8023c50f1d21ad93bcaee6e8138ffbf32e9f2d9bc5184074ef3c3740f5f962ac

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 14:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
Size

204KB
MD5

2e74b425e584af90092a83ddaee75f9c
SHA1

34e11d62b57fcfab51708b8b120c89ce142d6963
SHA256

8023c50f1d21ad93bcaee6e8138ffbf32e9f2d9bc5184074ef3c3740f5f962ac
SHA512

32e881c2fe2b09bd12b70b42a6daabd074d1f7bbc8a406c7c707a76354911ebfa423eed245a21d28e606b1452df5d1b0a9473617d0ad10c0c6d3820321c4046d
SSDEEP

1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oSl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465BEB8A-A687-4244-8989-3924BD2CE6C4}\stubpath = "C:\\Windows\\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe"	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09E93EF-0539-4687-B87C-8941D70D6C5F}	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A4EA91-6141-43db-BE5C-D53D234F296E}	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}\stubpath = "C:\\Windows\\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe"	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465BEB8A-A687-4244-8989-3924BD2CE6C4}	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09E93EF-0539-4687-B87C-8941D70D6C5F}\stubpath = "C:\\Windows\\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe"	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}\stubpath = "C:\\Windows\\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe"	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C08F2D59-C150-4deb-98DC-98D0FE09255C}	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C08F2D59-C150-4deb-98DC-98D0FE09255C}\stubpath = "C:\\Windows\\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe"	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}\stubpath = "C:\\Windows\\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe"	{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}\stubpath = "C:\\Windows\\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe"	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9440147B-93A5-484f-B04D-B07D2B2E29DC}\stubpath = "C:\\Windows\\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe"	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}\stubpath = "C:\\Windows\\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe"	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}\stubpath = "C:\\Windows\\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe"	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}\stubpath = "C:\\Windows\\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe"	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A4EA91-6141-43db-BE5C-D53D234F296E}\stubpath = "C:\\Windows\\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe"	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9440147B-93A5-484f-B04D-B07D2B2E29DC}	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}	{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
2608	{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe
3772	{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
File created	C:\Windows\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
File created	C:\Windows\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
File created	C:\Windows\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
File created	C:\Windows\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
File created	C:\Windows\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
File created	C:\Windows\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
File created	C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
File created	C:\Windows\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
File created	C:\Windows\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
File created	C:\Windows\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
File created	C:\Windows\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe	{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
Token: SeIncBasePriorityPrivilege	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
Token: SeIncBasePriorityPrivilege	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
Token: SeIncBasePriorityPrivilege	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
Token: SeIncBasePriorityPrivilege	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
Token: SeIncBasePriorityPrivilege	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
Token: SeIncBasePriorityPrivilege	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
Token: SeIncBasePriorityPrivilege	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
Token: SeIncBasePriorityPrivilege	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
Token: SeIncBasePriorityPrivilege	5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
Token: SeIncBasePriorityPrivilege	2608	{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2264	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	90
PID 3904 wrote to memory of 2264	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	90
PID 3904 wrote to memory of 2264	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	90
PID 3904 wrote to memory of 2448	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	91
PID 3904 wrote to memory of 2448	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	91
PID 3904 wrote to memory of 2448	3904	2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe	91
PID 2264 wrote to memory of 1832	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	92
PID 2264 wrote to memory of 1832	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	92
PID 2264 wrote to memory of 1832	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	92
PID 2264 wrote to memory of 3860	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	93
PID 2264 wrote to memory of 3860	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	93
PID 2264 wrote to memory of 3860	2264	{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe	93
PID 1832 wrote to memory of 4304	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	95
PID 1832 wrote to memory of 4304	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	95
PID 1832 wrote to memory of 4304	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	95
PID 1832 wrote to memory of 1404	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	96
PID 1832 wrote to memory of 1404	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	96
PID 1832 wrote to memory of 1404	1832	{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe	96
PID 4304 wrote to memory of 3076	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	97
PID 4304 wrote to memory of 3076	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	97
PID 4304 wrote to memory of 3076	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	97
PID 4304 wrote to memory of 3656	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	98
PID 4304 wrote to memory of 3656	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	98
PID 4304 wrote to memory of 3656	4304	{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe	98
PID 3076 wrote to memory of 4216	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	99
PID 3076 wrote to memory of 4216	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	99
PID 3076 wrote to memory of 4216	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	99
PID 3076 wrote to memory of 3680	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	100
PID 3076 wrote to memory of 3680	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	100
PID 3076 wrote to memory of 3680	3076	{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe	100
PID 4216 wrote to memory of 4764	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	101
PID 4216 wrote to memory of 4764	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	101
PID 4216 wrote to memory of 4764	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	101
PID 4216 wrote to memory of 4556	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	102
PID 4216 wrote to memory of 4556	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	102
PID 4216 wrote to memory of 4556	4216	{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe	102
PID 4764 wrote to memory of 408	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	103
PID 4764 wrote to memory of 408	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	103
PID 4764 wrote to memory of 408	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	103
PID 4764 wrote to memory of 4656	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	104
PID 4764 wrote to memory of 4656	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	104
PID 4764 wrote to memory of 4656	4764	{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe	104
PID 408 wrote to memory of 2816	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	105
PID 408 wrote to memory of 2816	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	105
PID 408 wrote to memory of 2816	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	105
PID 408 wrote to memory of 4248	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	106
PID 408 wrote to memory of 4248	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	106
PID 408 wrote to memory of 4248	408	{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe	106
PID 2816 wrote to memory of 3172	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	107
PID 2816 wrote to memory of 3172	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	107
PID 2816 wrote to memory of 3172	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	107
PID 2816 wrote to memory of 3044	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	108
PID 2816 wrote to memory of 3044	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	108
PID 2816 wrote to memory of 3044	2816	{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe	108
PID 3172 wrote to memory of 5116	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	109
PID 3172 wrote to memory of 5116	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	109
PID 3172 wrote to memory of 5116	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	109
PID 3172 wrote to memory of 3448	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	110
PID 3172 wrote to memory of 3448	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	110
PID 3172 wrote to memory of 3448	3172	{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe	110
PID 5116 wrote to memory of 2608	5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe	111
PID 5116 wrote to memory of 2608	5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe	111
PID 5116 wrote to memory of 2608	5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe	111
PID 5116 wrote to memory of 3124	5116	{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe	112

C:\Users\Admin\AppData\Local\Temp\2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2e74b425e584af90092a83ddaee75f9c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
  C:\Windows\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
    C:\Windows\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
      C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
        
        C:\Windows\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
        
        C:\Windows\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
        
        C:\Windows\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
        
        C:\Windows\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
        
        C:\Windows\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
        
        C:\Windows\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
        
        C:\Windows\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe
        
        C:\Windows\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe
        
        C:\Windows\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe
        13⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C08F2~1.EXE > nul
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C2E~1.EXE > nul
        12⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC4E~1.EXE > nul
        11⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94401~1.EXE > nul
        10⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA23A~1.EXE > nul
        9⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE5B2~1.EXE > nul
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A4E~1.EXE > nul
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD68~1.EXE > nul
        6⤵
        
        PID:3680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F09E9~1.EXE > nul
        5⤵
        
        PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{465BE~1.EXE > nul
      4⤵
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99E24~1.EXE > nul
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E74B4~1.EXE > nul
  2⤵
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe

Filesize
204KB

MD5
8dcf5702beb38e6dc6e5a5da55e29781

SHA1
3fb39e6df057035bfaa2df480dad00b8d9a42ab3

SHA256
c57710a21ebf98a62ff33b595d1727006c0fcf885f906c06be86e1998d1a44e6

SHA512
cf267944d2e35e6de38d33791773830581ec6944319854090cae7bbfeda0e2a7b76e793e08dbf6916ca252b9c76240d81c21a1882d1157335dd148cdd495098e

Download Submit
C:\Windows\{465BEB8A-A687-4244-8989-3924BD2CE6C4}.exe

Filesize
204KB

MD5
8dcf5702beb38e6dc6e5a5da55e29781

SHA1
3fb39e6df057035bfaa2df480dad00b8d9a42ab3

SHA256
c57710a21ebf98a62ff33b595d1727006c0fcf885f906c06be86e1998d1a44e6

SHA512
cf267944d2e35e6de38d33791773830581ec6944319854090cae7bbfeda0e2a7b76e793e08dbf6916ca252b9c76240d81c21a1882d1157335dd148cdd495098e

Download Submit
C:\Windows\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe

Filesize
204KB

MD5
fd4a7696bb9c65dec4c934710b3ff001

SHA1
dfd5da353ae7d1ee4e51071a01f7144e0c27a868

SHA256
adf237a633490a2e18961673285142459b21adb590165af1050510958ebbf576

SHA512
829c1857bbc481572185b48e0713a0ef04298e1a4e7d3a7b85cba5202af4226c2acae910ed602393293f477432284f6eb00c5d929af19143a25b72510614d5c2

Download Submit
C:\Windows\{755E97E1-4F2C-4d50-AAE2-EC0379A689F6}.exe

Filesize
204KB

MD5
fd4a7696bb9c65dec4c934710b3ff001

SHA1
dfd5da353ae7d1ee4e51071a01f7144e0c27a868

SHA256
adf237a633490a2e18961673285142459b21adb590165af1050510958ebbf576

SHA512
829c1857bbc481572185b48e0713a0ef04298e1a4e7d3a7b85cba5202af4226c2acae910ed602393293f477432284f6eb00c5d929af19143a25b72510614d5c2

Download Submit
C:\Windows\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe

Filesize
204KB

MD5
3c67267fc17a0c204da5d013430f77c1

SHA1
9366806263afd88e69da8b14da18740c03601b1b

SHA256
1d2d6f98cae60d6681aebb50e4df70cf389e1800ba970572f008927d7cb5ae71

SHA512
f5f16310db33ba137fc30e4a367374e74bd6d1f229959a583b965c46edaa93ba9cc9ac27e7a12231774efc7c7ba136dcee8226b9586149c2591267f934ec238f

Download Submit
C:\Windows\{8CC4E418-1EF5-405d-BC53-ECABD15A2EC2}.exe

Filesize
204KB

MD5
3c67267fc17a0c204da5d013430f77c1

SHA1
9366806263afd88e69da8b14da18740c03601b1b

SHA256
1d2d6f98cae60d6681aebb50e4df70cf389e1800ba970572f008927d7cb5ae71

SHA512
f5f16310db33ba137fc30e4a367374e74bd6d1f229959a583b965c46edaa93ba9cc9ac27e7a12231774efc7c7ba136dcee8226b9586149c2591267f934ec238f

Download Submit
C:\Windows\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe

Filesize
204KB

MD5
29d3adb85c243d5ca65d9a9c16e09f0e

SHA1
3ce96f71e52ee6c4136d8b7f2065578c59b1c4a7

SHA256
63000bc80a9383a0eeb777985d91897a5d99a24d9fecdbaa5727566bee32b95e

SHA512
bd7930ec6be00e202e3d9c7ef3ab5b8c79a65234e0b5cfbbc78d1bf2bc175c822ae8dec3b7646c25189164a9ce516d4f091e6424a1c8c27d67fab7ddf4947706

Download Submit
C:\Windows\{9440147B-93A5-484f-B04D-B07D2B2E29DC}.exe

Filesize
204KB

MD5
29d3adb85c243d5ca65d9a9c16e09f0e

SHA1
3ce96f71e52ee6c4136d8b7f2065578c59b1c4a7

SHA256
63000bc80a9383a0eeb777985d91897a5d99a24d9fecdbaa5727566bee32b95e

SHA512
bd7930ec6be00e202e3d9c7ef3ab5b8c79a65234e0b5cfbbc78d1bf2bc175c822ae8dec3b7646c25189164a9ce516d4f091e6424a1c8c27d67fab7ddf4947706

Download Submit
C:\Windows\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe

Filesize
204KB

MD5
663a8cf3e93aed087c80a6a96dba29d8

SHA1
f22ef30e9cb0a8f1b17602cf8a9ddebb2606c66d

SHA256
425b8cd35f06bdbba88d1598a068bba1047e935db8017fc4d9171d770c7168bc

SHA512
65669a54c8385ce3c13c3626c4d12c1e11a1309e6e9be8204051d2e145f21ea5b462f3016912a0946bdb0af2c4227c14369a94b36cd64d715eece59248e3623d

Download Submit
C:\Windows\{99E24742-7E81-43d1-9C6F-CD5063A78EA2}.exe

Filesize
204KB

MD5
663a8cf3e93aed087c80a6a96dba29d8

SHA1
f22ef30e9cb0a8f1b17602cf8a9ddebb2606c66d

SHA256
425b8cd35f06bdbba88d1598a068bba1047e935db8017fc4d9171d770c7168bc

SHA512
65669a54c8385ce3c13c3626c4d12c1e11a1309e6e9be8204051d2e145f21ea5b462f3016912a0946bdb0af2c4227c14369a94b36cd64d715eece59248e3623d

Download Submit
C:\Windows\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe

Filesize
204KB

MD5
d049ecaabc404d482fe40327aa2697b5

SHA1
a0057d339fd5761c9852e1cdbe38ea5e2fe70005

SHA256
355b8a78394fd818b06d6355d8336e04056cb765ea04aed81037a3701512c7f7

SHA512
b194a260f25813564bb87ab5e5bd6661b9767283cd5066658b1a071adfb8b31dd9b024eff5edd80087f816f80f01a6c135bd3765f28dc45bf14f0cf0820eecc5

Download Submit
C:\Windows\{AA23A75E-0D5E-41a3-8228-F6EC8A992F9B}.exe

Filesize
204KB

MD5
d049ecaabc404d482fe40327aa2697b5

SHA1
a0057d339fd5761c9852e1cdbe38ea5e2fe70005

SHA256
355b8a78394fd818b06d6355d8336e04056cb765ea04aed81037a3701512c7f7

SHA512
b194a260f25813564bb87ab5e5bd6661b9767283cd5066658b1a071adfb8b31dd9b024eff5edd80087f816f80f01a6c135bd3765f28dc45bf14f0cf0820eecc5

Download Submit
C:\Windows\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe

Filesize
204KB

MD5
693dbcbbcd15565bec0d3730ae7a357f

SHA1
1c50a3338aef3c98239e2c4fbedd0c2e625be5a0

SHA256
2c26ece8a30e7fe1bc7c92d02b646f9070dd45bc39f8e562aaca655ba7f50bbd

SHA512
fd1564fbe720b25fc205763c5d15a2bb1ca5f33656df208b8aa42c4f91f064f7f3e537adbc50cff02efb46f3538a2e196a257878a0ede10d6949afec3411f46b

Download Submit
C:\Windows\{ABD68383-69E4-4dd8-8FBD-123CE0B2E937}.exe

Filesize
204KB

MD5
693dbcbbcd15565bec0d3730ae7a357f

SHA1
1c50a3338aef3c98239e2c4fbedd0c2e625be5a0

SHA256
2c26ece8a30e7fe1bc7c92d02b646f9070dd45bc39f8e562aaca655ba7f50bbd

SHA512
fd1564fbe720b25fc205763c5d15a2bb1ca5f33656df208b8aa42c4f91f064f7f3e537adbc50cff02efb46f3538a2e196a257878a0ede10d6949afec3411f46b

Download Submit
C:\Windows\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe

Filesize
204KB

MD5
36c64d643405a46e2c346fdb1bac6b1d

SHA1
b9219f01d852672a2a6e30bfbed2f75e6bcacd92

SHA256
e43afd528e028052cfda61e22093a657e9354b1a65443eb5ec3f3cccfd941896

SHA512
0c66e3e61739e64c74e78d4c242640d36a7fc45198463d465e20357c67d8117bf40b22dcb26456b4ac0b234a43cbe5948dd505743f066a75c35fdeac4a75ce7d

Download Submit
C:\Windows\{BE5B2963-EA41-485a-AA6A-22AD45ACF1DB}.exe

Filesize
204KB

MD5
36c64d643405a46e2c346fdb1bac6b1d

SHA1
b9219f01d852672a2a6e30bfbed2f75e6bcacd92

SHA256
e43afd528e028052cfda61e22093a657e9354b1a65443eb5ec3f3cccfd941896

SHA512
0c66e3e61739e64c74e78d4c242640d36a7fc45198463d465e20357c67d8117bf40b22dcb26456b4ac0b234a43cbe5948dd505743f066a75c35fdeac4a75ce7d

Download Submit
C:\Windows\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe

Filesize
204KB

MD5
03774ff78eab817deb015bf89fcc085e

SHA1
c8a9d1af949ac89cf7f9b58e8472d56eb54037d3

SHA256
ebc65079bec275da8bc337014356604e65f756243c95ff2ab58c4cecd9b769ce

SHA512
0328e1f761add4ca1acf5dd9b5ff0b1352e42fd19c410d9b858b998fe6b58c31fb478244cd597a7f80956a7664e39a0de01ab588d98c57d66b21339f68881470

Download Submit
C:\Windows\{C08F2D59-C150-4deb-98DC-98D0FE09255C}.exe

Filesize
204KB

MD5
03774ff78eab817deb015bf89fcc085e

SHA1
c8a9d1af949ac89cf7f9b58e8472d56eb54037d3

SHA256
ebc65079bec275da8bc337014356604e65f756243c95ff2ab58c4cecd9b769ce

SHA512
0328e1f761add4ca1acf5dd9b5ff0b1352e42fd19c410d9b858b998fe6b58c31fb478244cd597a7f80956a7664e39a0de01ab588d98c57d66b21339f68881470

Download Submit
C:\Windows\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe

Filesize
204KB

MD5
3939ac45406f4d502f27c15e1751bf45

SHA1
46edd4fe4ff2c473fb3461d830e7bb7c99199863

SHA256
c0cf733e31c8374a6f6afab76dedb4108124bc3ef591421aba1f8ed099b0f0a9

SHA512
b24df3698eaf9838178f4b16f102b93766c1b776b25d902f0fb609e99777941e8a4ba2173b810a54345ee7baebad4bf98ac9ba2f15e3200ff366b3e89f149daa

Download Submit
C:\Windows\{C1A4EA91-6141-43db-BE5C-D53D234F296E}.exe

Filesize
204KB

MD5
3939ac45406f4d502f27c15e1751bf45

SHA1
46edd4fe4ff2c473fb3461d830e7bb7c99199863

SHA256
c0cf733e31c8374a6f6afab76dedb4108124bc3ef591421aba1f8ed099b0f0a9

SHA512
b24df3698eaf9838178f4b16f102b93766c1b776b25d902f0fb609e99777941e8a4ba2173b810a54345ee7baebad4bf98ac9ba2f15e3200ff366b3e89f149daa

Download Submit
C:\Windows\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe

Filesize
204KB

MD5
6834c1e41a4fd49bfbd44d4592a489f7

SHA1
e590327dc589dc5080b4a7f01890e5c8d5a17319

SHA256
b12437ba960220a8d96a6f02fea2a487f0acfa8ab69e22ea3573abd852b22fcc

SHA512
d93726e28a30db2a6ee1a3c1fbdaaf28a8bf488f062534c88dbf6d4b3f01dd5e693e1e2e32fc1711c5672b7322860f4fdbdfb2df1300fb67040ada60615d9194

Download Submit
C:\Windows\{E4C2E1C5-F79B-4031-BEF1-6E32E36BAF37}.exe

Filesize
204KB

MD5
6834c1e41a4fd49bfbd44d4592a489f7

SHA1
e590327dc589dc5080b4a7f01890e5c8d5a17319

SHA256
b12437ba960220a8d96a6f02fea2a487f0acfa8ab69e22ea3573abd852b22fcc

SHA512
d93726e28a30db2a6ee1a3c1fbdaaf28a8bf488f062534c88dbf6d4b3f01dd5e693e1e2e32fc1711c5672b7322860f4fdbdfb2df1300fb67040ada60615d9194

Download Submit
C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe

Filesize
204KB

MD5
f7d252a734db499f37027e4bfc60f49a

SHA1
eb667a0a5fc6772104f6efdad61104d20e22f65e

SHA256
b589ad2e02304e7ea4dae23ee6f450c72ab961503fd44cd880250ec52d0205fa

SHA512
e33da0555519f58526aaa8f53708bf56ede2c1a303d100b0d01ec278b86558378e7912747d7b64858bd2e780ef33abd38d1b5ac474332732dcfc4dec41e78cf1

Download Submit
C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe

Filesize
204KB

MD5
f7d252a734db499f37027e4bfc60f49a

SHA1
eb667a0a5fc6772104f6efdad61104d20e22f65e

SHA256
b589ad2e02304e7ea4dae23ee6f450c72ab961503fd44cd880250ec52d0205fa

SHA512
e33da0555519f58526aaa8f53708bf56ede2c1a303d100b0d01ec278b86558378e7912747d7b64858bd2e780ef33abd38d1b5ac474332732dcfc4dec41e78cf1

Download Submit
C:\Windows\{F09E93EF-0539-4687-B87C-8941D70D6C5F}.exe

Filesize
204KB

MD5
f7d252a734db499f37027e4bfc60f49a

SHA1
eb667a0a5fc6772104f6efdad61104d20e22f65e

SHA256
b589ad2e02304e7ea4dae23ee6f450c72ab961503fd44cd880250ec52d0205fa

SHA512
e33da0555519f58526aaa8f53708bf56ede2c1a303d100b0d01ec278b86558378e7912747d7b64858bd2e780ef33abd38d1b5ac474332732dcfc4dec41e78cf1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads