7cc166e48aab4d7a81e20d32775e077c44348e39469ec53dc9a8fc4c998d77f2

Analysis

max time kernel
163s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
Size

192KB
MD5

9d1fd27c748ae89a2920989bcf690ade
SHA1

8f4995496363c74e9bd209f05ea39fbc80eea304
SHA256

7cc166e48aab4d7a81e20d32775e077c44348e39469ec53dc9a8fc4c998d77f2
SHA512

4d040d52201e434ac3effd17ee10e29628ae0098a35c90f3e1ad6e1e3804ab285557ff3f79c8603578646af759eb7928915ff99d18709a51641e98239f38b52e
SSDEEP

1536:1EGh0o2l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o2l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC669DB-86FF-498a-8B62-1B126F88F440}	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC669DB-86FF-498a-8B62-1B126F88F440}\stubpath = "C:\\Windows\\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe"	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73F7E9BA-DD21-4410-A53A-CB183E43C053}\stubpath = "C:\\Windows\\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe"	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}\stubpath = "C:\\Windows\\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe"	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}\stubpath = "C:\\Windows\\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe"	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F10A96C-F27E-4153-9672-30B3B253C3E3}\stubpath = "C:\\Windows\\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe"	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}\stubpath = "C:\\Windows\\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe"	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73F7E9BA-DD21-4410-A53A-CB183E43C053}	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}\stubpath = "C:\\Windows\\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe"	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}\stubpath = "C:\\Windows\\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe"	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}\stubpath = "C:\\Windows\\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe"	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}\stubpath = "C:\\Windows\\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe"	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}\stubpath = "C:\\Windows\\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe"	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F10A96C-F27E-4153-9672-30B3B253C3E3}	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe

Executes dropped EXE 11 IoCs

pid	Process
1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe
4196	{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
File created	C:\Windows\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
File created	C:\Windows\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
File created	C:\Windows\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
File created	C:\Windows\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
File created	C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
File created	C:\Windows\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
File created	C:\Windows\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
File created	C:\Windows\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
File created	C:\Windows\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
File created	C:\Windows\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
Token: SeIncBasePriorityPrivilege	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
Token: SeIncBasePriorityPrivilege	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
Token: SeIncBasePriorityPrivilege	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
Token: SeIncBasePriorityPrivilege	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
Token: SeIncBasePriorityPrivilege	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
Token: SeIncBasePriorityPrivilege	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
Token: SeIncBasePriorityPrivilege	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
Token: SeIncBasePriorityPrivilege	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
Token: SeIncBasePriorityPrivilege	4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1688	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	88
PID 4876 wrote to memory of 1688	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	88
PID 4876 wrote to memory of 1688	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	88
PID 4876 wrote to memory of 444	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	89
PID 4876 wrote to memory of 444	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	89
PID 4876 wrote to memory of 444	4876	9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe	89
PID 1688 wrote to memory of 4684	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	92
PID 1688 wrote to memory of 4684	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	92
PID 1688 wrote to memory of 4684	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	92
PID 1688 wrote to memory of 2912	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	93
PID 1688 wrote to memory of 2912	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	93
PID 1688 wrote to memory of 2912	1688	{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe	93
PID 4684 wrote to memory of 4188	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	94
PID 4684 wrote to memory of 4188	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	94
PID 4684 wrote to memory of 4188	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	94
PID 4684 wrote to memory of 5056	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	95
PID 4684 wrote to memory of 5056	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	95
PID 4684 wrote to memory of 5056	4684	{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe	95
PID 4188 wrote to memory of 2348	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	96
PID 4188 wrote to memory of 2348	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	96
PID 4188 wrote to memory of 2348	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	96
PID 4188 wrote to memory of 1260	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	97
PID 4188 wrote to memory of 1260	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	97
PID 4188 wrote to memory of 1260	4188	{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe	97
PID 2348 wrote to memory of 3712	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	98
PID 2348 wrote to memory of 3712	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	98
PID 2348 wrote to memory of 3712	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	98
PID 2348 wrote to memory of 3900	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	99
PID 2348 wrote to memory of 3900	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	99
PID 2348 wrote to memory of 3900	2348	{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe	99
PID 3712 wrote to memory of 1212	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	100
PID 3712 wrote to memory of 1212	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	100
PID 3712 wrote to memory of 1212	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	100
PID 3712 wrote to memory of 4680	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	101
PID 3712 wrote to memory of 4680	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	101
PID 3712 wrote to memory of 4680	3712	{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe	101
PID 1212 wrote to memory of 4024	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	102
PID 1212 wrote to memory of 4024	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	102
PID 1212 wrote to memory of 4024	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	102
PID 1212 wrote to memory of 5028	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	103
PID 1212 wrote to memory of 5028	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	103
PID 1212 wrote to memory of 5028	1212	{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe	103
PID 4024 wrote to memory of 1416	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	105
PID 4024 wrote to memory of 1416	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	105
PID 4024 wrote to memory of 1416	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	105
PID 4024 wrote to memory of 4404	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	104
PID 4024 wrote to memory of 4404	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	104
PID 4024 wrote to memory of 4404	4024	{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe	104
PID 1416 wrote to memory of 1360	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	106
PID 1416 wrote to memory of 1360	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	106
PID 1416 wrote to memory of 1360	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	106
PID 1416 wrote to memory of 2576	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	107
PID 1416 wrote to memory of 2576	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	107
PID 1416 wrote to memory of 2576	1416	{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe	107
PID 1360 wrote to memory of 4992	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	108
PID 1360 wrote to memory of 4992	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	108
PID 1360 wrote to memory of 4992	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	108
PID 1360 wrote to memory of 4792	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	109
PID 1360 wrote to memory of 4792	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	109
PID 1360 wrote to memory of 4792	1360	{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe	109
PID 4992 wrote to memory of 4196	4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe	110
PID 4992 wrote to memory of 4196	4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe	110
PID 4992 wrote to memory of 4196	4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe	110
PID 4992 wrote to memory of 872	4992	{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe	111

C:\Users\Admin\AppData\Local\Temp\9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9d1fd27c748ae89a2920989bcf690ade_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
  C:\Windows\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
    C:\Windows\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
      C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
        
        C:\Windows\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
        
        C:\Windows\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
        
        C:\Windows\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
        
        C:\Windows\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99A77~1.EXE > nul
        9⤵
        
        PID:4404
        
        C:\Windows\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
        
        C:\Windows\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
        
        C:\Windows\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe
        
        C:\Windows\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe
        
        C:\Windows\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe
        12⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88A6D~1.EXE > nul
        12⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC66~1.EXE > nul
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E54B5~1.EXE > nul
        10⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC0E~1.EXE > nul
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC3CA~1.EXE > nul
        7⤵
        
        PID:4680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D28A4~1.EXE > nul
        6⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5070D~1.EXE > nul
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E880~1.EXE > nul
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F10A~1.EXE > nul
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D1FD2~1.EXE > nul
  2⤵
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe

Filesize
192KB

MD5
d2bdc180cfd14a81558363ea9af65c30

SHA1
d13a0359c15cc451083ccd6818131052d45c2122

SHA256
1240452be6a310ec9e568b67f65fb7d77d837da8f964b9693f9c617ae6a5ccde

SHA512
36bb930581d48726ff6e855a4aa205599d3b4650bd8823cab6b772960c2de71e286ebe83a121d3b52c4b0c9dbcc24abbf1ddab8a378de539420d7761b840ff69

Download Submit
C:\Windows\{1DC0EA79-B4BC-4540-8CBD-9D618A45B11F}.exe

Filesize
192KB

MD5
d2bdc180cfd14a81558363ea9af65c30

SHA1
d13a0359c15cc451083ccd6818131052d45c2122

SHA256
1240452be6a310ec9e568b67f65fb7d77d837da8f964b9693f9c617ae6a5ccde

SHA512
36bb930581d48726ff6e855a4aa205599d3b4650bd8823cab6b772960c2de71e286ebe83a121d3b52c4b0c9dbcc24abbf1ddab8a378de539420d7761b840ff69

Download Submit
C:\Windows\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe

Filesize
192KB

MD5
c30fd16c936092a1e26417daded019c8

SHA1
50cc4908c918fe1239b8b0b6ac8499122b03906b

SHA256
145cf89a6085100446a0f3ebb3bf8e26f1b56ea2e74673b378a6782f39e059d6

SHA512
39e245743bc058fc4df968b12879e87e2dbb12f51b87a3fc84c9817e9cc36743756a6d473b0db46d268bb4957531ae71275cdeca3e68ef4ae1dac175681f30b1

Download Submit
C:\Windows\{1F10A96C-F27E-4153-9672-30B3B253C3E3}.exe

Filesize
192KB

MD5
c30fd16c936092a1e26417daded019c8

SHA1
50cc4908c918fe1239b8b0b6ac8499122b03906b

SHA256
145cf89a6085100446a0f3ebb3bf8e26f1b56ea2e74673b378a6782f39e059d6

SHA512
39e245743bc058fc4df968b12879e87e2dbb12f51b87a3fc84c9817e9cc36743756a6d473b0db46d268bb4957531ae71275cdeca3e68ef4ae1dac175681f30b1

Download Submit
C:\Windows\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe

Filesize
192KB

MD5
b7bca6973ef7b06363be6a4b074e76fb

SHA1
83d3235d9e84132b6e56c43122e491d2a2bfb730

SHA256
38886928461f9410cae2d59d8e65ee6a8ebb2593815c81a6afbc10e6114cfbcf

SHA512
97b5747057d0f6d2891f3f2a8339f37c22d6edcb735255cae563a347ec5b0e54969d41318eb61309233ca9a70fd58b1ee9f4a0bbe3a0ce856da0ea1454c8a1ad

Download Submit
C:\Windows\{3E8807B9-0A1A-4685-964E-00FFC30D92F6}.exe

Filesize
192KB

MD5
b7bca6973ef7b06363be6a4b074e76fb

SHA1
83d3235d9e84132b6e56c43122e491d2a2bfb730

SHA256
38886928461f9410cae2d59d8e65ee6a8ebb2593815c81a6afbc10e6114cfbcf

SHA512
97b5747057d0f6d2891f3f2a8339f37c22d6edcb735255cae563a347ec5b0e54969d41318eb61309233ca9a70fd58b1ee9f4a0bbe3a0ce856da0ea1454c8a1ad

Download Submit
C:\Windows\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe

Filesize
192KB

MD5
1ee277a355de0a33832fb8c71f384e81

SHA1
27665c8947367538300e77f7f130d387eb0cdf07

SHA256
b4ffdf0e3f4d75fbc03df59afa98e0304d93da184aa99356c78aa7746ef22745

SHA512
a033314370ba3ed31fc769d8e2c8fe54d06a3f17fe6a5d77a7c6aec6acde281c3b592aa8e57e1ecb0c0ca41b49ff5e75006c584d378f8172adcf012f81574d1d

Download Submit
C:\Windows\{4AC669DB-86FF-498a-8B62-1B126F88F440}.exe

Filesize
192KB

MD5
1ee277a355de0a33832fb8c71f384e81

SHA1
27665c8947367538300e77f7f130d387eb0cdf07

SHA256
b4ffdf0e3f4d75fbc03df59afa98e0304d93da184aa99356c78aa7746ef22745

SHA512
a033314370ba3ed31fc769d8e2c8fe54d06a3f17fe6a5d77a7c6aec6acde281c3b592aa8e57e1ecb0c0ca41b49ff5e75006c584d378f8172adcf012f81574d1d

Download Submit
C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe

Filesize
192KB

MD5
88dcb20837400ed3b9dd7ebc2304b134

SHA1
3b63ebdecccad6d92763598f2b8ebf10079c11f3

SHA256
c108eb600fdedf34beb3e124cf3294ad2bc82082e2c3fa8fd90e87d7e0e900ee

SHA512
41b5f561b9502f720bf8c83a7c6d3a7f9db569cb356d5a0be32f65fc3f74f5c91b845682d0fa278ac29d8c3958b9be3a5aaf1d8e1b3c7f8f8d9cd849a4a23004

Download Submit
C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe

Filesize
192KB

MD5
88dcb20837400ed3b9dd7ebc2304b134

SHA1
3b63ebdecccad6d92763598f2b8ebf10079c11f3

SHA256
c108eb600fdedf34beb3e124cf3294ad2bc82082e2c3fa8fd90e87d7e0e900ee

SHA512
41b5f561b9502f720bf8c83a7c6d3a7f9db569cb356d5a0be32f65fc3f74f5c91b845682d0fa278ac29d8c3958b9be3a5aaf1d8e1b3c7f8f8d9cd849a4a23004

Download Submit
C:\Windows\{5070D9B9-370C-4bf5-9D16-5D60E7FD0108}.exe

Filesize
192KB

MD5
88dcb20837400ed3b9dd7ebc2304b134

SHA1
3b63ebdecccad6d92763598f2b8ebf10079c11f3

SHA256
c108eb600fdedf34beb3e124cf3294ad2bc82082e2c3fa8fd90e87d7e0e900ee

SHA512
41b5f561b9502f720bf8c83a7c6d3a7f9db569cb356d5a0be32f65fc3f74f5c91b845682d0fa278ac29d8c3958b9be3a5aaf1d8e1b3c7f8f8d9cd849a4a23004

Download Submit
C:\Windows\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe

Filesize
192KB

MD5
54f58d220a65975d99e10b434aefca98

SHA1
25d26a494c27b814187dd2eebeb8f9072743bec7

SHA256
c34917bac9fc6e2aa836760e5cf23c90c875ceaa494815e0d21854629bd94ce4

SHA512
b8aefef89ff256aa4cb4e9570445cc9b76f15dd994cb681ac5f241ce61218dd9fee114e8a11472d91cd68b6e21c5e447e816841ce654ceee84f29f2f7e88ead7

Download Submit
C:\Windows\{73F7E9BA-DD21-4410-A53A-CB183E43C053}.exe

Filesize
192KB

MD5
54f58d220a65975d99e10b434aefca98

SHA1
25d26a494c27b814187dd2eebeb8f9072743bec7

SHA256
c34917bac9fc6e2aa836760e5cf23c90c875ceaa494815e0d21854629bd94ce4

SHA512
b8aefef89ff256aa4cb4e9570445cc9b76f15dd994cb681ac5f241ce61218dd9fee114e8a11472d91cd68b6e21c5e447e816841ce654ceee84f29f2f7e88ead7

Download Submit
C:\Windows\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe

Filesize
192KB

MD5
34369387135dbbb174a52d633ac2efb8

SHA1
d57530dd0f4795ec8e2f1cd4dee6c2a4be43cf5f

SHA256
97e324285500567f6bc890c1e75d369e48fdbcdc753a00e763b9fa459c5ec5af

SHA512
eee24b093bd0152791d095476204992cc3b6bc6fa869d55c5617c298a2243d558de9dd7130973312bef075ee98d6b0d4844000252b37cdb186c5d982076f8f43

Download Submit
C:\Windows\{88A6DAE4-8AC4-4a57-A838-7A3EAA8D3DB4}.exe

Filesize
192KB

MD5
34369387135dbbb174a52d633ac2efb8

SHA1
d57530dd0f4795ec8e2f1cd4dee6c2a4be43cf5f

SHA256
97e324285500567f6bc890c1e75d369e48fdbcdc753a00e763b9fa459c5ec5af

SHA512
eee24b093bd0152791d095476204992cc3b6bc6fa869d55c5617c298a2243d558de9dd7130973312bef075ee98d6b0d4844000252b37cdb186c5d982076f8f43

Download Submit
C:\Windows\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe

Filesize
192KB

MD5
9ac4cd9dc32477e141c440998aa1ae47

SHA1
0af9b797623616de87edf45c3e07360d905fc424

SHA256
2e7d67949e3850b6a9d3b2fdb5e7aa1d6c7b7388cc0a0b37bb2ca3abe534fb6b

SHA512
76c2c9c81af1bfe6b2ba71583a6f012604f0b95e6afa7377d1e65bc8817883e560a4123af0735b825f5e747747d055482b6541b70a848ec0b9ddaa06f3c8557d

Download Submit
C:\Windows\{99A77DA8-367F-4674-87EF-1C7DF5647BA8}.exe

Filesize
192KB

MD5
9ac4cd9dc32477e141c440998aa1ae47

SHA1
0af9b797623616de87edf45c3e07360d905fc424

SHA256
2e7d67949e3850b6a9d3b2fdb5e7aa1d6c7b7388cc0a0b37bb2ca3abe534fb6b

SHA512
76c2c9c81af1bfe6b2ba71583a6f012604f0b95e6afa7377d1e65bc8817883e560a4123af0735b825f5e747747d055482b6541b70a848ec0b9ddaa06f3c8557d

Download Submit
C:\Windows\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe

Filesize
192KB

MD5
855aa41731425f35a5f60cddb6026e6d

SHA1
d45cb986156bb50f25bb6717fb01dbd82e2b9f5e

SHA256
650255164fa8343fc045ebf49bbe1b29c11dd17741239416043aa1b150e68f97

SHA512
1e8785634670557f3e3e05cd2016eb1ed2da1ba248da5285efe3be16f1b55bb00d706660006ca5f92297ad6ae9bb4b2dc278fc5411c5909f869c7c1b48484a63

Download Submit
C:\Windows\{CC3CA76C-DC39-45a1-9D62-3AE1D95F7B2D}.exe

Filesize
192KB

MD5
855aa41731425f35a5f60cddb6026e6d

SHA1
d45cb986156bb50f25bb6717fb01dbd82e2b9f5e

SHA256
650255164fa8343fc045ebf49bbe1b29c11dd17741239416043aa1b150e68f97

SHA512
1e8785634670557f3e3e05cd2016eb1ed2da1ba248da5285efe3be16f1b55bb00d706660006ca5f92297ad6ae9bb4b2dc278fc5411c5909f869c7c1b48484a63

Download Submit
C:\Windows\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe

Filesize
192KB

MD5
43827189e3aaa8ec3eaec8ebf0bfe422

SHA1
6adfb33b844e4021ff81a8022fe2a7861b3bc456

SHA256
689b819e3b2e2f353f8b9b2103521596a4be29ebd74be9ee9be5d5892196056e

SHA512
a1cc553d19de766df121b4bebdfb24e5268f4048188aaaa930ff2a5fa2582b2f7731693ee5716a96f1fabf7254e985fcb7617eb12e1f6867043da21ac7c2f6bb

Download Submit
C:\Windows\{D28A48FB-AE31-4f13-9E95-6CAB32E2B3F9}.exe

Filesize
192KB

MD5
43827189e3aaa8ec3eaec8ebf0bfe422

SHA1
6adfb33b844e4021ff81a8022fe2a7861b3bc456

SHA256
689b819e3b2e2f353f8b9b2103521596a4be29ebd74be9ee9be5d5892196056e

SHA512
a1cc553d19de766df121b4bebdfb24e5268f4048188aaaa930ff2a5fa2582b2f7731693ee5716a96f1fabf7254e985fcb7617eb12e1f6867043da21ac7c2f6bb

Download Submit
C:\Windows\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe

Filesize
192KB

MD5
ebf77ffe42254eafae420ba40c9eb21e

SHA1
317fd95328016c0f6f4ea906fc4f34a633af97b1

SHA256
2ff146ec1141f84b3a481f4f7c53528706111b494212db4e2b1d57ccc57db589

SHA512
89d36c21f505dbadd95134e24294ba0b0c7d7f77031185d390cb8913552b0123eb14089be3dae04e705c29f1eb65a6bab6ed06405bc34df80a8520a1afe6c8bb

Download Submit
C:\Windows\{E54B52F8-1E49-4018-B72B-E97DF01A0DAA}.exe

Filesize
192KB

MD5
ebf77ffe42254eafae420ba40c9eb21e

SHA1
317fd95328016c0f6f4ea906fc4f34a633af97b1

SHA256
2ff146ec1141f84b3a481f4f7c53528706111b494212db4e2b1d57ccc57db589

SHA512
89d36c21f505dbadd95134e24294ba0b0c7d7f77031185d390cb8913552b0123eb14089be3dae04e705c29f1eb65a6bab6ed06405bc34df80a8520a1afe6c8bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads