bd9d441809fd2bcfc05f2510e08fc127508cac663313607495a9e1f157cb88d9

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Size

168KB
MD5

d99e93b2b0ab3a94f080df015fdf8475
SHA1

b64e68e6491c320963a31e5dfd67ee130aa26704
SHA256

bd9d441809fd2bcfc05f2510e08fc127508cac663313607495a9e1f157cb88d9
SHA512

fee408c95b607137d3cbc767373d5b0e4c9ffa463fc47beace1f000e21b049bf81476970492509c96855dce7e3d19db0ac9955cdc4ef82f69793a7f496d79072
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}\stubpath = "C:\\Windows\\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe"	{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{058F5156-68E4-4363-8D85-32BB4AA792F3}	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}	{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0137FCC-D188-4aeb-9B33-65E6913A4269}	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E1B90D-646C-4c18-8465-FAA61214AA64}\stubpath = "C:\\Windows\\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe"	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}\stubpath = "C:\\Windows\\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe"	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}\stubpath = "C:\\Windows\\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe"	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}\stubpath = "C:\\Windows\\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe"	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}\stubpath = "C:\\Windows\\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe"	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FF388A-EA33-4e26-8549-C6D641B13C41}	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09FF388A-EA33-4e26-8549-C6D641B13C41}\stubpath = "C:\\Windows\\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe"	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}\stubpath = "C:\\Windows\\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe"	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}\stubpath = "C:\\Windows\\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe"	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0137FCC-D188-4aeb-9B33-65E6913A4269}\stubpath = "C:\\Windows\\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe"	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E1B90D-646C-4c18-8465-FAA61214AA64}	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}\stubpath = "C:\\Windows\\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe"	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{058F5156-68E4-4363-8D85-32BB4AA792F3}\stubpath = "C:\\Windows\\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe"	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe

Executes dropped EXE 11 IoCs

pid	Process
1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe
4064	{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
File created	C:\Windows\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
File created	C:\Windows\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
File created	C:\Windows\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe
File created	C:\Windows\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
File created	C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
File created	C:\Windows\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
File created	C:\Windows\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
File created	C:\Windows\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
File created	C:\Windows\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
File created	C:\Windows\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe	{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe
File created	C:\Windows\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
Token: SeIncBasePriorityPrivilege	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
Token: SeIncBasePriorityPrivilege	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
Token: SeIncBasePriorityPrivilege	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
Token: SeIncBasePriorityPrivilege	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
Token: SeIncBasePriorityPrivilege	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
Token: SeIncBasePriorityPrivilege	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
Token: SeIncBasePriorityPrivilege	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
Token: SeIncBasePriorityPrivilege	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
Token: SeIncBasePriorityPrivilege	3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1224	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	90
PID 4240 wrote to memory of 1224	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	90
PID 4240 wrote to memory of 1224	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	90
PID 4240 wrote to memory of 2740	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	91
PID 4240 wrote to memory of 2740	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	91
PID 4240 wrote to memory of 2740	4240	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	91
PID 1224 wrote to memory of 1620	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	92
PID 1224 wrote to memory of 1620	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	92
PID 1224 wrote to memory of 1620	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	92
PID 1224 wrote to memory of 676	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	93
PID 1224 wrote to memory of 676	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	93
PID 1224 wrote to memory of 676	1224	{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe	93
PID 1620 wrote to memory of 1388	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	96
PID 1620 wrote to memory of 1388	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	96
PID 1620 wrote to memory of 1388	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	96
PID 1620 wrote to memory of 2508	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	95
PID 1620 wrote to memory of 2508	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	95
PID 1620 wrote to memory of 2508	1620	{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe	95
PID 1388 wrote to memory of 2020	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	97
PID 1388 wrote to memory of 2020	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	97
PID 1388 wrote to memory of 2020	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	97
PID 1388 wrote to memory of 636	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	98
PID 1388 wrote to memory of 636	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	98
PID 1388 wrote to memory of 636	1388	{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe	98
PID 2020 wrote to memory of 2732	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	99
PID 2020 wrote to memory of 2732	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	99
PID 2020 wrote to memory of 2732	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	99
PID 2020 wrote to memory of 2960	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	100
PID 2020 wrote to memory of 2960	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	100
PID 2020 wrote to memory of 2960	2020	{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe	100
PID 2732 wrote to memory of 2096	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	101
PID 2732 wrote to memory of 2096	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	101
PID 2732 wrote to memory of 2096	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	101
PID 2732 wrote to memory of 2472	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	102
PID 2732 wrote to memory of 2472	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	102
PID 2732 wrote to memory of 2472	2732	{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe	102
PID 2096 wrote to memory of 2120	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	103
PID 2096 wrote to memory of 2120	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	103
PID 2096 wrote to memory of 2120	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	103
PID 2096 wrote to memory of 1280	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	104
PID 2096 wrote to memory of 1280	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	104
PID 2096 wrote to memory of 1280	2096	{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe	104
PID 2120 wrote to memory of 5024	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	105
PID 2120 wrote to memory of 5024	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	105
PID 2120 wrote to memory of 5024	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	105
PID 2120 wrote to memory of 1872	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	106
PID 2120 wrote to memory of 1872	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	106
PID 2120 wrote to memory of 1872	2120	{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe	106
PID 5024 wrote to memory of 4792	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	108
PID 5024 wrote to memory of 4792	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	108
PID 5024 wrote to memory of 4792	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	108
PID 5024 wrote to memory of 724	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	107
PID 5024 wrote to memory of 724	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	107
PID 5024 wrote to memory of 724	5024	{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe	107
PID 4792 wrote to memory of 3972	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	109
PID 4792 wrote to memory of 3972	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	109
PID 4792 wrote to memory of 3972	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	109
PID 4792 wrote to memory of 2124	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	110
PID 4792 wrote to memory of 2124	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	110
PID 4792 wrote to memory of 2124	4792	{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe	110
PID 3972 wrote to memory of 4064	3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe	111
PID 3972 wrote to memory of 4064	3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe	111
PID 3972 wrote to memory of 4064	3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe	111
PID 3972 wrote to memory of 4500	3972	{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe	112

C:\Users\Admin\AppData\Local\Temp\d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
  C:\Windows\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
    C:\Windows\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B0137~1.EXE > nul
      4⤵
      PID:2508
  - - C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
      C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
        
        C:\Windows\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
        
        C:\Windows\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
        
        C:\Windows\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
        
        C:\Windows\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
        
        C:\Windows\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E9FB~1.EXE > nul
        10⤵
        
        PID:724
        
        C:\Windows\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
        
        C:\Windows\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe
        
        C:\Windows\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe
        
        C:\Windows\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4064
        
        C:\Windows\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe
        
        C:\Windows\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe
        13⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{058F5~1.EXE > nul
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22F5C~1.EXE > nul
        12⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCA2~1.EXE > nul
        11⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7837B~1.EXE > nul
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09FF3~1.EXE > nul
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09ADF~1.EXE > nul
        7⤵
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D96~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E1B~1.EXE > nul
        5⤵
        
        PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD31D~1.EXE > nul
    3⤵
    PID:676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D99E93~1.EXE > nul
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe

Filesize
168KB

MD5
08cce4e41c96b0d10a8251bc9ba5229c

SHA1
4875fbcebf4ec9b1d52b575966f84626ca90bec5

SHA256
42d37c230f72a28caedf1eb4b81f3e3bb8a909af74194988e70546a7a9ed161f

SHA512
8ac807c2df2565b9ac4cd2ff1cb26fff86f22c076b8dca8ca775bccb5a25b31ef4d8dda7baf40193d50849d9aa51e6119f1e7a6b94152f8f43fd6423c356b5b2

Download Submit
C:\Windows\{058F5156-68E4-4363-8D85-32BB4AA792F3}.exe

Filesize
168KB

MD5
08cce4e41c96b0d10a8251bc9ba5229c

SHA1
4875fbcebf4ec9b1d52b575966f84626ca90bec5

SHA256
42d37c230f72a28caedf1eb4b81f3e3bb8a909af74194988e70546a7a9ed161f

SHA512
8ac807c2df2565b9ac4cd2ff1cb26fff86f22c076b8dca8ca775bccb5a25b31ef4d8dda7baf40193d50849d9aa51e6119f1e7a6b94152f8f43fd6423c356b5b2

Download Submit
C:\Windows\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe

Filesize
168KB

MD5
90c44b30e438315b68b4f573b4a0171e

SHA1
a5d00939b28975072b550028086cebc1bfd71bc9

SHA256
59b84910cf5cb591a8c02d465ae687151fbb27ee1c2f70c125f6107c043673d7

SHA512
b0938fdf8cb1cea063a4d2a67861b9e8b02905c4bbae61f6a05a6ed9e6a293e8115387a136debf1ecd99383da1a7b101b7ac394d5505e537d250aff43fe0cb95

Download Submit
C:\Windows\{09ADFCC5-CEA2-4166-A5EA-DB0F2FFE9ED3}.exe

Filesize
168KB

MD5
90c44b30e438315b68b4f573b4a0171e

SHA1
a5d00939b28975072b550028086cebc1bfd71bc9

SHA256
59b84910cf5cb591a8c02d465ae687151fbb27ee1c2f70c125f6107c043673d7

SHA512
b0938fdf8cb1cea063a4d2a67861b9e8b02905c4bbae61f6a05a6ed9e6a293e8115387a136debf1ecd99383da1a7b101b7ac394d5505e537d250aff43fe0cb95

Download Submit
C:\Windows\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe

Filesize
168KB

MD5
d98f0c9876036e600b6105bdba17003f

SHA1
a1a9b57058aa2c1438ac79bbce17576af6a69713

SHA256
76342988f862b2cfcd04e07c198d0e4fb48071af22858c8d609d6e03e36f6436

SHA512
6a5460eedfbb186f97d5ecd700a3a45cd24e58c7ca75bb7ac4cb1182bb66d68f062d513729781396e55aa473536a01920ab95a590054bbcf4f3673ec172cf378

Download Submit
C:\Windows\{09FF388A-EA33-4e26-8549-C6D641B13C41}.exe

Filesize
168KB

MD5
d98f0c9876036e600b6105bdba17003f

SHA1
a1a9b57058aa2c1438ac79bbce17576af6a69713

SHA256
76342988f862b2cfcd04e07c198d0e4fb48071af22858c8d609d6e03e36f6436

SHA512
6a5460eedfbb186f97d5ecd700a3a45cd24e58c7ca75bb7ac4cb1182bb66d68f062d513729781396e55aa473536a01920ab95a590054bbcf4f3673ec172cf378

Download Submit
C:\Windows\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe

Filesize
168KB

MD5
991ecaa179bd144c9d14ad8cb5648f96

SHA1
44449ef0ca43d9502252054144191a0e54300f8f

SHA256
639017bc2b98bc066335968e8d2f0f384002ed712a4e86c1ccb6261412e9d672

SHA512
cddb24d3db2e26b0a86e3b963f866bc2f2e5f0880a75f676bc2e0fe9e5f87d74c2956de9b79d11119b6c348b2ad50e4ead0731a37c6bef068d6e1b72a7e45490

Download Submit
C:\Windows\{22F5C34A-C46C-4e68-9B5A-5683117BC0A6}.exe

Filesize
168KB

MD5
991ecaa179bd144c9d14ad8cb5648f96

SHA1
44449ef0ca43d9502252054144191a0e54300f8f

SHA256
639017bc2b98bc066335968e8d2f0f384002ed712a4e86c1ccb6261412e9d672

SHA512
cddb24d3db2e26b0a86e3b963f866bc2f2e5f0880a75f676bc2e0fe9e5f87d74c2956de9b79d11119b6c348b2ad50e4ead0731a37c6bef068d6e1b72a7e45490

Download Submit
C:\Windows\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe

Filesize
168KB

MD5
caeca3a8c907a627a6696e2b52a7259a

SHA1
ead0d355ea0f038f39cc273521266f9ac0cae4d7

SHA256
412034dd98ceac43e5f448ddde1e9d5d5404ea6892f8bb6fb807d0f101157b52

SHA512
6c1e5fad4540e751f93e535c6da1fc53fa876cfb979633c35a611233a892ee929b3a68590ca0598e3235f8112e28a4b83002fe1d06f0782132bced7a0dc1c9e2

Download Submit
C:\Windows\{3E9FB4D9-5CE8-404c-8F06-594F4B0FD806}.exe

Filesize
168KB

MD5
caeca3a8c907a627a6696e2b52a7259a

SHA1
ead0d355ea0f038f39cc273521266f9ac0cae4d7

SHA256
412034dd98ceac43e5f448ddde1e9d5d5404ea6892f8bb6fb807d0f101157b52

SHA512
6c1e5fad4540e751f93e535c6da1fc53fa876cfb979633c35a611233a892ee929b3a68590ca0598e3235f8112e28a4b83002fe1d06f0782132bced7a0dc1c9e2

Download Submit
C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe

Filesize
168KB

MD5
a3f31ec3be40c91e37a4c4e25ad0557a

SHA1
464ea7abca90a3764ee0420d6d0bd0e8091e1d3d

SHA256
c7d0ff01ec99e95281b3f35e5b80fa8e86fa2cc2eee68c9b2c8e19924ac52bf6

SHA512
b06a7e3b940981a527dcca4946627abcec11698a1b7bd557bc8af110be999182e8ebebd5de645307953c9a6c6588ed22137ed28055e7d53f8dc08ac482b34c82

Download Submit
C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe

Filesize
168KB

MD5
a3f31ec3be40c91e37a4c4e25ad0557a

SHA1
464ea7abca90a3764ee0420d6d0bd0e8091e1d3d

SHA256
c7d0ff01ec99e95281b3f35e5b80fa8e86fa2cc2eee68c9b2c8e19924ac52bf6

SHA512
b06a7e3b940981a527dcca4946627abcec11698a1b7bd557bc8af110be999182e8ebebd5de645307953c9a6c6588ed22137ed28055e7d53f8dc08ac482b34c82

Download Submit
C:\Windows\{64E1B90D-646C-4c18-8465-FAA61214AA64}.exe

Filesize
168KB

MD5
a3f31ec3be40c91e37a4c4e25ad0557a

SHA1
464ea7abca90a3764ee0420d6d0bd0e8091e1d3d

SHA256
c7d0ff01ec99e95281b3f35e5b80fa8e86fa2cc2eee68c9b2c8e19924ac52bf6

SHA512
b06a7e3b940981a527dcca4946627abcec11698a1b7bd557bc8af110be999182e8ebebd5de645307953c9a6c6588ed22137ed28055e7d53f8dc08ac482b34c82

Download Submit
C:\Windows\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe

Filesize
168KB

MD5
abc0807156bb77c5a5ed2c920435c9a0

SHA1
96cf75f9e3517e3fef9a74f9c12f0e2def1517c8

SHA256
2dc6ec17becc33c97495b1e4ae3d11bff2a88dc352b61f9328f05c83e718e172

SHA512
5a070e1e9069bb4ee111700d468ff8202e9afd016347e6810c05a887952838c371515900f8b8cbf1bb2b698f683c71f212804e44b83db8f7c23f27d8cd3fe666

Download Submit
C:\Windows\{7837B9F6-89C0-4ae1-88C6-1C3E8BAECF00}.exe

Filesize
168KB

MD5
abc0807156bb77c5a5ed2c920435c9a0

SHA1
96cf75f9e3517e3fef9a74f9c12f0e2def1517c8

SHA256
2dc6ec17becc33c97495b1e4ae3d11bff2a88dc352b61f9328f05c83e718e172

SHA512
5a070e1e9069bb4ee111700d468ff8202e9afd016347e6810c05a887952838c371515900f8b8cbf1bb2b698f683c71f212804e44b83db8f7c23f27d8cd3fe666

Download Submit
C:\Windows\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe

Filesize
168KB

MD5
35af6d7c7162f376378ad022d65dae71

SHA1
fe829cca0b7991920c6f74f88a82933cd88efe6e

SHA256
8331305c50504d481dd0c2c2fcff02fb7bbb0c410c7f30e2ebeac4080f5558a5

SHA512
02cbca41028046f1466797780683a8e731b7c2aecca90faf55a2e3bab96229072a38811fb981f273afb1dbaa44b2680807af5b159b79d0929f377a1db2c85788

Download Submit
C:\Windows\{8FCA279C-BEAD-4fff-B6FA-BB4CF9439AB1}.exe

Filesize
168KB

MD5
35af6d7c7162f376378ad022d65dae71

SHA1
fe829cca0b7991920c6f74f88a82933cd88efe6e

SHA256
8331305c50504d481dd0c2c2fcff02fb7bbb0c410c7f30e2ebeac4080f5558a5

SHA512
02cbca41028046f1466797780683a8e731b7c2aecca90faf55a2e3bab96229072a38811fb981f273afb1dbaa44b2680807af5b159b79d0929f377a1db2c85788

Download Submit
C:\Windows\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe

Filesize
168KB

MD5
a187752d9ea9bbc2bfa2487a09d6d4d8

SHA1
d0a10c9be6bbfe8a03d4342e31eb76110bae042c

SHA256
fa22a300a64687acdf1d1544f37689574004ab0e8ccaac3d77be8a896b5dd1e1

SHA512
17c491c806606fb8bd2719c17cc056c727e8ff6aab47d09eb4b8e113e2709c16c7bf397e1ec5f0b319d6f829f092a72d6a4e1f13b919e8d4c47879adfb01e406

Download Submit
C:\Windows\{B0137FCC-D188-4aeb-9B33-65E6913A4269}.exe

Filesize
168KB

MD5
a187752d9ea9bbc2bfa2487a09d6d4d8

SHA1
d0a10c9be6bbfe8a03d4342e31eb76110bae042c

SHA256
fa22a300a64687acdf1d1544f37689574004ab0e8ccaac3d77be8a896b5dd1e1

SHA512
17c491c806606fb8bd2719c17cc056c727e8ff6aab47d09eb4b8e113e2709c16c7bf397e1ec5f0b319d6f829f092a72d6a4e1f13b919e8d4c47879adfb01e406

Download Submit
C:\Windows\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe

Filesize
168KB

MD5
cb4ee08ddd73a17103ae8a389f16b475

SHA1
120d5c3c777544a6243c12be4406700ed7a965c4

SHA256
f1a9c33dc381ae0ebeb60343e6da6d53ee452fce823ef8ff4b5b671a20d273f8

SHA512
b0d13f2082b808648fdf248171646d768e76444863a3a192d2b2e3f0953afeb44e981c937b35d06bd4e802ad1bfd845dcc67a13a22c47bd0da4967a19666389b

Download Submit
C:\Windows\{B6D9650F-B12D-46db-86A4-1429D22CEC3A}.exe

Filesize
168KB

MD5
cb4ee08ddd73a17103ae8a389f16b475

SHA1
120d5c3c777544a6243c12be4406700ed7a965c4

SHA256
f1a9c33dc381ae0ebeb60343e6da6d53ee452fce823ef8ff4b5b671a20d273f8

SHA512
b0d13f2082b808648fdf248171646d768e76444863a3a192d2b2e3f0953afeb44e981c937b35d06bd4e802ad1bfd845dcc67a13a22c47bd0da4967a19666389b

Download Submit
C:\Windows\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe

Filesize
168KB

MD5
37b4e03a045189d22b6cb1f5221ea355

SHA1
62cc8aca1982110ddfde0516c36c3bc92ab9caa3

SHA256
805241880a1e76a901c8c18dd7915eb408a6a3df04066152afe77df15189eb1f

SHA512
ead9876e839e1ec171469f1093b7cc9d6f68dcc3ae26bff9faa262bde19ab37df068701e06deb1af8de973f25e2ef05350af7c0a15112c8c430877ad1c91596d

Download Submit
C:\Windows\{BD31DDA0-91E8-41f7-84A5-FEE2B9AC9893}.exe

Filesize
168KB

MD5
37b4e03a045189d22b6cb1f5221ea355

SHA1
62cc8aca1982110ddfde0516c36c3bc92ab9caa3

SHA256
805241880a1e76a901c8c18dd7915eb408a6a3df04066152afe77df15189eb1f

SHA512
ead9876e839e1ec171469f1093b7cc9d6f68dcc3ae26bff9faa262bde19ab37df068701e06deb1af8de973f25e2ef05350af7c0a15112c8c430877ad1c91596d

Download Submit
C:\Windows\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe

Filesize
168KB

MD5
36c4a7438254934b90d941ef9e027973

SHA1
a240dadd72d06b59a314b0e8495f3c64e0e54210

SHA256
3c20ad2ea506fd43550638e2346b35ad4fddbe201d979ee30e4309297469a393

SHA512
17ce44a6b47704adc24ef5f1c6a3b391d00b45c475e98154a537368bab7f6481709e1c03b1a87d53e0d04ecba130faec6b338f6f3a3326d0524484335a33faa3

Download Submit
C:\Windows\{D7D03A09-FBAE-4a32-B654-9C62603F5DF3}.exe

Filesize
168KB

MD5
36c4a7438254934b90d941ef9e027973

SHA1
a240dadd72d06b59a314b0e8495f3c64e0e54210

SHA256
3c20ad2ea506fd43550638e2346b35ad4fddbe201d979ee30e4309297469a393

SHA512
17ce44a6b47704adc24ef5f1c6a3b391d00b45c475e98154a537368bab7f6481709e1c03b1a87d53e0d04ecba130faec6b338f6f3a3326d0524484335a33faa3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads