018aa2213df50fffcc96b30d175569308924c456111af887d65206388e93ba5a

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Size

204KB
MD5

16fc1b54814f00d0284d76b8d672bf55
SHA1

1bb7b9ed08747b95e92fcd1f5196a0f173480dc9
SHA256

018aa2213df50fffcc96b30d175569308924c456111af887d65206388e93ba5a
SHA512

bd31e0876168716d9c4da9a631ad43c44b5453dc4135f4b5706638dcfa7363d78a2ec7d8f850ee9ffd62cdb6df1aba16792e0c551d8d89380b54617752b25d26
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oul1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}\stubpath = "C:\\Windows\\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe"	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076E12FF-7391-4df9-A75D-6178195F704E}\stubpath = "C:\\Windows\\{076E12FF-7391-4df9-A75D-6178195F704E}.exe"	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}\stubpath = "C:\\Windows\\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe"	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}\stubpath = "C:\\Windows\\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe"	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}\stubpath = "C:\\Windows\\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe"	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}\stubpath = "C:\\Windows\\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe"	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}\stubpath = "C:\\Windows\\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe"	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}\stubpath = "C:\\Windows\\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe"	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B29F43-5725-40a0-85EC-13D05584EDE5}\stubpath = "C:\\Windows\\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe"	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076E12FF-7391-4df9-A75D-6178195F704E}	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25E19D6-0226-491d-9F00-4532046F7A1E}	{076E12FF-7391-4df9-A75D-6178195F704E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25E19D6-0226-491d-9F00-4532046F7A1E}\stubpath = "C:\\Windows\\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe"	{076E12FF-7391-4df9-A75D-6178195F704E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}\stubpath = "C:\\Windows\\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe"	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B29F43-5725-40a0-85EC-13D05584EDE5}	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}\stubpath = "C:\\Windows\\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe"	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe

Executes dropped EXE 12 IoCs

pid	Process
2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
5048	{076E12FF-7391-4df9-A75D-6178195F704E}.exe
1396	{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
File created	C:\Windows\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
File created	C:\Windows\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
File created	C:\Windows\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
File created	C:\Windows\{076E12FF-7391-4df9-A75D-6178195F704E}.exe	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
File created	C:\Windows\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe	{076E12FF-7391-4df9-A75D-6178195F704E}.exe
File created	C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
File created	C:\Windows\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
File created	C:\Windows\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
File created	C:\Windows\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
File created	C:\Windows\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
File created	C:\Windows\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
Token: SeIncBasePriorityPrivilege	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
Token: SeIncBasePriorityPrivilege	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
Token: SeIncBasePriorityPrivilege	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
Token: SeIncBasePriorityPrivilege	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
Token: SeIncBasePriorityPrivilege	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
Token: SeIncBasePriorityPrivilege	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
Token: SeIncBasePriorityPrivilege	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
Token: SeIncBasePriorityPrivilege	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
Token: SeIncBasePriorityPrivilege	4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
Token: SeIncBasePriorityPrivilege	5048	{076E12FF-7391-4df9-A75D-6178195F704E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2884	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	86
PID 3936 wrote to memory of 2884	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	86
PID 3936 wrote to memory of 2884	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	86
PID 3936 wrote to memory of 4168	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	87
PID 3936 wrote to memory of 4168	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	87
PID 3936 wrote to memory of 4168	3936	16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe	87
PID 2884 wrote to memory of 4292	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	91
PID 2884 wrote to memory of 4292	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	91
PID 2884 wrote to memory of 4292	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	91
PID 2884 wrote to memory of 2204	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	92
PID 2884 wrote to memory of 2204	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	92
PID 2884 wrote to memory of 2204	2884	{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe	92
PID 4292 wrote to memory of 884	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	95
PID 4292 wrote to memory of 884	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	95
PID 4292 wrote to memory of 884	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	95
PID 4292 wrote to memory of 1816	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	94
PID 4292 wrote to memory of 1816	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	94
PID 4292 wrote to memory of 1816	4292	{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe	94
PID 884 wrote to memory of 552	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	96
PID 884 wrote to memory of 552	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	96
PID 884 wrote to memory of 552	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	96
PID 884 wrote to memory of 4820	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	97
PID 884 wrote to memory of 4820	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	97
PID 884 wrote to memory of 4820	884	{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe	97
PID 552 wrote to memory of 3880	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	98
PID 552 wrote to memory of 3880	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	98
PID 552 wrote to memory of 3880	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	98
PID 552 wrote to memory of 8	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	99
PID 552 wrote to memory of 8	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	99
PID 552 wrote to memory of 8	552	{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe	99
PID 3880 wrote to memory of 1868	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	100
PID 3880 wrote to memory of 1868	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	100
PID 3880 wrote to memory of 1868	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	100
PID 3880 wrote to memory of 4716	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	101
PID 3880 wrote to memory of 4716	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	101
PID 3880 wrote to memory of 4716	3880	{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe	101
PID 1868 wrote to memory of 1444	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	102
PID 1868 wrote to memory of 1444	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	102
PID 1868 wrote to memory of 1444	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	102
PID 1868 wrote to memory of 4336	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	103
PID 1868 wrote to memory of 4336	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	103
PID 1868 wrote to memory of 4336	1868	{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe	103
PID 1444 wrote to memory of 4584	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	104
PID 1444 wrote to memory of 4584	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	104
PID 1444 wrote to memory of 4584	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	104
PID 1444 wrote to memory of 532	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	105
PID 1444 wrote to memory of 532	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	105
PID 1444 wrote to memory of 532	1444	{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe	105
PID 4584 wrote to memory of 3460	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	107
PID 4584 wrote to memory of 3460	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	107
PID 4584 wrote to memory of 3460	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	107
PID 4584 wrote to memory of 1220	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	106
PID 4584 wrote to memory of 1220	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	106
PID 4584 wrote to memory of 1220	4584	{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe	106
PID 3460 wrote to memory of 4988	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	108
PID 3460 wrote to memory of 4988	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	108
PID 3460 wrote to memory of 4988	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	108
PID 3460 wrote to memory of 3232	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	109
PID 3460 wrote to memory of 3232	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	109
PID 3460 wrote to memory of 3232	3460	{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe	109
PID 4988 wrote to memory of 5048	4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe	110
PID 4988 wrote to memory of 5048	4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe	110
PID 4988 wrote to memory of 5048	4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe	110
PID 4988 wrote to memory of 2988	4988	{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe	111

C:\Users\Admin\AppData\Local\Temp\16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\16fc1b54814f00d0284d76b8d672bf55_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
  C:\Windows\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
    C:\Windows\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{13D0D~1.EXE > nul
      4⤵
      PID:1816
  - - C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
      C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
        
        C:\Windows\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
        
        C:\Windows\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
        
        C:\Windows\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
        
        C:\Windows\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
        
        C:\Windows\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCE9E~1.EXE > nul
        10⤵
        
        PID:1220
        
        C:\Windows\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
        
        C:\Windows\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
        
        C:\Windows\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{076E12FF-7391-4df9-A75D-6178195F704E}.exe
        
        C:\Windows\{076E12FF-7391-4df9-A75D-6178195F704E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe
        
        C:\Windows\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{076E1~1.EXE > nul
        13⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B29~1.EXE > nul
        12⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C94~1.EXE > nul
        11⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EC45~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{168AB~1.EXE > nul
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7411C~1.EXE > nul
        7⤵
        
        PID:4716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9BF~1.EXE > nul
        6⤵
        
        PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF984~1.EXE > nul
        5⤵
        
        PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51ADC~1.EXE > nul
    3⤵
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\16FC1B~1.EXE > nul
  2⤵
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{076E12FF-7391-4df9-A75D-6178195F704E}.exe

Filesize
204KB

MD5
5375adf7807f4c896d6c5a92f044a3d4

SHA1
f67f76dfc42dcdc05b65a7b917cda89333ff0515

SHA256
201fcdea1d6565afdad73c23b22b15cb542a5d77213441dfef00f7a960223328

SHA512
ad99fde0123eba1c9120db305bbb939cc7ee5280177ecdd3d21bdc8ebaa78f8d8aae6e03d5c37cb67f15f66a03d727e3c5c940ef5b82dcc7333c77a8b5f55eda

Download Submit
C:\Windows\{076E12FF-7391-4df9-A75D-6178195F704E}.exe

Filesize
204KB

MD5
5375adf7807f4c896d6c5a92f044a3d4

SHA1
f67f76dfc42dcdc05b65a7b917cda89333ff0515

SHA256
201fcdea1d6565afdad73c23b22b15cb542a5d77213441dfef00f7a960223328

SHA512
ad99fde0123eba1c9120db305bbb939cc7ee5280177ecdd3d21bdc8ebaa78f8d8aae6e03d5c37cb67f15f66a03d727e3c5c940ef5b82dcc7333c77a8b5f55eda

Download Submit
C:\Windows\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe

Filesize
204KB

MD5
889a1b5abd34d2de3cf680fa3b7c04e7

SHA1
83d8c0de50dc8d3f16d9ff5ca9402b563affb1f1

SHA256
f94ddaf7f8d1156b355b68707eb86d4bf758bd012b6db12ac258902d61d710d1

SHA512
10a2ed144f66513a1777263557f88e39192e985ad92613534caded40df23d2b2c23995ee6113dde02e57a6413282a8e5c88f60761e34dba96853b307f8a3a772

Download Submit
C:\Windows\{0A9BF9C3-35A3-4c31-AF8A-4AA7A54F7D04}.exe

Filesize
204KB

MD5
889a1b5abd34d2de3cf680fa3b7c04e7

SHA1
83d8c0de50dc8d3f16d9ff5ca9402b563affb1f1

SHA256
f94ddaf7f8d1156b355b68707eb86d4bf758bd012b6db12ac258902d61d710d1

SHA512
10a2ed144f66513a1777263557f88e39192e985ad92613534caded40df23d2b2c23995ee6113dde02e57a6413282a8e5c88f60761e34dba96853b307f8a3a772

Download Submit
C:\Windows\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe

Filesize
204KB

MD5
a6f74e69e2999a182baf2766d468bf3c

SHA1
9d3f0e5556c9a1d2cff492999ca87b248b950116

SHA256
752959af5a41c25a38532e82c803d9feeef0e736c804b58bc9bf557668cbf0f3

SHA512
f7bd727a16d4a2bc49096ba82604f2ecb64978a806c9f0571682b687fc683107282bb22ab134e9024882a78dd98cb660a4ae317020163a4d55ec8be516c48bca

Download Submit
C:\Windows\{13D0DA19-C210-4fc4-BB79-947F46BFDC2E}.exe

Filesize
204KB

MD5
a6f74e69e2999a182baf2766d468bf3c

SHA1
9d3f0e5556c9a1d2cff492999ca87b248b950116

SHA256
752959af5a41c25a38532e82c803d9feeef0e736c804b58bc9bf557668cbf0f3

SHA512
f7bd727a16d4a2bc49096ba82604f2ecb64978a806c9f0571682b687fc683107282bb22ab134e9024882a78dd98cb660a4ae317020163a4d55ec8be516c48bca

Download Submit
C:\Windows\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe

Filesize
204KB

MD5
0922920cb2589d68c20433dc135b0851

SHA1
9135ffcd7575a17c57fa220e527fd0fdbfbbd3d9

SHA256
dc0278f33fee3890de86265343f12fe8ec2378012a44cdda7602cce97845493d

SHA512
8e9452e23c85ee53ec1c9d53a1484f8f7997b27996625681dc79e65ef64bac73f68d1b5622858df0bdb89a5ae023b2aa7ede8436252935d077024086560933ee

Download Submit
C:\Windows\{168ABDD9-BD96-4e00-8E0A-40AF019C381F}.exe

Filesize
204KB

MD5
0922920cb2589d68c20433dc135b0851

SHA1
9135ffcd7575a17c57fa220e527fd0fdbfbbd3d9

SHA256
dc0278f33fee3890de86265343f12fe8ec2378012a44cdda7602cce97845493d

SHA512
8e9452e23c85ee53ec1c9d53a1484f8f7997b27996625681dc79e65ef64bac73f68d1b5622858df0bdb89a5ae023b2aa7ede8436252935d077024086560933ee

Download Submit
C:\Windows\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe

Filesize
204KB

MD5
65a5c555edf17ae38a9c3482f84a6f29

SHA1
8f5d652122d21cd85656155efb9754f49aa3230d

SHA256
4a7344334a1815cb52fd7fa6bab06f51a71fe0fb5a830ec774084457faf83214

SHA512
295d659878efb3d5a4b3662f3e44ba26dc045ec3ebe52db7868d2175d91d6c5a322b3d219e7c17530ac3e816a31fc894d7cf89b2a63944172fded2fb58b01dee

Download Submit
C:\Windows\{2EC45916-09BA-42ef-A8B5-A264CDA5F3A7}.exe

Filesize
204KB

MD5
65a5c555edf17ae38a9c3482f84a6f29

SHA1
8f5d652122d21cd85656155efb9754f49aa3230d

SHA256
4a7344334a1815cb52fd7fa6bab06f51a71fe0fb5a830ec774084457faf83214

SHA512
295d659878efb3d5a4b3662f3e44ba26dc045ec3ebe52db7868d2175d91d6c5a322b3d219e7c17530ac3e816a31fc894d7cf89b2a63944172fded2fb58b01dee

Download Submit
C:\Windows\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe

Filesize
204KB

MD5
a6a48a338f7705cc503aa38e45674b7f

SHA1
0f1814f1b6d7d46e1f6dd21ba3ad54b553f88e09

SHA256
cfe7197e66a148539f1878cd23d3c7e1329d6343f096bd3e5e387580d253753e

SHA512
e7beed5d8b44a5729a1568cdf6db928063cac3bb2848c179300b3fec6942cbb1ab6eb83fd5ad7292b62dc3b1aaa5d8dc15354e58e2e96abd93d53ddb60ab6bef

Download Submit
C:\Windows\{51ADC173-0218-4fdc-8489-E8F52B8A3A67}.exe

Filesize
204KB

MD5
a6a48a338f7705cc503aa38e45674b7f

SHA1
0f1814f1b6d7d46e1f6dd21ba3ad54b553f88e09

SHA256
cfe7197e66a148539f1878cd23d3c7e1329d6343f096bd3e5e387580d253753e

SHA512
e7beed5d8b44a5729a1568cdf6db928063cac3bb2848c179300b3fec6942cbb1ab6eb83fd5ad7292b62dc3b1aaa5d8dc15354e58e2e96abd93d53ddb60ab6bef

Download Submit
C:\Windows\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe

Filesize
204KB

MD5
31270c55de3539e0191788996fa6f673

SHA1
a7d4cc8934b9ebe792f4d81ad27c10a858932fd0

SHA256
38735ecf66c8368bba1590fae480673ecab71c64c60d20bd9bb3ccaaa9f4997a

SHA512
0aa1f6bc2328cd979e7c76dc78e43affd4215a9a2e51a3411f37d86eba40dd0bb0c2ae2ed4540476ec74cbea491e0c5cbce038bac5e27366e09bb0200fafe17e

Download Submit
C:\Windows\{7411C8C4-41A0-48fb-8375-6D8627FAB5A5}.exe

Filesize
204KB

MD5
31270c55de3539e0191788996fa6f673

SHA1
a7d4cc8934b9ebe792f4d81ad27c10a858932fd0

SHA256
38735ecf66c8368bba1590fae480673ecab71c64c60d20bd9bb3ccaaa9f4997a

SHA512
0aa1f6bc2328cd979e7c76dc78e43affd4215a9a2e51a3411f37d86eba40dd0bb0c2ae2ed4540476ec74cbea491e0c5cbce038bac5e27366e09bb0200fafe17e

Download Submit
C:\Windows\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe

Filesize
204KB

MD5
a9816a1f0c8712b1609665f1e83c494d

SHA1
6930a97bf982e6c76d57d4bcd3bdfac5da649925

SHA256
d268325737f50fb0d852fef11de89afc11f2c7ddfad9e559888b7731f2c004c8

SHA512
9aaeb8263f81febe9a755ab3b7cf33da6a49a5e7f9213b760f837663f43a2c6462e1cdd51239cc0dac26522dd3ba51e03fd412912aead3bb7537da2108097d9c

Download Submit
C:\Windows\{A4C94567-97E7-4a6f-AA50-0008D67DCACA}.exe

Filesize
204KB

MD5
a9816a1f0c8712b1609665f1e83c494d

SHA1
6930a97bf982e6c76d57d4bcd3bdfac5da649925

SHA256
d268325737f50fb0d852fef11de89afc11f2c7ddfad9e559888b7731f2c004c8

SHA512
9aaeb8263f81febe9a755ab3b7cf33da6a49a5e7f9213b760f837663f43a2c6462e1cdd51239cc0dac26522dd3ba51e03fd412912aead3bb7537da2108097d9c

Download Submit
C:\Windows\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe

Filesize
204KB

MD5
3f89247ebded9b93ccb7f349150221eb

SHA1
4b18022770ad4c1ab209a7441293e27117cb6162

SHA256
f60d7ac47282b2d917254f815bcff2629ad687f2dafa6dc11f7990ebca7e3c28

SHA512
44e606efe8f51be25f06776b2b0c452dadeeccea9505bae0613f87bd18dee533c466645c2ea066db1fc6e343f1e795675b71717e01d211db838e2bff71926bb1

Download Submit
C:\Windows\{D0B29F43-5725-40a0-85EC-13D05584EDE5}.exe

Filesize
204KB

MD5
3f89247ebded9b93ccb7f349150221eb

SHA1
4b18022770ad4c1ab209a7441293e27117cb6162

SHA256
f60d7ac47282b2d917254f815bcff2629ad687f2dafa6dc11f7990ebca7e3c28

SHA512
44e606efe8f51be25f06776b2b0c452dadeeccea9505bae0613f87bd18dee533c466645c2ea066db1fc6e343f1e795675b71717e01d211db838e2bff71926bb1

Download Submit
C:\Windows\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe

Filesize
204KB

MD5
4677b7f899a7b832c03d3f74ea33fea9

SHA1
f8b1d527c395507c1d41a8ef7f0bab8bcb9441c3

SHA256
b9fdc96b426522591c77c2c58dec434098846e0b7f9cdf205c369e251ae3bc28

SHA512
6bfc5326785111c8aa331dd4afad8797c636233c5bde54033d50cdad5c562c718ef1d35e5a4bf3ae79d6e9112b561dff61936d23a54d909e60c07aa15a907e87

Download Submit
C:\Windows\{F25E19D6-0226-491d-9F00-4532046F7A1E}.exe

Filesize
204KB

MD5
4677b7f899a7b832c03d3f74ea33fea9

SHA1
f8b1d527c395507c1d41a8ef7f0bab8bcb9441c3

SHA256
b9fdc96b426522591c77c2c58dec434098846e0b7f9cdf205c369e251ae3bc28

SHA512
6bfc5326785111c8aa331dd4afad8797c636233c5bde54033d50cdad5c562c718ef1d35e5a4bf3ae79d6e9112b561dff61936d23a54d909e60c07aa15a907e87

Download Submit
C:\Windows\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe

Filesize
204KB

MD5
b765daa75db1e2dc345eac315220de77

SHA1
e4b6373d19998c4e51446f211c2759b5c49675fa

SHA256
7ce26749fc9866366330023f0a5a68bc4571a8081757c81b135f96d7729e5647

SHA512
a897e3bee4fa2a927f9ed6cf161bedba5cb6c12335e2d053f5200ea36417a0b37f71740051479253f6863527fcb8e70de6ba4246ef7a94f0cd0619838db545ae

Download Submit
C:\Windows\{FCE9ED83-D21B-4398-B30E-2F3ABC1B21C7}.exe

Filesize
204KB

MD5
b765daa75db1e2dc345eac315220de77

SHA1
e4b6373d19998c4e51446f211c2759b5c49675fa

SHA256
7ce26749fc9866366330023f0a5a68bc4571a8081757c81b135f96d7729e5647

SHA512
a897e3bee4fa2a927f9ed6cf161bedba5cb6c12335e2d053f5200ea36417a0b37f71740051479253f6863527fcb8e70de6ba4246ef7a94f0cd0619838db545ae

Download Submit
C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe

Filesize
204KB

MD5
c02a6b79c127dd3201ee59bd7c7d3741

SHA1
a729a5c0d8b4ea36627311685fd30ea4a39c559a

SHA256
6dcd435893d471bbf20b9505cbcc9124d43423216065aed87cbf58ab82aea19b

SHA512
5656f607809f218fde8d474d969d84586f8a69b924750dc250454660397c35373933a466b3de33ce0b7c81a47b96461f2256c6cc90671dda373af90a764cf4b9

Download Submit
C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe

Filesize
204KB

MD5
c02a6b79c127dd3201ee59bd7c7d3741

SHA1
a729a5c0d8b4ea36627311685fd30ea4a39c559a

SHA256
6dcd435893d471bbf20b9505cbcc9124d43423216065aed87cbf58ab82aea19b

SHA512
5656f607809f218fde8d474d969d84586f8a69b924750dc250454660397c35373933a466b3de33ce0b7c81a47b96461f2256c6cc90671dda373af90a764cf4b9

Download Submit
C:\Windows\{FF984379-A1EA-4ee3-8801-34E40A1BC86C}.exe

Filesize
204KB

MD5
c02a6b79c127dd3201ee59bd7c7d3741

SHA1
a729a5c0d8b4ea36627311685fd30ea4a39c559a

SHA256
6dcd435893d471bbf20b9505cbcc9124d43423216065aed87cbf58ab82aea19b

SHA512
5656f607809f218fde8d474d969d84586f8a69b924750dc250454660397c35373933a466b3de33ce0b7c81a47b96461f2256c6cc90671dda373af90a764cf4b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads