 2788 wrote to memory of 2056	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	127
PID 2788 wrote to memory of 2056	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	127
PID 2788 wrote to memory of 2300	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	128
PID 2788 wrote to memory of 2300	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	128
PID 2788 wrote to memory of 2300	2788	{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe	128
PID 2056 wrote to memory of 1868	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	129
PID 2056 wrote to memory of 1868	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	129
PID 2056 wrote to memory of 1868	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	129
PID 2056 wrote to memory of 1816	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	130
PID 2056 wrote to memory of 1816	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	130
PID 2056 wrote to memory of 1816	2056	{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe	130
PID 1868 wrote to memory of 688	1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe	131
PID 1868 wrote to memory of 688	1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe	131
PID 1868 wrote to memory of 688	1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe	131
PID 1868 wrote to memory of 628	1868	{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe	132

C:\Users\Admin\AppData\Local\Temp\2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
  C:\Windows\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
    C:\Windows\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
      C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
        
        C:\Windows\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
        
        C:\Windows\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{18849758-DA3F-4d32-B355-467517DBBB87}.exe
        
        C:\Windows\{18849758-DA3F-4d32-B355-467517DBBB87}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
        
        C:\Windows\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
        
        C:\Windows\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
        
        C:\Windows\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
        
        C:\Windows\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
        
        C:\Windows\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe
        
        C:\Windows\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe
        13⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B048~1.EXE > nul
        13⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AED5~1.EXE > nul
        12⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF740~1.EXE > nul
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36FC1~1.EXE > nul
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD528~1.EXE > nul
        9⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18849~1.EXE > nul
        8⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{065BC~1.EXE > nul
        7⤵
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F258~1.EXE > nul
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A2A4~1.EXE > nul
        5⤵
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88C2B~1.EXE > nul
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33786~1.EXE > nul
    3⤵
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe

Filesize
380KB

MD5
91c1208f3f18fb412218879028b7c181

SHA1
cb6b8c5c050db2e60c9a1f80827493847d6e7db8

SHA256
19f6094c1ed9d740645d02b7fb658826d659bb69a14ef8b5203c0d4b8ef464dd

SHA512
b41291375fb51bdd091479e1728df9d901c287f7f6f8e21047bb54ae4788ba902389d30179a29b5a6a54d1e8c1e147de11ae79632541c656877e4e2455823e11

Download Submit
C:\Windows\{065BCD81-8BC7-463e-998D-F2A1BA551323}.exe

Filesize
380KB

MD5
91c1208f3f18fb412218879028b7c181

SHA1
cb6b8c5c050db2e60c9a1f80827493847d6e7db8

SHA256
19f6094c1ed9d740645d02b7fb658826d659bb69a14ef8b5203c0d4b8ef464dd

SHA512
b41291375fb51bdd091479e1728df9d901c287f7f6f8e21047bb54ae4788ba902389d30179a29b5a6a54d1e8c1e147de11ae79632541c656877e4e2455823e11

Download Submit
C:\Windows\{18849758-DA3F-4d32-B355-467517DBBB87}.exe

Filesize
380KB

MD5
7a1aab324d5822e822253674fa945fe3

SHA1
9d740ce2d4b5935d4a19c944c441f915bdf22180

SHA256
0bed4fdfab015fcd65160b465dec5295f34813de699a2918f36db71fb2958792

SHA512
dfa52eb4f573e063d077e0fe9e99cc532e78d2b7f95252a907f1c1f14d7b9aa97a69113fd351e611bb0b23c1d47857502b75b6295b3e136de285d61c005387a2

Download Submit
C:\Windows\{18849758-DA3F-4d32-B355-467517DBBB87}.exe

Filesize
380KB

MD5
7a1aab324d5822e822253674fa945fe3

SHA1
9d740ce2d4b5935d4a19c944c441f915bdf22180

SHA256
0bed4fdfab015fcd65160b465dec5295f34813de699a2918f36db71fb2958792

SHA512
dfa52eb4f573e063d077e0fe9e99cc532e78d2b7f95252a907f1c1f14d7b9aa97a69113fd351e611bb0b23c1d47857502b75b6295b3e136de285d61c005387a2

Download Submit
C:\Windows\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe

Filesize
380KB

MD5
1aa64c7b44400eba41f92333af7f6e4a

SHA1
65ac0238becc9023af1a03d66744677008961db1

SHA256
20b72aa7ec963dea57774585fb578cd2a2c4711786051a8ba43d91800ae49b55

SHA512
96556710093d6cb57630d735928c4ff49ed055adcfd1a946467a1c20083749623d1c1cebe118b3a6ed655562691b89c3219f257412dfcc5dccc3676f2a802a91

Download Submit
C:\Windows\{2B048EE3-6AF7-4af0-A381-8C1076E6A8FF}.exe

Filesize
380KB

MD5
1aa64c7b44400eba41f92333af7f6e4a

SHA1
65ac0238becc9023af1a03d66744677008961db1

SHA256
20b72aa7ec963dea57774585fb578cd2a2c4711786051a8ba43d91800ae49b55

SHA512
96556710093d6cb57630d735928c4ff49ed055adcfd1a946467a1c20083749623d1c1cebe118b3a6ed655562691b89c3219f257412dfcc5dccc3676f2a802a91

Download Submit
C:\Windows\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe

Filesize
380KB

MD5
a24dd18c69024c5ab9f7de1ae1e59d1a

SHA1
e36a50281b5c47793fa9ec0be7709ba8ff26013e

SHA256
f2921a8cd48dc428e41dddf4e1bfeab47cbbade1474d9446a47b5d55ca702e4c

SHA512
2da30b5fbd64034970357ea2e59ec128d22f0a89af7b1991f4359c8664253394c12a2736f953fd9a50d27a5c095861e4f2fb6eb8a859537c620a2d91584738c3

Download Submit
C:\Windows\{337862F2-94DF-4e22-9161-8B141C3057BE}.exe

Filesize
380KB

MD5
a24dd18c69024c5ab9f7de1ae1e59d1a

SHA1
e36a50281b5c47793fa9ec0be7709ba8ff26013e

SHA256
f2921a8cd48dc428e41dddf4e1bfeab47cbbade1474d9446a47b5d55ca702e4c

SHA512
2da30b5fbd64034970357ea2e59ec128d22f0a89af7b1991f4359c8664253394c12a2736f953fd9a50d27a5c095861e4f2fb6eb8a859537c620a2d91584738c3

Download Submit
C:\Windows\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe

Filesize
380KB

MD5
27ba50db21d59e83d97cd994acdc7100

SHA1
22f2c3b9f646baed3b176c890a7631bb0431428d

SHA256
a26b84fb631174c7a447f5e7b38d45554c49a8d29b06318a8474e8ea3d4af061

SHA512
1bac757b97a72482cf5ea3b6d2d43247c24019193bc0c1932298c8579523c59beff5447a30f05c08f690ea1f806a9461a5f2353bd3a90a73a7256406a5819387

Download Submit
C:\Windows\{36FC1589-40A8-40f3-A082-6A05AAA62A54}.exe

Filesize
380KB

MD5
27ba50db21d59e83d97cd994acdc7100

SHA1
22f2c3b9f646baed3b176c890a7631bb0431428d

SHA256
a26b84fb631174c7a447f5e7b38d45554c49a8d29b06318a8474e8ea3d4af061

SHA512
1bac757b97a72482cf5ea3b6d2d43247c24019193bc0c1932298c8579523c59beff5447a30f05c08f690ea1f806a9461a5f2353bd3a90a73a7256406a5819387

Download Submit
C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe

Filesize
380KB

MD5
84f0b50df074a4b4cc1d8ecd91881550

SHA1
29009741f97772d3ebc1456f9aa0f846ecb3a451

SHA256
12009c5687eb4a7ad2e3e952ac4085d341c77a983012b8e6cd50111e54aac038

SHA512
c6530ed5eb90fbf3b7fe937d38f43e44c99ee74c800324257443d9796784554130198e74d2877b1ba41766709a8e076db4c16323f5821aeb7513e7fbb35827e5

Download Submit
C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe

Filesize
380KB

MD5
84f0b50df074a4b4cc1d8ecd91881550

SHA1
29009741f97772d3ebc1456f9aa0f846ecb3a451

SHA256
12009c5687eb4a7ad2e3e952ac4085d341c77a983012b8e6cd50111e54aac038

SHA512
c6530ed5eb90fbf3b7fe937d38f43e44c99ee74c800324257443d9796784554130198e74d2877b1ba41766709a8e076db4c16323f5821aeb7513e7fbb35827e5

Download Submit
C:\Windows\{3A2A4137-F199-4350-9F1F-A07A72CE70E8}.exe

Filesize
380KB

MD5
84f0b50df074a4b4cc1d8ecd91881550

SHA1
29009741f97772d3ebc1456f9aa0f846ecb3a451

SHA256
12009c5687eb4a7ad2e3e952ac4085d341c77a983012b8e6cd50111e54aac038

SHA512
c6530ed5eb90fbf3b7fe937d38f43e44c99ee74c800324257443d9796784554130198e74d2877b1ba41766709a8e076db4c16323f5821aeb7513e7fbb35827e5

Download Submit
C:\Windows\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe

Filesize
380KB

MD5
c5bebf9567372d493425812d400b5cb4

SHA1
930dfaa88f74370d54923690ed4c86470bff0357

SHA256
414f3c532c3c81886a33a6dba9e67c788c3557c998815ef5ccf8d613c452fe7a

SHA512
1a6307d4552fe9a011db7a96ac3ec9edeac691c9c5c047136e5fb0c402ff870775857442a17bf0341b4baf988b28e9c7cc8c35f4671fb6831346d10cf3d18412

Download Submit
C:\Windows\{4AED5AF6-4833-4019-A032-6BFF44B8EC85}.exe

Filesize
380KB

MD5
c5bebf9567372d493425812d400b5cb4

SHA1
930dfaa88f74370d54923690ed4c86470bff0357

SHA256
414f3c532c3c81886a33a6dba9e67c788c3557c998815ef5ccf8d613c452fe7a

SHA512
1a6307d4552fe9a011db7a96ac3ec9edeac691c9c5c047136e5fb0c402ff870775857442a17bf0341b4baf988b28e9c7cc8c35f4671fb6831346d10cf3d18412

Download Submit
C:\Windows\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe

Filesize
380KB

MD5
6d9d27bd0d6c9fd38f264e0efc924f2f

SHA1
b55afcf511c85a6e9f50bc7abb80bde8195d627b

SHA256
ee20667468a98047624c744609e0465616dfdd111e3934b9208f032aa0a5b9bd

SHA512
81a2645f521db5c658053b5ae5833b2585f31727b6fba26c45a2a8e46f964afcf63f98f2b16f05b12ed72cab8e527350d65863898a29d5723e1c4b724ff8a5a9

Download Submit
C:\Windows\{5F258ABD-AA68-43a4-A168-B5951A029091}.exe

Filesize
380KB

MD5
6d9d27bd0d6c9fd38f264e0efc924f2f

SHA1
b55afcf511c85a6e9f50bc7abb80bde8195d627b

SHA256
ee20667468a98047624c744609e0465616dfdd111e3934b9208f032aa0a5b9bd

SHA512
81a2645f521db5c658053b5ae5833b2585f31727b6fba26c45a2a8e46f964afcf63f98f2b16f05b12ed72cab8e527350d65863898a29d5723e1c4b724ff8a5a9

Download Submit
C:\Windows\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe

Filesize
380KB

MD5
a07d391a59193690305a3e7ea79ab0f6

SHA1
cc3cbae3753a23d94c0d8b85e9e14ebfae5a6630

SHA256
48ceca6ecccdf24b0f580204a475b7bd17028426b331eef223c0e2e5d361832e

SHA512
66c456b64f8f18410083f8f696561399ca894839d19d59fd31d38bd67c617a25981f947dd025374b8ca5b37fb05e645c1b595dd94e6dab8db988a72ed61a67ce

Download Submit
C:\Windows\{88C2B3A1-D4D8-4525-9CC5-AF225546605F}.exe

Filesize
380KB

MD5
a07d391a59193690305a3e7ea79ab0f6

SHA1
cc3cbae3753a23d94c0d8b85e9e14ebfae5a6630

SHA256
48ceca6ecccdf24b0f580204a475b7bd17028426b331eef223c0e2e5d361832e

SHA512
66c456b64f8f18410083f8f696561399ca894839d19d59fd31d38bd67c617a25981f947dd025374b8ca5b37fb05e645c1b595dd94e6dab8db988a72ed61a67ce

Download Submit
C:\Windows\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe

Filesize
380KB

MD5
d0b638324beb2b9faff71911caeeaa71

SHA1
d4d87ad78bb2e3b362562fc2067b4f502668a68b

SHA256
fefb4d0127bc28c9f839d1540a836af688de739a49bd6a504ad988a593cf730a

SHA512
a59d0ed22c7d3a9396a2ccd36a1bbfdd54b2dacd0a64505e19ba30afe182586aa5f8e0ff87ee2608b1b1b62152424b8a7d48de675a7fdc90883fb7f968958494

Download Submit
C:\Windows\{DD52873F-6057-481c-AB38-22BCDF1B80E8}.exe

Filesize
380KB

MD5
d0b638324beb2b9faff71911caeeaa71

SHA1
d4d87ad78bb2e3b362562fc2067b4f502668a68b

SHA256
fefb4d0127bc28c9f839d1540a836af688de739a49bd6a504ad988a593cf730a

SHA512
a59d0ed22c7d3a9396a2ccd36a1bbfdd54b2dacd0a64505e19ba30afe182586aa5f8e0ff87ee2608b1b1b62152424b8a7d48de675a7fdc90883fb7f968958494

Download Submit
C:\Windows\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe

Filesize
380KB

MD5
27f77e63b0ba54f3993b0df8df4bac15

SHA1
d628b99c075e33940e79ebd1a756f9d1e1bb9620

SHA256
f6d29277cb6bc246fa0a1ef8892615ee09ea96818d63668764b121546746764f

SHA512
4be9ad78f27410a04cea0d45a16249b67eebe4d4b3de636cb9f24a94ff8280ac71a84719a54f93ba3124b424d8562630a9a52baa6600045d762394d3903ab9d9

Download Submit
C:\Windows\{EA1113EC-4AC0-4968-92B8-E6FF3617FB44}.exe

Filesize
380KB

MD5
27f77e63b0ba54f3993b0df8df4bac15

SHA1
d628b99c075e33940e79ebd1a756f9d1e1bb9620

SHA256
f6d29277cb6bc246fa0a1ef8892615ee09ea96818d63668764b121546746764f

SHA512
4be9ad78f27410a04cea0d45a16249b67eebe4d4b3de636cb9f24a94ff8280ac71a84719a54f93ba3124b424d8562630a9a52baa6600045d762394d3903ab9d9

Download Submit
C:\Windows\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe

Filesize
380KB

MD5
8307633a29bda9d23cb2f12d69165972

SHA1
73560a13060a2daa746cafaa1d3d28779b17cbb3

SHA256
ffd1a58b05a82b87f6ecff105b870158f0d0bff58ed1a5632bd3a9e073f858a6

SHA512
78e747354fa36d6b8c7b4775e68da05868ee8ef2e9cb56286fbaea9cb4f301f15518dfb10fa5b482d4598a89d6877baec9f9102005ef223c915bf7fb039da275

Download Submit
C:\Windows\{FF740924-03DA-4b76-96A1-167155BBA4AA}.exe

Filesize
380KB

MD5
8307633a29bda9d23cb2f12d69165972

SHA1
73560a13060a2daa746cafaa1d3d28779b17cbb3

SHA256
ffd1a58b05a82b87f6ecff105b870158f0d0bff58ed1a5632bd3a9e073f858a6

SHA512
78e747354fa36d6b8c7b4775e68da05868ee8ef2e9cb56286fbaea9cb4f301f15518dfb10fa5b482d4598a89d6877baec9f9102005ef223c915bf7fb039da275

Download Submit
memory/4120-40-0x000002117B240000-0x000002117B250000-memory.dmp

Filesize
64KB

Download
memory/4120-24-0x000002117B140000-0x000002117B150000-memory.dmp

Filesize
64KB

Download
memory/4120-59-0x000002117F560000-0x000002117F561000-memory.dmp

Filesize
4KB

Download
memory/4120-56-0x000002117F530000-0x000002117F531000-memory.dmp

Filesize
4KB

Download
memory/4120-58-0x000002117F560000-0x000002117F561000-memory.dmp

Filesize
4KB

Download
memory/4120-60-0x000002117F670000-0x000002117F671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads