c820bebaccaba0437b98a73187f7bd891e6aaf41e20158981b663c2af081bf8b

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Size

380KB
MD5

9f941e42c1e3b078e1cbe92d24fa039c
SHA1

71c65435d724937a130e1888a6b949c9744e5c5b
SHA256

c820bebaccaba0437b98a73187f7bd891e6aaf41e20158981b663c2af081bf8b
SHA512

00cec308d452a7aa94bc3e92fa4c5f1cba9334ad49118e012acdb8422e2ff9e47f75a90ce8e7d39c236b931a2c28729e23afb4cb122f951349e4fba4c3c14c8a
SSDEEP

3072:mEGh0oSlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGkl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83592EA5-0664-447a-A2F0-82DB79C6438D}\stubpath = "C:\\Windows\\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe"	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE77406-683C-4fdb-8844-4B757941CF1E}	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ADA90B3-2185-498c-8E95-8C61140530FC}	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83592EA5-0664-447a-A2F0-82DB79C6438D}	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}\stubpath = "C:\\Windows\\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe"	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BBB862-EE14-47c0-9557-D3EEBF767D77}\stubpath = "C:\\Windows\\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe"	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63179942-A5C9-4b94-ACD9-5EBD2B920198}	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63179942-A5C9-4b94-ACD9-5EBD2B920198}\stubpath = "C:\\Windows\\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe"	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}\stubpath = "C:\\Windows\\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe"	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE77406-683C-4fdb-8844-4B757941CF1E}\stubpath = "C:\\Windows\\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe"	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}\stubpath = "C:\\Windows\\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe"	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}\stubpath = "C:\\Windows\\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe"	{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}\stubpath = "C:\\Windows\\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe"	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BBB862-EE14-47c0-9557-D3EEBF767D77}	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B786C3-F0BA-491f-9963-BDE664E02507}	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}\stubpath = "C:\\Windows\\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe"	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B786C3-F0BA-491f-9963-BDE664E02507}\stubpath = "C:\\Windows\\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe"	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}	{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ADA90B3-2185-498c-8E95-8C61140530FC}\stubpath = "C:\\Windows\\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe"	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
1848	{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe
3648	{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
File created	C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
File created	C:\Windows\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
File created	C:\Windows\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
File created	C:\Windows\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
File created	C:\Windows\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
File created	C:\Windows\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
File created	C:\Windows\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
File created	C:\Windows\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
File created	C:\Windows\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
File created	C:\Windows\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
File created	C:\Windows\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe	{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
Token: SeIncBasePriorityPrivilege	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
Token: SeIncBasePriorityPrivilege	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
Token: SeIncBasePriorityPrivilege	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
Token: SeIncBasePriorityPrivilege	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
Token: SeIncBasePriorityPrivilege	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
Token: SeIncBasePriorityPrivilege	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
Token: SeIncBasePriorityPrivilege	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
Token: SeIncBasePriorityPrivilege	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
Token: SeIncBasePriorityPrivilege	2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
Token: SeIncBasePriorityPrivilege	1848	{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3524	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	89
PID 2236 wrote to memory of 3524	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	89
PID 2236 wrote to memory of 3524	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	89
PID 2236 wrote to memory of 448	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	90
PID 2236 wrote to memory of 448	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	90
PID 2236 wrote to memory of 448	2236	9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe	90
PID 3524 wrote to memory of 4384	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	91
PID 3524 wrote to memory of 4384	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	91
PID 3524 wrote to memory of 4384	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	91
PID 3524 wrote to memory of 3388	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	92
PID 3524 wrote to memory of 3388	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	92
PID 3524 wrote to memory of 3388	3524	{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe	92
PID 4384 wrote to memory of 5032	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	94
PID 4384 wrote to memory of 5032	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	94
PID 4384 wrote to memory of 5032	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	94
PID 4384 wrote to memory of 3664	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	95
PID 4384 wrote to memory of 3664	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	95
PID 4384 wrote to memory of 3664	4384	{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe	95
PID 5032 wrote to memory of 4344	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	96
PID 5032 wrote to memory of 4344	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	96
PID 5032 wrote to memory of 4344	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	96
PID 5032 wrote to memory of 4628	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	97
PID 5032 wrote to memory of 4628	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	97
PID 5032 wrote to memory of 4628	5032	{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe	97
PID 4344 wrote to memory of 1668	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	98
PID 4344 wrote to memory of 1668	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	98
PID 4344 wrote to memory of 1668	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	98
PID 4344 wrote to memory of 2400	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	99
PID 4344 wrote to memory of 2400	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	99
PID 4344 wrote to memory of 2400	4344	{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe	99
PID 1668 wrote to memory of 552	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	100
PID 1668 wrote to memory of 552	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	100
PID 1668 wrote to memory of 552	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	100
PID 1668 wrote to memory of 2796	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	101
PID 1668 wrote to memory of 2796	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	101
PID 1668 wrote to memory of 2796	1668	{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe	101
PID 552 wrote to memory of 4200	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	102
PID 552 wrote to memory of 4200	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	102
PID 552 wrote to memory of 4200	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	102
PID 552 wrote to memory of 4244	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	103
PID 552 wrote to memory of 4244	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	103
PID 552 wrote to memory of 4244	552	{13B786C3-F0BA-491f-9963-BDE664E02507}.exe	103
PID 4200 wrote to memory of 2032	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	104
PID 4200 wrote to memory of 2032	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	104
PID 4200 wrote to memory of 2032	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	104
PID 4200 wrote to memory of 1572	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	105
PID 4200 wrote to memory of 1572	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	105
PID 4200 wrote to memory of 1572	4200	{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe	105
PID 2032 wrote to memory of 3808	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	106
PID 2032 wrote to memory of 3808	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	106
PID 2032 wrote to memory of 3808	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	106
PID 2032 wrote to memory of 4976	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	107
PID 2032 wrote to memory of 4976	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	107
PID 2032 wrote to memory of 4976	2032	{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe	107
PID 3808 wrote to memory of 2316	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	108
PID 3808 wrote to memory of 2316	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	108
PID 3808 wrote to memory of 2316	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	108
PID 3808 wrote to memory of 512	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	109
PID 3808 wrote to memory of 512	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	109
PID 3808 wrote to memory of 512	3808	{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe	109
PID 2316 wrote to memory of 1848	2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe	110
PID 2316 wrote to memory of 1848	2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe	110
PID 2316 wrote to memory of 1848	2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe	110
PID 2316 wrote to memory of 4028	2316	{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe	111

C:\Users\Admin\AppData\Local\Temp\9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9f941e42c1e3b078e1cbe92d24fa039c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
  C:\Windows\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
    C:\Windows\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
      C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
        
        C:\Windows\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
        
        C:\Windows\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
        
        C:\Windows\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
        
        C:\Windows\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
        
        C:\Windows\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
        
        C:\Windows\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
        
        C:\Windows\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe
        
        C:\Windows\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe
        
        C:\Windows\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D3E8~1.EXE > nul
        13⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE77~1.EXE > nul
        12⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0CAB~1.EXE > nul
        11⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63179~1.EXE > nul
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83592~1.EXE > nul
        9⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13B78~1.EXE > nul
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47BBB~1.EXE > nul
        7⤵
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B584~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA84F~1.EXE > nul
        5⤵
        
        PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DE27~1.EXE > nul
      4⤵
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8ADA9~1.EXE > nul
    3⤵
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9F941E~1.EXE > nul
  2⤵
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe

Filesize
380KB

MD5
df8db5ec8eb1b7ec9d20c1c33b2d20cb

SHA1
6bd7b304323182e1bb387dc39edce442f2f7477d

SHA256
5b4ac3b577646fc5b9b327c4fdaac871ce2f0e8b0b6e39cb9b5c57e5ce931079

SHA512
0517486b8011e7b488d786d05a31afeeed54003fb97ff01fe979df398530e77258d06c08157d379697d8154d4d0edd5c48a527a8b8fb4cd1b28cb543b579c37d

Download Submit
C:\Windows\{13B786C3-F0BA-491f-9963-BDE664E02507}.exe

Filesize
380KB

MD5
df8db5ec8eb1b7ec9d20c1c33b2d20cb

SHA1
6bd7b304323182e1bb387dc39edce442f2f7477d

SHA256
5b4ac3b577646fc5b9b327c4fdaac871ce2f0e8b0b6e39cb9b5c57e5ce931079

SHA512
0517486b8011e7b488d786d05a31afeeed54003fb97ff01fe979df398530e77258d06c08157d379697d8154d4d0edd5c48a527a8b8fb4cd1b28cb543b579c37d

Download Submit
C:\Windows\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe

Filesize
380KB

MD5
da5c82760f76f88dbc33b26c738b64e0

SHA1
129b49bd1367d93024aecaf474b19c48379832a0

SHA256
c5ef8c6672d2720befacfdd66a12cf5b7f4a3f980f7dfa95c7e3d7dde6334963

SHA512
606052e7f3345d2438177626f37b9dd734cdf840f5c62a0b42549ad343997f9cbd3548e3a71f2c8f9ff0c76f1102f7db02abb81836e1cd08636d7ef02e67270e

Download Submit
C:\Windows\{1DE2758E-EF3E-4b4d-8814-A7538D78EDF7}.exe

Filesize
380KB

MD5
da5c82760f76f88dbc33b26c738b64e0

SHA1
129b49bd1367d93024aecaf474b19c48379832a0

SHA256
c5ef8c6672d2720befacfdd66a12cf5b7f4a3f980f7dfa95c7e3d7dde6334963

SHA512
606052e7f3345d2438177626f37b9dd734cdf840f5c62a0b42549ad343997f9cbd3548e3a71f2c8f9ff0c76f1102f7db02abb81836e1cd08636d7ef02e67270e

Download Submit
C:\Windows\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe

Filesize
380KB

MD5
627d4d47b594c17222ac67f3dd875ab7

SHA1
2809b1e937aac6727a18d83fb2ac0c21d3b84e3f

SHA256
789dfca13b3dfcc8f674d5dba0022a14651fde98c05f82cb03a8b3d4a943840f

SHA512
f6ed554b3a22e402a5665c407c7038600c040c03e0065b96a0aed335690177df2f34398ef9f7aa41bca432ab1507a315b6a6ba9defef1eda12a1f93508833c8f

Download Submit
C:\Windows\{47BBB862-EE14-47c0-9557-D3EEBF767D77}.exe

Filesize
380KB

MD5
627d4d47b594c17222ac67f3dd875ab7

SHA1
2809b1e937aac6727a18d83fb2ac0c21d3b84e3f

SHA256
789dfca13b3dfcc8f674d5dba0022a14651fde98c05f82cb03a8b3d4a943840f

SHA512
f6ed554b3a22e402a5665c407c7038600c040c03e0065b96a0aed335690177df2f34398ef9f7aa41bca432ab1507a315b6a6ba9defef1eda12a1f93508833c8f

Download Submit
C:\Windows\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe

Filesize
380KB

MD5
7f6ec072f4fde56942a4330d868db04b

SHA1
937189bb0e98e2f62e7f0c2edb782818435068d9

SHA256
7b65bc6de63a42f6bc9077048c369d01adcc8a9b9754dff5b3affa7faa94b105

SHA512
506736630f0bfe6ca73a080f21a3aa1ab5f5f48b885721f3bbadc78137c289681067e95302af593a6879929a6cb707e83e8d70b943e62e5c00cf534ad33e61cb

Download Submit
C:\Windows\{63179942-A5C9-4b94-ACD9-5EBD2B920198}.exe

Filesize
380KB

MD5
7f6ec072f4fde56942a4330d868db04b

SHA1
937189bb0e98e2f62e7f0c2edb782818435068d9

SHA256
7b65bc6de63a42f6bc9077048c369d01adcc8a9b9754dff5b3affa7faa94b105

SHA512
506736630f0bfe6ca73a080f21a3aa1ab5f5f48b885721f3bbadc78137c289681067e95302af593a6879929a6cb707e83e8d70b943e62e5c00cf534ad33e61cb

Download Submit
C:\Windows\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe

Filesize
380KB

MD5
fad43e9a824ab43825bc9ffbf36cb4e7

SHA1
8542a81b305b9b679452964133aa875aa9307812

SHA256
a548805a7051dec19e65d9ecda8e50582fc722d990fda740a66d676c8e198a24

SHA512
bae77000e0b16c826ae56b2a97270fa6850afee6dd4ffd6f3219dd138c19bffe30b7de1c54349915f466f4f07616f88501b7ca665975f31e04100f54173c5e59

Download Submit
C:\Windows\{6AE77406-683C-4fdb-8844-4B757941CF1E}.exe

Filesize
380KB

MD5
fad43e9a824ab43825bc9ffbf36cb4e7

SHA1
8542a81b305b9b679452964133aa875aa9307812

SHA256
a548805a7051dec19e65d9ecda8e50582fc722d990fda740a66d676c8e198a24

SHA512
bae77000e0b16c826ae56b2a97270fa6850afee6dd4ffd6f3219dd138c19bffe30b7de1c54349915f466f4f07616f88501b7ca665975f31e04100f54173c5e59

Download Submit
C:\Windows\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe

Filesize
380KB

MD5
032b9ab4291f41a5826d975eed291161

SHA1
11759a53a961113c38b38f84f9f46cd6e661b706

SHA256
b4cc9ef8fed03b8c392bd01acc32857a7f4ce71bf8be617fd11de7d676066d8a

SHA512
3cccb2812d79f233d5b0e06b218721de20b842bf13f4a71267d8fd36d1d2d74b94c1d172bc4c0df6bf3799ec70a0ec3dfdbf634a6878d4d2fd12595eb1db1539

Download Submit
C:\Windows\{6D3E8D23-F06A-449d-A6E9-4D52601C2771}.exe

Filesize
380KB

MD5
032b9ab4291f41a5826d975eed291161

SHA1
11759a53a961113c38b38f84f9f46cd6e661b706

SHA256
b4cc9ef8fed03b8c392bd01acc32857a7f4ce71bf8be617fd11de7d676066d8a

SHA512
3cccb2812d79f233d5b0e06b218721de20b842bf13f4a71267d8fd36d1d2d74b94c1d172bc4c0df6bf3799ec70a0ec3dfdbf634a6878d4d2fd12595eb1db1539

Download Submit
C:\Windows\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe

Filesize
380KB

MD5
00c69d7d30b7c06f47639d916fd4f7ec

SHA1
a7809f27cd94ba4a0ffa8c953c5aa274ed25f4ad

SHA256
e6ca21d1e75b3a69c65d57b748790691f2d3c2b260a78b856e4d91e8f072f51a

SHA512
3f2b8021f8482e02055f6a0a94709bb11b4916df9d28027fd4ffe6a48948c270624b48e6d738f90e6e612400e511189ad7bac9b4e32743827f713a7a75c21bff

Download Submit
C:\Windows\{83592EA5-0664-447a-A2F0-82DB79C6438D}.exe

Filesize
380KB

MD5
00c69d7d30b7c06f47639d916fd4f7ec

SHA1
a7809f27cd94ba4a0ffa8c953c5aa274ed25f4ad

SHA256
e6ca21d1e75b3a69c65d57b748790691f2d3c2b260a78b856e4d91e8f072f51a

SHA512
3f2b8021f8482e02055f6a0a94709bb11b4916df9d28027fd4ffe6a48948c270624b48e6d738f90e6e612400e511189ad7bac9b4e32743827f713a7a75c21bff

Download Submit
C:\Windows\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe

Filesize
380KB

MD5
9437594e5c483d94fb51208979eb55db

SHA1
4ba0795107882df91770ac984c8b7186a66b1ed9

SHA256
959e1bb230f736d4b9a3620f2da70ab1ab199ec90103e02da4d4a8b41e71a91d

SHA512
33436a6a6f5142bfd38df469ca38b48eb6e838f505905fa1c04ffc1a6e9b2ac4fdb332fe188abfcb669ac8771ebd78a2bdc00d003d71aeeba1d4cecbe536a109

Download Submit
C:\Windows\{85DA501E-D8BB-4f12-B6BC-D5CE379FE42C}.exe

Filesize
380KB

MD5
9437594e5c483d94fb51208979eb55db

SHA1
4ba0795107882df91770ac984c8b7186a66b1ed9

SHA256
959e1bb230f736d4b9a3620f2da70ab1ab199ec90103e02da4d4a8b41e71a91d

SHA512
33436a6a6f5142bfd38df469ca38b48eb6e838f505905fa1c04ffc1a6e9b2ac4fdb332fe188abfcb669ac8771ebd78a2bdc00d003d71aeeba1d4cecbe536a109

Download Submit
C:\Windows\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe

Filesize
380KB

MD5
678b2c61eb6cf401c895c4f2e1bdb16a

SHA1
0f72e076de07c0cefa07d98997a9bdc4be1536da

SHA256
f647485c9db83b2143fe2d46c6d1d61d6bc82e152b7cf14d7eb54b3e9acb786b

SHA512
da4f72bae0ca62ae384f3310db1f49426020d5be4ca62c674addd3b9eb76af83833e19d77f3310fce836511d6d79f8d71f49aaaef423af839664bde88b6f06fe

Download Submit
C:\Windows\{8ADA90B3-2185-498c-8E95-8C61140530FC}.exe

Filesize
380KB

MD5
678b2c61eb6cf401c895c4f2e1bdb16a

SHA1
0f72e076de07c0cefa07d98997a9bdc4be1536da

SHA256
f647485c9db83b2143fe2d46c6d1d61d6bc82e152b7cf14d7eb54b3e9acb786b

SHA512
da4f72bae0ca62ae384f3310db1f49426020d5be4ca62c674addd3b9eb76af83833e19d77f3310fce836511d6d79f8d71f49aaaef423af839664bde88b6f06fe

Download Submit
C:\Windows\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe

Filesize
380KB

MD5
098144441c09bd5a05ea5cff4c28fe37

SHA1
e3d7478f056b048463238c15a209045fe20bc13f

SHA256
73e7138606fdec2ac3965e1d600999a74df0231cd84c5f457bd5c269422bf63a

SHA512
76ed9f82e4304944cc1ea82fee9f375dfee5b3fc6f041ac9007ceb3c4b640fc46fe9b35c7f813cd550684630d0d9c3330c951f4ef8bce7ef7f07d5b0443b0760

Download Submit
C:\Windows\{8B584C03-9CF2-40ce-BDD1-26FBFBFFDE0A}.exe

Filesize
380KB

MD5
098144441c09bd5a05ea5cff4c28fe37

SHA1
e3d7478f056b048463238c15a209045fe20bc13f

SHA256
73e7138606fdec2ac3965e1d600999a74df0231cd84c5f457bd5c269422bf63a

SHA512
76ed9f82e4304944cc1ea82fee9f375dfee5b3fc6f041ac9007ceb3c4b640fc46fe9b35c7f813cd550684630d0d9c3330c951f4ef8bce7ef7f07d5b0443b0760

Download Submit
C:\Windows\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe

Filesize
380KB

MD5
4f1c1328322b9e5dd48304d9c64a1ae2

SHA1
bc6b06bb629dc50678bdeeced2ba11722e5589ad

SHA256
0fc3d9a0d0a7cdc857900d2f36f9068f36150fbd969c4bce94ffa856bd721874

SHA512
bff781012b112b71e11a76cc881a7e335a0b0739208c176926931b5f768fcbe96faeee2e74c03d3fd2e423db74c970e97aa9ff0d6097c0555a468af90e104269

Download Submit
C:\Windows\{E0CAB6D2-E35F-4de3-BC41-C353E20A07D0}.exe

Filesize
380KB

MD5
4f1c1328322b9e5dd48304d9c64a1ae2

SHA1
bc6b06bb629dc50678bdeeced2ba11722e5589ad

SHA256
0fc3d9a0d0a7cdc857900d2f36f9068f36150fbd969c4bce94ffa856bd721874

SHA512
bff781012b112b71e11a76cc881a7e335a0b0739208c176926931b5f768fcbe96faeee2e74c03d3fd2e423db74c970e97aa9ff0d6097c0555a468af90e104269

Download Submit
C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe

Filesize
380KB

MD5
245f6b9da5044a05b4e3ab465260d765

SHA1
2488100c6bbe01bc9101f1c23c316e7c33f598ed

SHA256
7c6a0d9b205edc49eb8872e69629674830b114770b15c5402e4755b34507f148

SHA512
2b07543228d41166134045559636fc422014075a167553a5faf6d7ab6b0623831469f1a246ede1d55a61625d3a7259ef6e4cc23522094c36ee9721a9fef7b8d4

Download Submit
C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe

Filesize
380KB

MD5
245f6b9da5044a05b4e3ab465260d765

SHA1
2488100c6bbe01bc9101f1c23c316e7c33f598ed

SHA256
7c6a0d9b205edc49eb8872e69629674830b114770b15c5402e4755b34507f148

SHA512
2b07543228d41166134045559636fc422014075a167553a5faf6d7ab6b0623831469f1a246ede1d55a61625d3a7259ef6e4cc23522094c36ee9721a9fef7b8d4

Download Submit
C:\Windows\{FA84F9AC-B47E-48f2-ABD0-FD44BDD9CCDA}.exe

Filesize
380KB

MD5
245f6b9da5044a05b4e3ab465260d765

SHA1
2488100c6bbe01bc9101f1c23c316e7c33f598ed

SHA256
7c6a0d9b205edc49eb8872e69629674830b114770b15c5402e4755b34507f148

SHA512
2b07543228d41166134045559636fc422014075a167553a5faf6d7ab6b0623831469f1a246ede1d55a61625d3a7259ef6e4cc23522094c36ee9721a9fef7b8d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads