6da2b4bc35a578b28c8df45c7d73cfa54f4c7f97d1df6226c9986c1882d45a4c

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
Size

408KB
MD5

41b1006f34bfa0828bb39749b71328ae
SHA1

cf255a48b243d2ea739e5733affd11d43eb16432
SHA256

6da2b4bc35a578b28c8df45c7d73cfa54f4c7f97d1df6226c9986c1882d45a4c
SHA512

5375c627a9bb2330e6882a8ce2c15281a5d1838970be498daa856b19eacc49732b41769e20048411f1bf9b92733948d0e96c08b260a2d9f480ec161c6910842f
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG+ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}\stubpath = "C:\\Windows\\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe"	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBEDB451-840D-4785-95C6-B5DF708C73E6}	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C60BE3B8-70C0-471e-92CF-66226806806F}\stubpath = "C:\\Windows\\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe"	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FD1D23-AECA-4411-8DC6-0053A42BA594}\stubpath = "C:\\Windows\\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe"	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}\stubpath = "C:\\Windows\\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe"	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}\stubpath = "C:\\Windows\\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe"	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A0073C-5C9D-4458-8D38-AE891147A14D}\stubpath = "C:\\Windows\\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe"	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBEDB451-840D-4785-95C6-B5DF708C73E6}\stubpath = "C:\\Windows\\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe"	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}\stubpath = "C:\\Windows\\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe"	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F133280-7F01-4b0c-90AD-4EA95897BD41}	{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15ABEE98-3746-4d89-AC72-C62B635A6364}\stubpath = "C:\\Windows\\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe"	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}\stubpath = "C:\\Windows\\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe"	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C60BE3B8-70C0-471e-92CF-66226806806F}	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A0073C-5C9D-4458-8D38-AE891147A14D}	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F133280-7F01-4b0c-90AD-4EA95897BD41}\stubpath = "C:\\Windows\\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe"	{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15ABEE98-3746-4d89-AC72-C62B635A6364}	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}\stubpath = "C:\\Windows\\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe"	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FD1D23-AECA-4411-8DC6-0053A42BA594}	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe

Executes dropped EXE 12 IoCs

pid	Process
2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
2620	{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
3296	{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
File created	C:\Windows\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
File created	C:\Windows\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
File created	C:\Windows\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
File created	C:\Windows\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
File created	C:\Windows\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
File created	C:\Windows\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
File created	C:\Windows\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
File created	C:\Windows\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
File created	C:\Windows\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe	{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
File created	C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
File created	C:\Windows\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
Token: SeIncBasePriorityPrivilege	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
Token: SeIncBasePriorityPrivilege	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
Token: SeIncBasePriorityPrivilege	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
Token: SeIncBasePriorityPrivilege	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
Token: SeIncBasePriorityPrivilege	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
Token: SeIncBasePriorityPrivilege	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
Token: SeIncBasePriorityPrivilege	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
Token: SeIncBasePriorityPrivilege	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
Token: SeIncBasePriorityPrivilege	2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
Token: SeIncBasePriorityPrivilege	2620	{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2348	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	89
PID 5040 wrote to memory of 2348	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	89
PID 5040 wrote to memory of 2348	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	89
PID 5040 wrote to memory of 1596	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	90
PID 5040 wrote to memory of 1596	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	90
PID 5040 wrote to memory of 1596	5040	41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe	90
PID 2348 wrote to memory of 4272	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	91
PID 2348 wrote to memory of 4272	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	91
PID 2348 wrote to memory of 4272	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	91
PID 2348 wrote to memory of 4012	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	92
PID 2348 wrote to memory of 4012	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	92
PID 2348 wrote to memory of 4012	2348	{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe	92
PID 4272 wrote to memory of 1872	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	94
PID 4272 wrote to memory of 1872	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	94
PID 4272 wrote to memory of 1872	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	94
PID 4272 wrote to memory of 2928	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	95
PID 4272 wrote to memory of 2928	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	95
PID 4272 wrote to memory of 2928	4272	{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe	95
PID 1872 wrote to memory of 3764	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	96
PID 1872 wrote to memory of 3764	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	96
PID 1872 wrote to memory of 3764	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	96
PID 1872 wrote to memory of 3940	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	97
PID 1872 wrote to memory of 3940	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	97
PID 1872 wrote to memory of 3940	1872	{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe	97
PID 3764 wrote to memory of 3360	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	98
PID 3764 wrote to memory of 3360	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	98
PID 3764 wrote to memory of 3360	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	98
PID 3764 wrote to memory of 3668	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	99
PID 3764 wrote to memory of 3668	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	99
PID 3764 wrote to memory of 3668	3764	{C60BE3B8-70C0-471e-92CF-66226806806F}.exe	99
PID 3360 wrote to memory of 4960	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	100
PID 3360 wrote to memory of 4960	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	100
PID 3360 wrote to memory of 4960	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	100
PID 3360 wrote to memory of 3532	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	101
PID 3360 wrote to memory of 3532	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	101
PID 3360 wrote to memory of 3532	3360	{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe	101
PID 4960 wrote to memory of 1404	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	102
PID 4960 wrote to memory of 1404	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	102
PID 4960 wrote to memory of 1404	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	102
PID 4960 wrote to memory of 3792	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	103
PID 4960 wrote to memory of 3792	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	103
PID 4960 wrote to memory of 3792	4960	{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe	103
PID 1404 wrote to memory of 1920	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	104
PID 1404 wrote to memory of 1920	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	104
PID 1404 wrote to memory of 1920	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	104
PID 1404 wrote to memory of 2300	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	105
PID 1404 wrote to memory of 2300	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	105
PID 1404 wrote to memory of 2300	1404	{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe	105
PID 1920 wrote to memory of 1016	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	106
PID 1920 wrote to memory of 1016	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	106
PID 1920 wrote to memory of 1016	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	106
PID 1920 wrote to memory of 4672	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	107
PID 1920 wrote to memory of 4672	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	107
PID 1920 wrote to memory of 4672	1920	{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe	107
PID 1016 wrote to memory of 2168	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	108
PID 1016 wrote to memory of 2168	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	108
PID 1016 wrote to memory of 2168	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	108
PID 1016 wrote to memory of 3280	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	109
PID 1016 wrote to memory of 3280	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	109
PID 1016 wrote to memory of 3280	1016	{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe	109
PID 2168 wrote to memory of 2620	2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe	110
PID 2168 wrote to memory of 2620	2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe	110
PID 2168 wrote to memory of 2620	2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe	110
PID 2168 wrote to memory of 3844	2168	{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe	111

C:\Users\Admin\AppData\Local\Temp\41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\41b1006f34bfa0828bb39749b71328ae_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
  C:\Windows\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
    C:\Windows\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
      C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
        
        C:\Windows\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
        
        C:\Windows\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
        
        C:\Windows\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
        
        C:\Windows\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
        
        C:\Windows\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
        
        C:\Windows\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
        
        C:\Windows\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
        
        C:\Windows\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe
        
        C:\Windows\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe
        13⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A00~1.EXE > nul
        13⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DB33~1.EXE > nul
        12⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE09B~1.EXE > nul
        11⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47FD1~1.EXE > nul
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C34~1.EXE > nul
        9⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49AC1~1.EXE > nul
        8⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF2B~1.EXE > nul
        7⤵
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C60BE~1.EXE > nul
        6⤵
        
        PID:3668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBEDB~1.EXE > nul
        5⤵
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{154EC~1.EXE > nul
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{15ABE~1.EXE > nul
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\41B100~1.EXE > nul
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe

Filesize
408KB

MD5
9627f2b09c78c2c83bc248b7790605a5

SHA1
02f1cd36f6ad0ee26b892d039b39851118b9d286

SHA256
8b76cfb3a0c628bca7773968e0a79739cd55fd959632ae5b34d4782b5dfe5a92

SHA512
a84ab120ded3457eebc9036479df984ffd7555e482f616d2caebd7cb4703e9620f0c115ed05c24c69cea6d0a70b09ff49aa68adbbda16011dddda3635a975aca

Download Submit
C:\Windows\{154EC162-4FE4-4077-8306-CB9BFDE6F05E}.exe

Filesize
408KB

MD5
9627f2b09c78c2c83bc248b7790605a5

SHA1
02f1cd36f6ad0ee26b892d039b39851118b9d286

SHA256
8b76cfb3a0c628bca7773968e0a79739cd55fd959632ae5b34d4782b5dfe5a92

SHA512
a84ab120ded3457eebc9036479df984ffd7555e482f616d2caebd7cb4703e9620f0c115ed05c24c69cea6d0a70b09ff49aa68adbbda16011dddda3635a975aca

Download Submit
C:\Windows\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe

Filesize
408KB

MD5
9a52672d15b3ba243cea85235bdf1ece

SHA1
2e8dd9dd62aa63d8387f60a160f6f1443161fada

SHA256
78c4bf91007c71cfdb8ec3bb774be28dc2cf770bc96342ad140e946836e171ac

SHA512
4e461ecc4076f125abac7f1d0c286bc88d4377ecb77c148cf28b176d0aadf2bd5fd13341d7c5b5d8ec10f189eae7f8e0b7f4c9f4031ac6aaa8d961fd89119bd1

Download Submit
C:\Windows\{15ABEE98-3746-4d89-AC72-C62B635A6364}.exe

Filesize
408KB

MD5
9a52672d15b3ba243cea85235bdf1ece

SHA1
2e8dd9dd62aa63d8387f60a160f6f1443161fada

SHA256
78c4bf91007c71cfdb8ec3bb774be28dc2cf770bc96342ad140e946836e171ac

SHA512
4e461ecc4076f125abac7f1d0c286bc88d4377ecb77c148cf28b176d0aadf2bd5fd13341d7c5b5d8ec10f189eae7f8e0b7f4c9f4031ac6aaa8d961fd89119bd1

Download Submit
C:\Windows\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe

Filesize
408KB

MD5
bc96733a7054f83aabcefffac45dd161

SHA1
141b21d9d49053a35676c57fff884e8b87e0c017

SHA256
b53beacb17a9d2658a79c62c6d0677833a2d520a2deff4d3441fe5a335462ee6

SHA512
1862282a79d1dbca46b7139e125fd6e48d6b0034751204482c7d363751f05e185e13d2017848cff3734948357a3b3a985c98f14afeac5a66c904f53b9488afb0

Download Submit
C:\Windows\{2F133280-7F01-4b0c-90AD-4EA95897BD41}.exe

Filesize
408KB

MD5
bc96733a7054f83aabcefffac45dd161

SHA1
141b21d9d49053a35676c57fff884e8b87e0c017

SHA256
b53beacb17a9d2658a79c62c6d0677833a2d520a2deff4d3441fe5a335462ee6

SHA512
1862282a79d1dbca46b7139e125fd6e48d6b0034751204482c7d363751f05e185e13d2017848cff3734948357a3b3a985c98f14afeac5a66c904f53b9488afb0

Download Submit
C:\Windows\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe

Filesize
408KB

MD5
c13eaedcaf74e0fff176f2d1ea8085b8

SHA1
952b1f01f64a1afc2e848e81dc415e4747ef455f

SHA256
96ed6914a6fe34a20c9b53a0a8e695b79165bfda20eae7fa01c57d0ee8758c1f

SHA512
b00a73d9fb002639992b4b6f15fc2792abdff84027d93618a78c9dfb3afcfe16ce2edfa367c803e09865c25e63948834ab96161fb30a81792275f8b19d9b7ed5

Download Submit
C:\Windows\{47FD1D23-AECA-4411-8DC6-0053A42BA594}.exe

Filesize
408KB

MD5
c13eaedcaf74e0fff176f2d1ea8085b8

SHA1
952b1f01f64a1afc2e848e81dc415e4747ef455f

SHA256
96ed6914a6fe34a20c9b53a0a8e695b79165bfda20eae7fa01c57d0ee8758c1f

SHA512
b00a73d9fb002639992b4b6f15fc2792abdff84027d93618a78c9dfb3afcfe16ce2edfa367c803e09865c25e63948834ab96161fb30a81792275f8b19d9b7ed5

Download Submit
C:\Windows\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe

Filesize
408KB

MD5
356ef916d0a40b7ca9747ac00de33ecc

SHA1
265f9fd8ae682defd0ab01e9f0e1fd6fb532d077

SHA256
e58a423536d485f2d0410ea0d33e734ed95fad929a6869096c3c71f01d311239

SHA512
3a16c0a432507bcc0618a5d20c9d685c2e84d30acbf409fe29bf3fb5a811368a1c6f71d9cd7aa0dd84fcf857c0cedf5538ac95f1245e53d658f1f8f2746f4981

Download Submit
C:\Windows\{49AC1483-65D9-4f7e-8B17-D244B0F1F2F2}.exe

Filesize
408KB

MD5
356ef916d0a40b7ca9747ac00de33ecc

SHA1
265f9fd8ae682defd0ab01e9f0e1fd6fb532d077

SHA256
e58a423536d485f2d0410ea0d33e734ed95fad929a6869096c3c71f01d311239

SHA512
3a16c0a432507bcc0618a5d20c9d685c2e84d30acbf409fe29bf3fb5a811368a1c6f71d9cd7aa0dd84fcf857c0cedf5538ac95f1245e53d658f1f8f2746f4981

Download Submit
C:\Windows\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe

Filesize
408KB

MD5
5b16ae897927451242e7b00e9e59e605

SHA1
d404cae86005b86846144cb6b24570d06ba1c2b8

SHA256
afc813ed67a32889e2667dbbdb04fe513ec6d2bef678039e4ba4ca2178f63c4c

SHA512
ae36f52843447dd7c08c2a17bc8a54ffd562f1eed71c37e1712423013963df23c05cb5e36ba1330424fabc07b1e6997683c65be04b8cb3a27fd90dcd5401c65b

Download Submit
C:\Windows\{53A0073C-5C9D-4458-8D38-AE891147A14D}.exe

Filesize
408KB

MD5
5b16ae897927451242e7b00e9e59e605

SHA1
d404cae86005b86846144cb6b24570d06ba1c2b8

SHA256
afc813ed67a32889e2667dbbdb04fe513ec6d2bef678039e4ba4ca2178f63c4c

SHA512
ae36f52843447dd7c08c2a17bc8a54ffd562f1eed71c37e1712423013963df23c05cb5e36ba1330424fabc07b1e6997683c65be04b8cb3a27fd90dcd5401c65b

Download Submit
C:\Windows\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe

Filesize
408KB

MD5
de38d0c426cea7ea04d70593d18f6b4e

SHA1
fb16a156ff6fd1a1b36cb975b55bc36294ef453e

SHA256
8ed86e6232072dced26e5ebed78688472135ea36b9671852865dc909cae74a28

SHA512
eaac8534c39f78cd93bee0ac939f2f8f3cc2c31839b9723017f1aadee76976058978b0993fa0c8ddcbafca1a9a46b4e6d461de0490d0b1de246e8b3dbee7955e

Download Submit
C:\Windows\{7DB333E2-7E52-42fa-BA67-5C7D216E1343}.exe

Filesize
408KB

MD5
de38d0c426cea7ea04d70593d18f6b4e

SHA1
fb16a156ff6fd1a1b36cb975b55bc36294ef453e

SHA256
8ed86e6232072dced26e5ebed78688472135ea36b9671852865dc909cae74a28

SHA512
eaac8534c39f78cd93bee0ac939f2f8f3cc2c31839b9723017f1aadee76976058978b0993fa0c8ddcbafca1a9a46b4e6d461de0490d0b1de246e8b3dbee7955e

Download Submit
C:\Windows\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe

Filesize
408KB

MD5
20141ed27b79291877e91220ad232eb2

SHA1
b9e78b322cc54e327853ea9619f1d2aa40f87ad5

SHA256
eb93546437d412d7bc40e219918f8760cc8078961e285fdf99e178a146839af0

SHA512
6987f99a59806fdb7b6cfd5aac7de9740beb277bde4b28f25ed7d720703c5b60d3478714c2c63ee35ec7935b14e18baaab7c4517721bc4581dd3059fcc8d01c9

Download Submit
C:\Windows\{ADF2B3E2-B8F9-4b8e-BD01-4B0CD56E5643}.exe

Filesize
408KB

MD5
20141ed27b79291877e91220ad232eb2

SHA1
b9e78b322cc54e327853ea9619f1d2aa40f87ad5

SHA256
eb93546437d412d7bc40e219918f8760cc8078961e285fdf99e178a146839af0

SHA512
6987f99a59806fdb7b6cfd5aac7de9740beb277bde4b28f25ed7d720703c5b60d3478714c2c63ee35ec7935b14e18baaab7c4517721bc4581dd3059fcc8d01c9

Download Submit
C:\Windows\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe

Filesize
408KB

MD5
e8f6fdc59cdc9d058ce2f70b360e6582

SHA1
da4e979d893b53fb0683710be5072bc7666178fe

SHA256
1b90f13665802d45c2c64f02f083c737e5fc05958ff4494559dd2e944a2e38aa

SHA512
ef9e71ea2322696216c1b1e0243fb70c2c5a7008fcc4a9ebf9e781442541f3ea0368f7acf5f2443a5e14575873533ce006c912b1d4fa8f611d07de0acece96ff

Download Submit
C:\Windows\{B7C34A1E-8FF2-4aff-9A6A-008C0A87E1A2}.exe

Filesize
408KB

MD5
e8f6fdc59cdc9d058ce2f70b360e6582

SHA1
da4e979d893b53fb0683710be5072bc7666178fe

SHA256
1b90f13665802d45c2c64f02f083c737e5fc05958ff4494559dd2e944a2e38aa

SHA512
ef9e71ea2322696216c1b1e0243fb70c2c5a7008fcc4a9ebf9e781442541f3ea0368f7acf5f2443a5e14575873533ce006c912b1d4fa8f611d07de0acece96ff

Download Submit
C:\Windows\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe

Filesize
408KB

MD5
098f28467e93fd941e375efdb50ac6af

SHA1
7ef23763121541509a0032127f808a44cad0d341

SHA256
ee468d0c432363308c66302ba6d2884314bcf2ce2f12abf7717edb4515df60dd

SHA512
b0fa068c860d44970b2088a75da3dad80c3a739e9789908f69b00278868090b2edd67d5d6ff0516bfa9d28f9349ab623b2ef6dc4386d504b12ae9a854cba52a8

Download Submit
C:\Windows\{C60BE3B8-70C0-471e-92CF-66226806806F}.exe

Filesize
408KB

MD5
098f28467e93fd941e375efdb50ac6af

SHA1
7ef23763121541509a0032127f808a44cad0d341

SHA256
ee468d0c432363308c66302ba6d2884314bcf2ce2f12abf7717edb4515df60dd

SHA512
b0fa068c860d44970b2088a75da3dad80c3a739e9789908f69b00278868090b2edd67d5d6ff0516bfa9d28f9349ab623b2ef6dc4386d504b12ae9a854cba52a8

Download Submit
C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe

Filesize
408KB

MD5
7a6503cd43a868d2b6f020bd7d4e6239

SHA1
e258ef13593a2d492e87187b4c6d3ecd305107be

SHA256
cca659d04ec07ef6d28e0b38023ef579ee3b7ba89b1d1a39c2f01c0073f730fb

SHA512
78632806daea9cc1fffa70e53afed3c0a7ed4b5586871970d4c08b38551995b1e8425eb491bdef8ae23c5d06117a13994f7606014acd14f3095d513f79571567

Download Submit
C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe

Filesize
408KB

MD5
7a6503cd43a868d2b6f020bd7d4e6239

SHA1
e258ef13593a2d492e87187b4c6d3ecd305107be

SHA256
cca659d04ec07ef6d28e0b38023ef579ee3b7ba89b1d1a39c2f01c0073f730fb

SHA512
78632806daea9cc1fffa70e53afed3c0a7ed4b5586871970d4c08b38551995b1e8425eb491bdef8ae23c5d06117a13994f7606014acd14f3095d513f79571567

Download Submit
C:\Windows\{CBEDB451-840D-4785-95C6-B5DF708C73E6}.exe

Filesize
408KB

MD5
7a6503cd43a868d2b6f020bd7d4e6239

SHA1
e258ef13593a2d492e87187b4c6d3ecd305107be

SHA256
cca659d04ec07ef6d28e0b38023ef579ee3b7ba89b1d1a39c2f01c0073f730fb

SHA512
78632806daea9cc1fffa70e53afed3c0a7ed4b5586871970d4c08b38551995b1e8425eb491bdef8ae23c5d06117a13994f7606014acd14f3095d513f79571567

Download Submit
C:\Windows\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe

Filesize
408KB

MD5
746f2b6e008de0267fee973fc2a489bb

SHA1
e4d8d7de6b69f86fcca870cfec75e3e4d0b914e4

SHA256
d250e8c28615169b4f5a4ca36daea87566323147da38f62e9ad522cc3bdb144d

SHA512
cc0be5cfba5766ea30c5845be66382bbe0c01daaa4e273525da2f26fe0a9b2897d665e33d3033a589787d8edbb7f594eed668bcf8c84aa97f91b10123095589c

Download Submit
C:\Windows\{DE09BD14-F6CF-4b09-AD4A-9C6F8D0AC873}.exe

Filesize
408KB

MD5
746f2b6e008de0267fee973fc2a489bb

SHA1
e4d8d7de6b69f86fcca870cfec75e3e4d0b914e4

SHA256
d250e8c28615169b4f5a4ca36daea87566323147da38f62e9ad522cc3bdb144d

SHA512
cc0be5cfba5766ea30c5845be66382bbe0c01daaa4e273525da2f26fe0a9b2897d665e33d3033a589787d8edbb7f594eed668bcf8c84aa97f91b10123095589c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads