46074938a34b50606798a0a2d013d7dfb8b320c8941daf1bd7da20a9a5be806d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
Size

168KB
MD5

a489688a1858d8ad980fb434b2c613af
SHA1

0b8b27ade1621c56d55e474a6538635d9ae51ff6
SHA256

46074938a34b50606798a0a2d013d7dfb8b320c8941daf1bd7da20a9a5be806d
SHA512

cb0edc60aba3f67b9273873b583a2b4cee3cb186171d325db6e2d0f641b735bf1b35d81d3b44e013bf0bc4a63810814b6a8326d4f4b1cf7a1fecbb18b7af2441
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69290832-5AF8-4333-A07C-EF9F5911FDBD}\stubpath = "C:\\Windows\\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe"	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}\stubpath = "C:\\Windows\\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe"	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}\stubpath = "C:\\Windows\\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe"	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}\stubpath = "C:\\Windows\\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe"	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}	{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0930667-7AB4-421a-9260-52C45502F6D8}	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B056D625-6B08-48d2-A1C6-24A04C4900E7}\stubpath = "C:\\Windows\\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe"	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}\stubpath = "C:\\Windows\\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe"	{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}\stubpath = "C:\\Windows\\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe"	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96CDC951-93F6-4b07-B7CD-10D826006852}\stubpath = "C:\\Windows\\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe"	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0930667-7AB4-421a-9260-52C45502F6D8}\stubpath = "C:\\Windows\\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe"	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B056D625-6B08-48d2-A1C6-24A04C4900E7}	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}\stubpath = "C:\\Windows\\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe"	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69290832-5AF8-4333-A07C-EF9F5911FDBD}	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}\stubpath = "C:\\Windows\\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe"	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96CDC951-93F6-4b07-B7CD-10D826006852}	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}\stubpath = "C:\\Windows\\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe"	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe

Executes dropped EXE 12 IoCs

pid	Process
4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
1836	{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
4596	{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
File created	C:\Windows\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
File created	C:\Windows\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
File created	C:\Windows\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
File created	C:\Windows\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
File created	C:\Windows\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
File created	C:\Windows\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe	{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
File created	C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
File created	C:\Windows\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
File created	C:\Windows\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
File created	C:\Windows\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
File created	C:\Windows\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
Token: SeIncBasePriorityPrivilege	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
Token: SeIncBasePriorityPrivilege	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
Token: SeIncBasePriorityPrivilege	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
Token: SeIncBasePriorityPrivilege	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
Token: SeIncBasePriorityPrivilege	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
Token: SeIncBasePriorityPrivilege	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
Token: SeIncBasePriorityPrivilege	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
Token: SeIncBasePriorityPrivilege	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
Token: SeIncBasePriorityPrivilege	4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
Token: SeIncBasePriorityPrivilege	1836	{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 4156	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	88
PID 3288 wrote to memory of 4156	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	88
PID 3288 wrote to memory of 4156	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	88
PID 3288 wrote to memory of 4812	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	89
PID 3288 wrote to memory of 4812	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	89
PID 3288 wrote to memory of 4812	3288	a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe	89
PID 4156 wrote to memory of 5028	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	92
PID 4156 wrote to memory of 5028	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	92
PID 4156 wrote to memory of 5028	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	92
PID 4156 wrote to memory of 564	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	93
PID 4156 wrote to memory of 564	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	93
PID 4156 wrote to memory of 564	4156	{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe	93
PID 5028 wrote to memory of 4660	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	95
PID 5028 wrote to memory of 4660	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	95
PID 5028 wrote to memory of 4660	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	95
PID 5028 wrote to memory of 3372	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	96
PID 5028 wrote to memory of 3372	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	96
PID 5028 wrote to memory of 3372	5028	{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe	96
PID 4660 wrote to memory of 832	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	97
PID 4660 wrote to memory of 832	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	97
PID 4660 wrote to memory of 832	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	97
PID 4660 wrote to memory of 2344	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	98
PID 4660 wrote to memory of 2344	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	98
PID 4660 wrote to memory of 2344	4660	{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe	98
PID 832 wrote to memory of 4376	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	100
PID 832 wrote to memory of 4376	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	100
PID 832 wrote to memory of 4376	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	100
PID 832 wrote to memory of 4232	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	99
PID 832 wrote to memory of 4232	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	99
PID 832 wrote to memory of 4232	832	{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe	99
PID 4376 wrote to memory of 4204	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	101
PID 4376 wrote to memory of 4204	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	101
PID 4376 wrote to memory of 4204	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	101
PID 4376 wrote to memory of 3196	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	102
PID 4376 wrote to memory of 3196	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	102
PID 4376 wrote to memory of 3196	4376	{96CDC951-93F6-4b07-B7CD-10D826006852}.exe	102
PID 4204 wrote to memory of 2748	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	103
PID 4204 wrote to memory of 2748	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	103
PID 4204 wrote to memory of 2748	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	103
PID 4204 wrote to memory of 2336	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	104
PID 4204 wrote to memory of 2336	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	104
PID 4204 wrote to memory of 2336	4204	{C0930667-7AB4-421a-9260-52C45502F6D8}.exe	104
PID 2748 wrote to memory of 652	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	105
PID 2748 wrote to memory of 652	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	105
PID 2748 wrote to memory of 652	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	105
PID 2748 wrote to memory of 3900	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	106
PID 2748 wrote to memory of 3900	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	106
PID 2748 wrote to memory of 3900	2748	{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe	106
PID 652 wrote to memory of 1676	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	107
PID 652 wrote to memory of 1676	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	107
PID 652 wrote to memory of 1676	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	107
PID 652 wrote to memory of 4680	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	108
PID 652 wrote to memory of 4680	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	108
PID 652 wrote to memory of 4680	652	{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe	108
PID 1676 wrote to memory of 4016	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	109
PID 1676 wrote to memory of 4016	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	109
PID 1676 wrote to memory of 4016	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	109
PID 1676 wrote to memory of 540	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	110
PID 1676 wrote to memory of 540	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	110
PID 1676 wrote to memory of 540	1676	{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe	110
PID 4016 wrote to memory of 1836	4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe	111
PID 4016 wrote to memory of 1836	4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe	111
PID 4016 wrote to memory of 1836	4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe	111
PID 4016 wrote to memory of 4172	4016	{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe	112

C:\Users\Admin\AppData\Local\Temp\a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a489688a1858d8ad980fb434b2c613af_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
  C:\Windows\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
    C:\Windows\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
      C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
        
        C:\Windows\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{128F4~1.EXE > nul
        6⤵
        
        PID:4232
      - C:\Windows\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
        
        C:\Windows\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
        
        C:\Windows\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
        
        C:\Windows\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
        
        C:\Windows\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
        
        C:\Windows\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
        
        C:\Windows\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
        
        C:\Windows\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe
        
        C:\Windows\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe
        13⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F431~1.EXE > nul
        13⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69290~1.EXE > nul
        12⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09905~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFC5F~1.EXE > nul
        10⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B056D~1.EXE > nul
        9⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0930~1.EXE > nul
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96CDC~1.EXE > nul
        7⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE487~1.EXE > nul
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7F86~1.EXE > nul
      4⤵
      PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF5A~1.EXE > nul
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A48968~1.EXE > nul
  2⤵
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe

Filesize
168KB

MD5
9be71e41164c5ca37538804167999dd0

SHA1
c16cc76e3cd45ae8cb9ba218bfe4e226d6bf2b46

SHA256
e6a857dd2e4e92585ce0d97e916f4b1cb57b4b584dbbd70d345909821e9d3654

SHA512
edf35a2d2c58519a4bd26ad1b95bf1a403c370e1f8b268d669d1093724a10ec6475ef99f6d259bcda11281fbb33ff92f829a146f0e0c481d32b50fac11ccc727

Download Submit
C:\Windows\{099053A1-62BD-4e09-A96B-EF0D6D3985AB}.exe

Filesize
168KB

MD5
9be71e41164c5ca37538804167999dd0

SHA1
c16cc76e3cd45ae8cb9ba218bfe4e226d6bf2b46

SHA256
e6a857dd2e4e92585ce0d97e916f4b1cb57b4b584dbbd70d345909821e9d3654

SHA512
edf35a2d2c58519a4bd26ad1b95bf1a403c370e1f8b268d669d1093724a10ec6475ef99f6d259bcda11281fbb33ff92f829a146f0e0c481d32b50fac11ccc727

Download Submit
C:\Windows\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe

Filesize
168KB

MD5
85b6ad9fea1b99146ff7c3ebbbe2b222

SHA1
bd5f7d692d008596b1abd14a45e37bb80c8dfcbb

SHA256
c3b8d1f375061d3821e17b32de384e0b4c0fd143d139088ce01568fe67b55558

SHA512
b710ab14cf3a8e762f5cc7e849ca76d7a90a5781762e1c18f9c76a8d6412709b269318577d4b7aba3718636ae031e088d69332d0781d18f2b711b751037f26bb

Download Submit
C:\Windows\{128F4E8F-7E31-4408-8E01-3D6A35ACF9E7}.exe

Filesize
168KB

MD5
85b6ad9fea1b99146ff7c3ebbbe2b222

SHA1
bd5f7d692d008596b1abd14a45e37bb80c8dfcbb

SHA256
c3b8d1f375061d3821e17b32de384e0b4c0fd143d139088ce01568fe67b55558

SHA512
b710ab14cf3a8e762f5cc7e849ca76d7a90a5781762e1c18f9c76a8d6412709b269318577d4b7aba3718636ae031e088d69332d0781d18f2b711b751037f26bb

Download Submit
C:\Windows\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe

Filesize
168KB

MD5
76c4626e74972f3331eca01930eac996

SHA1
052046fe7e3327ebb466b6096984e36ee620e8af

SHA256
8e30d107f2a07955c675fac3537001ada273d9edcdfb7653da8744fb875caaf2

SHA512
836e701e669d74197d34367997df0f3986820e9c524d15101650574b230e2e4b9f7a22dab7d29a0f6d8b3ce07a6fe10c056aaa1e282e2f576f90f10dd4b56efd

Download Submit
C:\Windows\{1F431DBC-0E92-40cc-B8B7-D7FB30749B36}.exe

Filesize
168KB

MD5
76c4626e74972f3331eca01930eac996

SHA1
052046fe7e3327ebb466b6096984e36ee620e8af

SHA256
8e30d107f2a07955c675fac3537001ada273d9edcdfb7653da8744fb875caaf2

SHA512
836e701e669d74197d34367997df0f3986820e9c524d15101650574b230e2e4b9f7a22dab7d29a0f6d8b3ce07a6fe10c056aaa1e282e2f576f90f10dd4b56efd

Download Submit
C:\Windows\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe

Filesize
168KB

MD5
b98d53e90d61f75a4429c81991fcf4d5

SHA1
61ff4fce78c11abbe9f67738ddc7935a6bd08812

SHA256
50a5e8791fece22dac6413c726aec95565f22da27f1e4c595415b40ac2142a9c

SHA512
b02bc41e6f96b05bec2c5e530901692bef91d459917f9bab3a58ba9c94b31a3ef47c6df629391f04dc3c0531a1a47bd653685d99e44d65fc87e41c7650d1eca1

Download Submit
C:\Windows\{59F722D5-D88E-4eb6-A2EE-8E7D76BC5A44}.exe

Filesize
168KB

MD5
b98d53e90d61f75a4429c81991fcf4d5

SHA1
61ff4fce78c11abbe9f67738ddc7935a6bd08812

SHA256
50a5e8791fece22dac6413c726aec95565f22da27f1e4c595415b40ac2142a9c

SHA512
b02bc41e6f96b05bec2c5e530901692bef91d459917f9bab3a58ba9c94b31a3ef47c6df629391f04dc3c0531a1a47bd653685d99e44d65fc87e41c7650d1eca1

Download Submit
C:\Windows\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe

Filesize
168KB

MD5
519991fafd3941072fd66e3b8e200028

SHA1
1b862425a63eaff1c65e9bc4f61477f3e543fe90

SHA256
ea2ca3c830bd8550c1b4d11203704e7132eb2e1e6e49ef950a407b735ded7fc8

SHA512
25a87208eb3fbd5c37da59fe32c901f9ceef20868d6277479990953c52a404f1af7ef88b95b2cda9aab465be9195d44e338f9c23dcc4edc47bae31518f153098

Download Submit
C:\Windows\{69290832-5AF8-4333-A07C-EF9F5911FDBD}.exe

Filesize
168KB

MD5
519991fafd3941072fd66e3b8e200028

SHA1
1b862425a63eaff1c65e9bc4f61477f3e543fe90

SHA256
ea2ca3c830bd8550c1b4d11203704e7132eb2e1e6e49ef950a407b735ded7fc8

SHA512
25a87208eb3fbd5c37da59fe32c901f9ceef20868d6277479990953c52a404f1af7ef88b95b2cda9aab465be9195d44e338f9c23dcc4edc47bae31518f153098

Download Submit
C:\Windows\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe

Filesize
168KB

MD5
a3a0dbdcc1a749cba41e0590d2a5ae91

SHA1
ea02c6807d9552a7dd7bf7e3513ab186cc6986d0

SHA256
69d3453d104e517e9893593376f3563557adc3141254fa1d42f213a65f69f7b9

SHA512
b9dac01a4b1e188d0cfc66f2ca9e3532f8032071c74a36c692c8aa95ea0e0c7202524e7c57dc8957f267203534fef7af100a9ce629eb224a8c69858f48acad46

Download Submit
C:\Windows\{96CDC951-93F6-4b07-B7CD-10D826006852}.exe

Filesize
168KB

MD5
a3a0dbdcc1a749cba41e0590d2a5ae91

SHA1
ea02c6807d9552a7dd7bf7e3513ab186cc6986d0

SHA256
69d3453d104e517e9893593376f3563557adc3141254fa1d42f213a65f69f7b9

SHA512
b9dac01a4b1e188d0cfc66f2ca9e3532f8032071c74a36c692c8aa95ea0e0c7202524e7c57dc8957f267203534fef7af100a9ce629eb224a8c69858f48acad46

Download Submit
C:\Windows\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe

Filesize
168KB

MD5
197b91ac75c0c8af3bc52b0211604a53

SHA1
64c657ed1ee0ba4b37ed3cce61c9eb59cb548dfa

SHA256
33f649311d85945bcb2bb7ec88e740db82ee05bc2dd89e6bf492878bfd1b3e4d

SHA512
3e0c737afce2925be7fe7930fe6ba376ea97d059664d1de7bd2e7448980ee16807e9f4c05ef5c386488d4f24b593a06ee017767d15ee493837cecf4ec1f421a6

Download Submit
C:\Windows\{B056D625-6B08-48d2-A1C6-24A04C4900E7}.exe

Filesize
168KB

MD5
197b91ac75c0c8af3bc52b0211604a53

SHA1
64c657ed1ee0ba4b37ed3cce61c9eb59cb548dfa

SHA256
33f649311d85945bcb2bb7ec88e740db82ee05bc2dd89e6bf492878bfd1b3e4d

SHA512
3e0c737afce2925be7fe7930fe6ba376ea97d059664d1de7bd2e7448980ee16807e9f4c05ef5c386488d4f24b593a06ee017767d15ee493837cecf4ec1f421a6

Download Submit
C:\Windows\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe

Filesize
168KB

MD5
c54d6886b66d92efc32b0e1d196d97c7

SHA1
0ebb38f29e16410f503b0999d4bf314052b6bf9e

SHA256
e1a1ba900547df64d15959dd50d66d048aacb81219d2a86f9e277c1e66066ce7

SHA512
0405a369976e18ca9bd8f078e7ea35f591d66f0202d9884956c94c26bfc139b482e2000a6c76a99ce712fe0f7f202c2bd70269f052b0c2873fe71e68635583ec

Download Submit
C:\Windows\{BEF5A116-6DE4-4e8a-B684-97DA3A23929B}.exe

Filesize
168KB

MD5
c54d6886b66d92efc32b0e1d196d97c7

SHA1
0ebb38f29e16410f503b0999d4bf314052b6bf9e

SHA256
e1a1ba900547df64d15959dd50d66d048aacb81219d2a86f9e277c1e66066ce7

SHA512
0405a369976e18ca9bd8f078e7ea35f591d66f0202d9884956c94c26bfc139b482e2000a6c76a99ce712fe0f7f202c2bd70269f052b0c2873fe71e68635583ec

Download Submit
C:\Windows\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe

Filesize
168KB

MD5
36eece7f5a2495210b55a8042dc88772

SHA1
d33d448a1574d6429771c99c27bb8747ef43126f

SHA256
1a031bfe0df37bd2e2b446042ab0cf35b50883a873e061a617ab76b549882586

SHA512
a76fe8722f0f83b0c42192467fb13c2f31afbcd81abb4cfc503c678f197d5c7e08769447a7a91c64f243632a74339bbd8fe2028ee8e2e9cfde067cc9ddcfe284

Download Submit
C:\Windows\{C0930667-7AB4-421a-9260-52C45502F6D8}.exe

Filesize
168KB

MD5
36eece7f5a2495210b55a8042dc88772

SHA1
d33d448a1574d6429771c99c27bb8747ef43126f

SHA256
1a031bfe0df37bd2e2b446042ab0cf35b50883a873e061a617ab76b549882586

SHA512
a76fe8722f0f83b0c42192467fb13c2f31afbcd81abb4cfc503c678f197d5c7e08769447a7a91c64f243632a74339bbd8fe2028ee8e2e9cfde067cc9ddcfe284

Download Submit
C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe

Filesize
168KB

MD5
5e3ee88ed2a1812c70ef34c33a2b63bb

SHA1
8550ab3405c80523d13c7330cef9c054ae23e25c

SHA256
6c8bba1dc7b32ba263367fd73ce3db80055678f7209d61a2448f988106f2f806

SHA512
6a33868bb1978a6a5939bb24e4c7003f552f6ca1ff634729a7688882b92620b63e492840b571eb9511e361dbc2060b71de7e6b9198fbdab70ce4c9fe2dc30008

Download Submit
C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe

Filesize
168KB

MD5
5e3ee88ed2a1812c70ef34c33a2b63bb

SHA1
8550ab3405c80523d13c7330cef9c054ae23e25c

SHA256
6c8bba1dc7b32ba263367fd73ce3db80055678f7209d61a2448f988106f2f806

SHA512
6a33868bb1978a6a5939bb24e4c7003f552f6ca1ff634729a7688882b92620b63e492840b571eb9511e361dbc2060b71de7e6b9198fbdab70ce4c9fe2dc30008

Download Submit
C:\Windows\{DE487181-CFED-45dd-B3BD-4A6AE3938AC7}.exe

Filesize
168KB

MD5
5e3ee88ed2a1812c70ef34c33a2b63bb

SHA1
8550ab3405c80523d13c7330cef9c054ae23e25c

SHA256
6c8bba1dc7b32ba263367fd73ce3db80055678f7209d61a2448f988106f2f806

SHA512
6a33868bb1978a6a5939bb24e4c7003f552f6ca1ff634729a7688882b92620b63e492840b571eb9511e361dbc2060b71de7e6b9198fbdab70ce4c9fe2dc30008

Download Submit
C:\Windows\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe

Filesize
168KB

MD5
610e876954ae9cdbcedf15a25095be4e

SHA1
c14a3abd2c5e7d6529de37944a67170ff25c6401

SHA256
f19c3777ce4770060d0e449981562a62c338b673d80951b86f002d1237fb882e

SHA512
ed6fd86119fdb5a762ec251db021fb6a840a58114230dec241f6a41e257d3130f938d6ca6136cbc63159cc39068e7d9020d37f11c67b68410c9239baacb13aad

Download Submit
C:\Windows\{DFC5F553-26F3-49a9-A8EC-96463B7C642B}.exe

Filesize
168KB

MD5
610e876954ae9cdbcedf15a25095be4e

SHA1
c14a3abd2c5e7d6529de37944a67170ff25c6401

SHA256
f19c3777ce4770060d0e449981562a62c338b673d80951b86f002d1237fb882e

SHA512
ed6fd86119fdb5a762ec251db021fb6a840a58114230dec241f6a41e257d3130f938d6ca6136cbc63159cc39068e7d9020d37f11c67b68410c9239baacb13aad

Download Submit
C:\Windows\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe

Filesize
168KB

MD5
0951381761982dae307a0e7d39502b4a

SHA1
7b3bc9b2a9c6846b1faca7c28b305282035e02a8

SHA256
c4f094126ca104aabf3eed4980b1761bd5d255c75f87920f5d48c4cf4fcaf3d8

SHA512
f99019b6904c04e963e21b4617baf3ec475400b538dff055741e3af1f729e774c9ace54a0dfd63d3aafd3b7bf67e4e015051863c15fdfa0c89e545723fe79bf7

Download Submit
C:\Windows\{E7F861E2-83BC-4395-A929-2B047EF7F9BB}.exe

Filesize
168KB

MD5
0951381761982dae307a0e7d39502b4a

SHA1
7b3bc9b2a9c6846b1faca7c28b305282035e02a8

SHA256
c4f094126ca104aabf3eed4980b1761bd5d255c75f87920f5d48c4cf4fcaf3d8

SHA512
f99019b6904c04e963e21b4617baf3ec475400b538dff055741e3af1f729e774c9ace54a0dfd63d3aafd3b7bf67e4e015051863c15fdfa0c89e545723fe79bf7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads