d42026b48f811e055217910cf4361096a7ef305fa17cc3409f4dcec67008cf9f

Analysis

max time kernel
150s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
Size

408KB
MD5

9e9b61c02ce1e40c96b4d579376da9bd
SHA1

b6eb877c8a21d0b6a265a17cfb276af516c8fd6f
SHA256

d42026b48f811e055217910cf4361096a7ef305fa17cc3409f4dcec67008cf9f
SHA512

83a662c5a6cc71d385b97ff275e078340d4716fd4dbdec06f5c9f2e93c87dfd046136a45f5e85838226bd6eee0d3168a7656cd7401232ae17c1395be1b84d718
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGbldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85D553B0-3807-4dff-AEF5-D4A65199C24C}	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}\stubpath = "C:\\Windows\\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe"	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}\stubpath = "C:\\Windows\\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe"	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}\stubpath = "C:\\Windows\\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe"	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}\stubpath = "C:\\Windows\\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe"	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852FD343-716E-4611-A92F-4C15C4BECBEC}	{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}\stubpath = "C:\\Windows\\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe"	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85D553B0-3807-4dff-AEF5-D4A65199C24C}\stubpath = "C:\\Windows\\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe"	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}\stubpath = "C:\\Windows\\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe"	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852FD343-716E-4611-A92F-4C15C4BECBEC}\stubpath = "C:\\Windows\\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe"	{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C2ED2BA-E466-4455-907B-2413B94199B3}	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}\stubpath = "C:\\Windows\\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe"	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BDB1627-861D-4466-9EDE-9700CB65D439}	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BDB1627-861D-4466-9EDE-9700CB65D439}\stubpath = "C:\\Windows\\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe"	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}\stubpath = "C:\\Windows\\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe"	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C2ED2BA-E466-4455-907B-2413B94199B3}\stubpath = "C:\\Windows\\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe"	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe

Executes dropped EXE 12 IoCs

pid	Process
3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
4176	{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
3676	{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe	{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
File created	C:\Windows\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
File created	C:\Windows\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
File created	C:\Windows\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
File created	C:\Windows\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
File created	C:\Windows\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
File created	C:\Windows\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
File created	C:\Windows\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
File created	C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
File created	C:\Windows\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
File created	C:\Windows\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
File created	C:\Windows\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
Token: SeIncBasePriorityPrivilege	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
Token: SeIncBasePriorityPrivilege	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
Token: SeIncBasePriorityPrivilege	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
Token: SeIncBasePriorityPrivilege	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
Token: SeIncBasePriorityPrivilege	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
Token: SeIncBasePriorityPrivilege	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
Token: SeIncBasePriorityPrivilege	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
Token: SeIncBasePriorityPrivilege	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
Token: SeIncBasePriorityPrivilege	1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
Token: SeIncBasePriorityPrivilege	4176	{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3428	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	88
PID 3344 wrote to memory of 3428	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	88
PID 3344 wrote to memory of 3428	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	88
PID 3344 wrote to memory of 4240	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	89
PID 3344 wrote to memory of 4240	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	89
PID 3344 wrote to memory of 4240	3344	9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe	89
PID 3428 wrote to memory of 2420	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	92
PID 3428 wrote to memory of 2420	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	92
PID 3428 wrote to memory of 2420	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	92
PID 3428 wrote to memory of 2156	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	93
PID 3428 wrote to memory of 2156	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	93
PID 3428 wrote to memory of 2156	3428	{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe	93
PID 2420 wrote to memory of 3924	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	96
PID 2420 wrote to memory of 3924	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	96
PID 2420 wrote to memory of 3924	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	96
PID 2420 wrote to memory of 4384	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	95
PID 2420 wrote to memory of 4384	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	95
PID 2420 wrote to memory of 4384	2420	{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe	95
PID 3924 wrote to memory of 4704	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	97
PID 3924 wrote to memory of 4704	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	97
PID 3924 wrote to memory of 4704	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	97
PID 3924 wrote to memory of 4188	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	98
PID 3924 wrote to memory of 4188	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	98
PID 3924 wrote to memory of 4188	3924	{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe	98
PID 4704 wrote to memory of 4592	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	99
PID 4704 wrote to memory of 4592	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	99
PID 4704 wrote to memory of 4592	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	99
PID 4704 wrote to memory of 64	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	100
PID 4704 wrote to memory of 64	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	100
PID 4704 wrote to memory of 64	4704	{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe	100
PID 4592 wrote to memory of 4572	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	101
PID 4592 wrote to memory of 4572	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	101
PID 4592 wrote to memory of 4572	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	101
PID 4592 wrote to memory of 3624	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	102
PID 4592 wrote to memory of 3624	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	102
PID 4592 wrote to memory of 3624	4592	{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe	102
PID 4572 wrote to memory of 2788	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	103
PID 4572 wrote to memory of 2788	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	103
PID 4572 wrote to memory of 2788	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	103
PID 4572 wrote to memory of 1612	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	104
PID 4572 wrote to memory of 1612	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	104
PID 4572 wrote to memory of 1612	4572	{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe	104
PID 2788 wrote to memory of 4008	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	105
PID 2788 wrote to memory of 4008	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	105
PID 2788 wrote to memory of 4008	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	105
PID 2788 wrote to memory of 2388	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	106
PID 2788 wrote to memory of 2388	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	106
PID 2788 wrote to memory of 2388	2788	{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe	106
PID 4008 wrote to memory of 948	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	107
PID 4008 wrote to memory of 948	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	107
PID 4008 wrote to memory of 948	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	107
PID 4008 wrote to memory of 2512	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	108
PID 4008 wrote to memory of 2512	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	108
PID 4008 wrote to memory of 2512	4008	{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe	108
PID 948 wrote to memory of 1388	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	109
PID 948 wrote to memory of 1388	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	109
PID 948 wrote to memory of 1388	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	109
PID 948 wrote to memory of 4100	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	110
PID 948 wrote to memory of 4100	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	110
PID 948 wrote to memory of 4100	948	{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe	110
PID 1388 wrote to memory of 4176	1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe	111
PID 1388 wrote to memory of 4176	1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe	111
PID 1388 wrote to memory of 4176	1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe	111
PID 1388 wrote to memory of 3580	1388	{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe	112

C:\Users\Admin\AppData\Local\Temp\9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9e9b61c02ce1e40c96b4d579376da9bd_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
  C:\Windows\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
    C:\Windows\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B9B3~1.EXE > nul
      4⤵
      PID:4384
  - - C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
      C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
        
        C:\Windows\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
        
        C:\Windows\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
        
        C:\Windows\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
        
        C:\Windows\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
        
        C:\Windows\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
        
        C:\Windows\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
        
        C:\Windows\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
        
        C:\Windows\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe
        
        C:\Windows\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe
        13⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{139D6~1.EXE > nul
        13⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B54B~1.EXE > nul
        12⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDB1~1.EXE > nul
        11⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31EF0~1.EXE > nul
        10⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C2ED~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0B6~1.EXE > nul
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598EB~1.EXE > nul
        7⤵
        
        PID:3624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85D55~1.EXE > nul
        6⤵
        
        PID:64
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{875AB~1.EXE > nul
        5⤵
        
        PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F84F2~1.EXE > nul
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E9B61~1.EXE > nul
  2⤵
  PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe

Filesize
408KB

MD5
7dad272e386d3121e171a64f5849027e

SHA1
1195369888b162557f3dd16e77a5b9dadc90860c

SHA256
f930cc7e493ac657db22e944f5c0eebb79cd5824ceb4572e8d28577674db98dd

SHA512
bec0ab9282c0a042391e730bc9651d9173361b6e9845012ad0f28bef002fd64a0730b1939fc09402128fc0c571db081b22adcfb2d7207648aa8357abe75a8967

Download Submit
C:\Windows\{139D6330-1D02-49a9-B2FE-A3A80A654B5E}.exe

Filesize
408KB

MD5
7dad272e386d3121e171a64f5849027e

SHA1
1195369888b162557f3dd16e77a5b9dadc90860c

SHA256
f930cc7e493ac657db22e944f5c0eebb79cd5824ceb4572e8d28577674db98dd

SHA512
bec0ab9282c0a042391e730bc9651d9173361b6e9845012ad0f28bef002fd64a0730b1939fc09402128fc0c571db081b22adcfb2d7207648aa8357abe75a8967

Download Submit
C:\Windows\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe

Filesize
408KB

MD5
46e74ed63379145db82436e71bdfbae0

SHA1
4028c240fe8c64d49d33c1ca4726e3a6d82ab6db

SHA256
df0904b4166fd37828cb6d8dd352a04266a5b7f6d6f56004015dd3b4aa08cd69

SHA512
0daac2a2b29a324903c6eae4ab5833c8cc34c64ba2f33069c6036c6e6429e57e88a2ee55a256bf070ed9b260f5e24e7e9cf333bc6b264e514a1a712462dd74af

Download Submit
C:\Windows\{1B54B3D1-2CE9-4c9b-A3E6-FB8E54516F52}.exe

Filesize
408KB

MD5
46e74ed63379145db82436e71bdfbae0

SHA1
4028c240fe8c64d49d33c1ca4726e3a6d82ab6db

SHA256
df0904b4166fd37828cb6d8dd352a04266a5b7f6d6f56004015dd3b4aa08cd69

SHA512
0daac2a2b29a324903c6eae4ab5833c8cc34c64ba2f33069c6036c6e6429e57e88a2ee55a256bf070ed9b260f5e24e7e9cf333bc6b264e514a1a712462dd74af

Download Submit
C:\Windows\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe

Filesize
408KB

MD5
19b808836fecf0624195225974241f04

SHA1
c759b74ba5fd85da3cb2264fc2be1770792af3b1

SHA256
bc58592dcf8147c380b8188a518a3824f53cb50c803d4b35ae567b3c1152a3e7

SHA512
b1e8b4309ed890884bd11c276be84d7577e58d545947d0ed249d1ea3f0fb39955db9c42b6f7a490d6a94c31350c41dc54eaeb6e0625b05c04d8c2edcc5504959

Download Submit
C:\Windows\{1C2ED2BA-E466-4455-907B-2413B94199B3}.exe

Filesize
408KB

MD5
19b808836fecf0624195225974241f04

SHA1
c759b74ba5fd85da3cb2264fc2be1770792af3b1

SHA256
bc58592dcf8147c380b8188a518a3824f53cb50c803d4b35ae567b3c1152a3e7

SHA512
b1e8b4309ed890884bd11c276be84d7577e58d545947d0ed249d1ea3f0fb39955db9c42b6f7a490d6a94c31350c41dc54eaeb6e0625b05c04d8c2edcc5504959

Download Submit
C:\Windows\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe

Filesize
408KB

MD5
5cb9a9f05e5800d629992fb6146a6908

SHA1
38a850926545afc4ba9cc425fc885a22e5c11e9b

SHA256
9d5087cd06b01b4faf2adba52b750ee9a90500b662acf7de4f3aa432351d9d8d

SHA512
41500afb777ddd8d1b76fd828af4882639436c4d06ef57606ed88fe2d0a8833eb5c339f1b76578b4d029e9caa2e545dd4e7412c4b14bd2a2e29f462dffdf5821

Download Submit
C:\Windows\{2BDB1627-861D-4466-9EDE-9700CB65D439}.exe

Filesize
408KB

MD5
5cb9a9f05e5800d629992fb6146a6908

SHA1
38a850926545afc4ba9cc425fc885a22e5c11e9b

SHA256
9d5087cd06b01b4faf2adba52b750ee9a90500b662acf7de4f3aa432351d9d8d

SHA512
41500afb777ddd8d1b76fd828af4882639436c4d06ef57606ed88fe2d0a8833eb5c339f1b76578b4d029e9caa2e545dd4e7412c4b14bd2a2e29f462dffdf5821

Download Submit
C:\Windows\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe

Filesize
408KB

MD5
6b23e15e2d7de7e07a3eb4c937672073

SHA1
70996c34db81f42606ed36d8378847fff1552437

SHA256
4eabc20401bf2f31a9cc74f39a2005bca98ab64d1ae33a403ebc678da18de265

SHA512
dbbb00fdba5ee7aaf0f3b331626b2e30792b6fe7e39c1b5654ef5129769370e990fb04ecade449f4a6b3ff0f7d9c25e20bad1eb36adf95d94bd54748599014af

Download Submit
C:\Windows\{31EF0F42-6FC4-47c6-8E7F-889E32099A7D}.exe

Filesize
408KB

MD5
6b23e15e2d7de7e07a3eb4c937672073

SHA1
70996c34db81f42606ed36d8378847fff1552437

SHA256
4eabc20401bf2f31a9cc74f39a2005bca98ab64d1ae33a403ebc678da18de265

SHA512
dbbb00fdba5ee7aaf0f3b331626b2e30792b6fe7e39c1b5654ef5129769370e990fb04ecade449f4a6b3ff0f7d9c25e20bad1eb36adf95d94bd54748599014af

Download Submit
C:\Windows\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe

Filesize
408KB

MD5
80a911b10a1c6d5cde738ddb883a0048

SHA1
db3997803ebe4f5a9c1f542108e29dbdcd5885b8

SHA256
22205c6dd3dcab492eebd0b2b86a72c24c4e6f59cd7e44b449cf7fa0773b77e7

SHA512
5daa974abb264e93ac4c656a1188d0dda4dc6a80a4d45d1cd9a2a5814c12e03def4f85660870a3d91232b193e41be801a76fdeebec7cf53a94615b915a1b38ac

Download Submit
C:\Windows\{4B9B34D3-8C2C-4c5b-9643-527F37BD249C}.exe

Filesize
408KB

MD5
80a911b10a1c6d5cde738ddb883a0048

SHA1
db3997803ebe4f5a9c1f542108e29dbdcd5885b8

SHA256
22205c6dd3dcab492eebd0b2b86a72c24c4e6f59cd7e44b449cf7fa0773b77e7

SHA512
5daa974abb264e93ac4c656a1188d0dda4dc6a80a4d45d1cd9a2a5814c12e03def4f85660870a3d91232b193e41be801a76fdeebec7cf53a94615b915a1b38ac

Download Submit
C:\Windows\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe

Filesize
408KB

MD5
ae3a0117f49a778bb40edc78fcd0d334

SHA1
edac1faa46bbc4a14c0ff70c5b6c6c4bfef5ae43

SHA256
e44f4f53dcd8f0bf9e556c8ea4c7a539235722e375ae334cc1f57dc9d5bdcc3b

SHA512
8e886eb1b330caf834b443b86aa32746dbcbfcbabd9bbfc980b172e0e561d39431f9313d0923569f2cef6cee9025a34f8efb48fce75bdf4a78188b9f6d14e104

Download Submit
C:\Windows\{598EB4F4-468D-4ead-92F3-D41DD529A6F5}.exe

Filesize
408KB

MD5
ae3a0117f49a778bb40edc78fcd0d334

SHA1
edac1faa46bbc4a14c0ff70c5b6c6c4bfef5ae43

SHA256
e44f4f53dcd8f0bf9e556c8ea4c7a539235722e375ae334cc1f57dc9d5bdcc3b

SHA512
8e886eb1b330caf834b443b86aa32746dbcbfcbabd9bbfc980b172e0e561d39431f9313d0923569f2cef6cee9025a34f8efb48fce75bdf4a78188b9f6d14e104

Download Submit
C:\Windows\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe

Filesize
408KB

MD5
e782d6cf4bee28c41f177e7876b5a46a

SHA1
c29133ba3e9301d6cd9c85550c16d373ddac2f20

SHA256
2322abadd4291c85ba49e0b287aff5646c2d161789265093735b31733aa8ac70

SHA512
e41a99571ad19110991315370fa9e6e6af8df81b1558a77810b770e75a537f5a8105625affde0236e1ef870d090ad827dfe1cb52bca4e928148dd235e037c29d

Download Submit
C:\Windows\{852FD343-716E-4611-A92F-4C15C4BECBEC}.exe

Filesize
408KB

MD5
e782d6cf4bee28c41f177e7876b5a46a

SHA1
c29133ba3e9301d6cd9c85550c16d373ddac2f20

SHA256
2322abadd4291c85ba49e0b287aff5646c2d161789265093735b31733aa8ac70

SHA512
e41a99571ad19110991315370fa9e6e6af8df81b1558a77810b770e75a537f5a8105625affde0236e1ef870d090ad827dfe1cb52bca4e928148dd235e037c29d

Download Submit
C:\Windows\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe

Filesize
408KB

MD5
9765d4ddabde7856a405915054a63438

SHA1
d753fcf9513d4ee197d913e26e43b27ae1ec1f73

SHA256
40cb02b95a6f9f1b59e35f8805a655b82f5f7165e5c4752ce22ae904441d8093

SHA512
72a32f7f1aa4134d06249a55795c4cf24c6a3a00677e7754a8cd6202eb760318eb1db98482acd08d87f052094bea1231628965c6f15d0085d93c4da0fd4de51a

Download Submit
C:\Windows\{85D553B0-3807-4dff-AEF5-D4A65199C24C}.exe

Filesize
408KB

MD5
9765d4ddabde7856a405915054a63438

SHA1
d753fcf9513d4ee197d913e26e43b27ae1ec1f73

SHA256
40cb02b95a6f9f1b59e35f8805a655b82f5f7165e5c4752ce22ae904441d8093

SHA512
72a32f7f1aa4134d06249a55795c4cf24c6a3a00677e7754a8cd6202eb760318eb1db98482acd08d87f052094bea1231628965c6f15d0085d93c4da0fd4de51a

Download Submit
C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe

Filesize
408KB

MD5
d649533435c69ff79f0a4d6b3f7cba7e

SHA1
d8f34ad282e4a7409b88a121e612f57eb27f85c8

SHA256
ec871752a13db51143549caf8405cec6adb919d83727ba0a13cf1d962f6f973c

SHA512
a7944b2cf4fcbe8eea5d556ce5213d9f35434c5a48d20d8b7db565e0b4f637da718d5cafa71303f8ae492ab331cf597f66b55d7028ad64eab08e79bda012fab4

Download Submit
C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe

Filesize
408KB

MD5
d649533435c69ff79f0a4d6b3f7cba7e

SHA1
d8f34ad282e4a7409b88a121e612f57eb27f85c8

SHA256
ec871752a13db51143549caf8405cec6adb919d83727ba0a13cf1d962f6f973c

SHA512
a7944b2cf4fcbe8eea5d556ce5213d9f35434c5a48d20d8b7db565e0b4f637da718d5cafa71303f8ae492ab331cf597f66b55d7028ad64eab08e79bda012fab4

Download Submit
C:\Windows\{875ABC3B-602F-4db3-A2A1-4F4FB6EE0307}.exe

Filesize
408KB

MD5
d649533435c69ff79f0a4d6b3f7cba7e

SHA1
d8f34ad282e4a7409b88a121e612f57eb27f85c8

SHA256
ec871752a13db51143549caf8405cec6adb919d83727ba0a13cf1d962f6f973c

SHA512
a7944b2cf4fcbe8eea5d556ce5213d9f35434c5a48d20d8b7db565e0b4f637da718d5cafa71303f8ae492ab331cf597f66b55d7028ad64eab08e79bda012fab4

Download Submit
C:\Windows\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe

Filesize
408KB

MD5
cd3b412ef84aa1fd4fe26815e80a77ea

SHA1
eec963e03dc2ed9429e3ca0891c3b32dcb99fc52

SHA256
57fe24f081e8fb83cc72b74c8365766a6a189a87c825c7705b29920e620d7fdb

SHA512
e1327846d7fcf160248376704e3e7cdd7fa31aa5449c958d860c634297193e287d6089daabf0e9a6c9e190d737cf9eb0d3575e1986cede3f936c853899fd7b97

Download Submit
C:\Windows\{CE0B6D75-A195-4585-AFBA-E7475ECCF0C8}.exe

Filesize
408KB

MD5
cd3b412ef84aa1fd4fe26815e80a77ea

SHA1
eec963e03dc2ed9429e3ca0891c3b32dcb99fc52

SHA256
57fe24f081e8fb83cc72b74c8365766a6a189a87c825c7705b29920e620d7fdb

SHA512
e1327846d7fcf160248376704e3e7cdd7fa31aa5449c958d860c634297193e287d6089daabf0e9a6c9e190d737cf9eb0d3575e1986cede3f936c853899fd7b97

Download Submit
C:\Windows\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe

Filesize
408KB

MD5
5a872786b8430d5ce55c811564cff597

SHA1
92fbff174243014e821213f41203e92bb0a3bb8d

SHA256
46551ae7755040e03562134eae9a93690d1a8ea8868fb414501abf5d85582d41

SHA512
f1e3f0387fe261d65c23cbdde17e4f1350e06e99bf2cb96312707a83d2b2092c04f66f34aac40fbb7ab62abb222320b859b637a4cbc0950d1cd46070e08c863f

Download Submit
C:\Windows\{F84F22A1-FE2F-4017-A8D3-1A94A83763A7}.exe

Filesize
408KB

MD5
5a872786b8430d5ce55c811564cff597

SHA1
92fbff174243014e821213f41203e92bb0a3bb8d

SHA256
46551ae7755040e03562134eae9a93690d1a8ea8868fb414501abf5d85582d41

SHA512
f1e3f0387fe261d65c23cbdde17e4f1350e06e99bf2cb96312707a83d2b2092c04f66f34aac40fbb7ab62abb222320b859b637a4cbc0950d1cd46070e08c863f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads