24df8c79ad2d7677ea36619f03c932561baa0d0b03510e903100ef6284bea433

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Size

380KB
MD5

bb3c9af958810ad697b39a6f2b7f4756
SHA1

c0053bcce07850a3dd881ac9a84cfa9856e67258
SHA256

24df8c79ad2d7677ea36619f03c932561baa0d0b03510e903100ef6284bea433
SHA512

61af8f961830a36ec5477c0b80986273d4a92e8c71ae1ba138cd05ff075211002f555b78429f53ccf0d20076e089d3535e8d9986f8b99822e345ed1823c7b908
SSDEEP

3072:mEGh0o6lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG0l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{812B3B45-2D50-451e-9E8F-68B23A876800}	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376E0A67-318B-457c-9C8F-9680704F9A6E}\stubpath = "C:\\Windows\\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe"	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}\stubpath = "C:\\Windows\\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe"	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}\stubpath = "C:\\Windows\\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe"	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61439AC7-33C1-4000-A3D3-93AE53C07814}	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61439AC7-33C1-4000-A3D3-93AE53C07814}\stubpath = "C:\\Windows\\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe"	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98CE0AFC-ED5C-411b-9998-F428563A5988}\stubpath = "C:\\Windows\\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe"	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376E0A67-318B-457c-9C8F-9680704F9A6E}	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}\stubpath = "C:\\Windows\\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe"	{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}\stubpath = "C:\\Windows\\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe"	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{812B3B45-2D50-451e-9E8F-68B23A876800}\stubpath = "C:\\Windows\\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe"	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}\stubpath = "C:\\Windows\\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe"	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98CE0AFC-ED5C-411b-9998-F428563A5988}	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}	{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}\stubpath = "C:\\Windows\\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe"	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}\stubpath = "C:\\Windows\\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe"	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}\stubpath = "C:\\Windows\\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe"	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
1712	{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe
1596	{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
File created	C:\Windows\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
File created	C:\Windows\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
File created	C:\Windows\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
File created	C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
File created	C:\Windows\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
File created	C:\Windows\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
File created	C:\Windows\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
File created	C:\Windows\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
File created	C:\Windows\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
File created	C:\Windows\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
File created	C:\Windows\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe	{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
Token: SeIncBasePriorityPrivilege	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
Token: SeIncBasePriorityPrivilege	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
Token: SeIncBasePriorityPrivilege	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
Token: SeIncBasePriorityPrivilege	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
Token: SeIncBasePriorityPrivilege	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
Token: SeIncBasePriorityPrivilege	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
Token: SeIncBasePriorityPrivilege	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
Token: SeIncBasePriorityPrivilege	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
Token: SeIncBasePriorityPrivilege	2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
Token: SeIncBasePriorityPrivilege	1712	{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4644	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	89
PID 1008 wrote to memory of 4644	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	89
PID 1008 wrote to memory of 4644	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	89
PID 1008 wrote to memory of 2796	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	90
PID 1008 wrote to memory of 2796	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	90
PID 1008 wrote to memory of 2796	1008	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	90
PID 4644 wrote to memory of 3868	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	91
PID 4644 wrote to memory of 3868	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	91
PID 4644 wrote to memory of 3868	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	91
PID 4644 wrote to memory of 3440	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	92
PID 4644 wrote to memory of 3440	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	92
PID 4644 wrote to memory of 3440	4644	{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe	92
PID 3868 wrote to memory of 1600	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	94
PID 3868 wrote to memory of 1600	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	94
PID 3868 wrote to memory of 1600	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	94
PID 3868 wrote to memory of 3668	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	95
PID 3868 wrote to memory of 3668	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	95
PID 3868 wrote to memory of 3668	3868	{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe	95
PID 1600 wrote to memory of 4720	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	96
PID 1600 wrote to memory of 4720	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	96
PID 1600 wrote to memory of 4720	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	96
PID 1600 wrote to memory of 1648	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	97
PID 1600 wrote to memory of 1648	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	97
PID 1600 wrote to memory of 1648	1600	{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe	97
PID 4720 wrote to memory of 3660	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	98
PID 4720 wrote to memory of 3660	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	98
PID 4720 wrote to memory of 3660	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	98
PID 4720 wrote to memory of 2268	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	99
PID 4720 wrote to memory of 2268	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	99
PID 4720 wrote to memory of 2268	4720	{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe	99
PID 3660 wrote to memory of 2200	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	100
PID 3660 wrote to memory of 2200	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	100
PID 3660 wrote to memory of 2200	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	100
PID 3660 wrote to memory of 1864	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	101
PID 3660 wrote to memory of 1864	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	101
PID 3660 wrote to memory of 1864	3660	{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe	101
PID 2200 wrote to memory of 2552	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	102
PID 2200 wrote to memory of 2552	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	102
PID 2200 wrote to memory of 2552	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	102
PID 2200 wrote to memory of 3476	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	103
PID 2200 wrote to memory of 3476	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	103
PID 2200 wrote to memory of 3476	2200	{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe	103
PID 2552 wrote to memory of 3480	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	104
PID 2552 wrote to memory of 3480	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	104
PID 2552 wrote to memory of 3480	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	104
PID 2552 wrote to memory of 4268	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	105
PID 2552 wrote to memory of 4268	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	105
PID 2552 wrote to memory of 4268	2552	{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe	105
PID 3480 wrote to memory of 3500	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	106
PID 3480 wrote to memory of 3500	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	106
PID 3480 wrote to memory of 3500	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	106
PID 3480 wrote to memory of 4132	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	107
PID 3480 wrote to memory of 4132	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	107
PID 3480 wrote to memory of 4132	3480	{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe	107
PID 3500 wrote to memory of 2960	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	108
PID 3500 wrote to memory of 2960	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	108
PID 3500 wrote to memory of 2960	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	108
PID 3500 wrote to memory of 2832	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	109
PID 3500 wrote to memory of 2832	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	109
PID 3500 wrote to memory of 2832	3500	{812B3B45-2D50-451e-9E8F-68B23A876800}.exe	109
PID 2960 wrote to memory of 1712	2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe	110
PID 2960 wrote to memory of 1712	2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe	110
PID 2960 wrote to memory of 1712	2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe	110
PID 2960 wrote to memory of 3800	2960	{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe	111

C:\Users\Admin\AppData\Local\Temp\bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
  C:\Windows\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
    C:\Windows\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
      C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
        
        C:\Windows\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
        
        C:\Windows\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
        
        C:\Windows\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
        
        C:\Windows\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
        
        C:\Windows\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
        
        C:\Windows\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
        
        C:\Windows\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe
        
        C:\Windows\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe
        
        C:\Windows\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe
        13⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98CE0~1.EXE > nul
        13⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37AFF~1.EXE > nul
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{812B3~1.EXE > nul
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61439~1.EXE > nul
        10⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7710B~1.EXE > nul
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F9F~1.EXE > nul
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ADB1~1.EXE > nul
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E68CC~1.EXE > nul
        6⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B575~1.EXE > nul
        5⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2AA4~1.EXE > nul
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{376E0~1.EXE > nul
    3⤵
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BB3C9A~1.EXE > nul
  2⤵
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe

Filesize
380KB

MD5
40731dc7ddcd324d28aff581e4915a08

SHA1
9d1e90f1323f409b62abc90dc1ba947bf116d06f

SHA256
c009c26be3e71d8ebbe4b599832bb0b65b1e57db3f2df659b7663d0b99b5989f

SHA512
311681cf236daa2e4c90f83bbea2da8c98e9dd21abff3bddbad2f35bfdf117964772e9a7b0cfdfee9318e0fb70d145fc3bd17e942fa751e2f52828fb35a912d9

Download Submit
C:\Windows\{376E0A67-318B-457c-9C8F-9680704F9A6E}.exe

Filesize
380KB

MD5
40731dc7ddcd324d28aff581e4915a08

SHA1
9d1e90f1323f409b62abc90dc1ba947bf116d06f

SHA256
c009c26be3e71d8ebbe4b599832bb0b65b1e57db3f2df659b7663d0b99b5989f

SHA512
311681cf236daa2e4c90f83bbea2da8c98e9dd21abff3bddbad2f35bfdf117964772e9a7b0cfdfee9318e0fb70d145fc3bd17e942fa751e2f52828fb35a912d9

Download Submit
C:\Windows\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe

Filesize
380KB

MD5
7329ebd9b352c51fe1abdd0dc7183042

SHA1
03e0a3291bfa8519e00e2d791cbee932a839c1d1

SHA256
7466caede065067d46c8bdd8ddb93231ff548b69c9f35eb8583ee837b83c86e5

SHA512
ff799087138709b0aac75d71dfe65868bb6783a8933abee00072dde0cadc1d7ca8dc462e1555fc05e75370881935539b686f988d1a3fe287b0d8a49863e97529

Download Submit
C:\Windows\{37AFFBAA-AE73-408c-AAFE-EE7419DAB509}.exe

Filesize
380KB

MD5
7329ebd9b352c51fe1abdd0dc7183042

SHA1
03e0a3291bfa8519e00e2d791cbee932a839c1d1

SHA256
7466caede065067d46c8bdd8ddb93231ff548b69c9f35eb8583ee837b83c86e5

SHA512
ff799087138709b0aac75d71dfe65868bb6783a8933abee00072dde0cadc1d7ca8dc462e1555fc05e75370881935539b686f988d1a3fe287b0d8a49863e97529

Download Submit
C:\Windows\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe

Filesize
380KB

MD5
f72682311dd2e2fb23d209f01fc39d9e

SHA1
06b7a26688cdf426b42f7637981eb9f2fdd96a94

SHA256
35d4882c2086f1512a0797781d1c147ea6cd6e272e5d57b23ffa8f4e6d802940

SHA512
06a9ab678f30af6ca80d6152e98659ef9d0835932a67b381fb7ca4fb75b99ce390b490b4047f249f1e97c43589b2678aa0b5889b3398571ec12070e168c350c2

Download Submit
C:\Windows\{43F9F171-F3DC-4af9-968C-649F8DBB8CC2}.exe

Filesize
380KB

MD5
f72682311dd2e2fb23d209f01fc39d9e

SHA1
06b7a26688cdf426b42f7637981eb9f2fdd96a94

SHA256
35d4882c2086f1512a0797781d1c147ea6cd6e272e5d57b23ffa8f4e6d802940

SHA512
06a9ab678f30af6ca80d6152e98659ef9d0835932a67b381fb7ca4fb75b99ce390b490b4047f249f1e97c43589b2678aa0b5889b3398571ec12070e168c350c2

Download Submit
C:\Windows\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe

Filesize
380KB

MD5
b6669df46b19104c7766466bb8316490

SHA1
044e24acf1d641c27ed1d5f4cb32e76464ae6632

SHA256
56683654236cfa7d104893442c3818b759f6916c256439b427a9965aebc0c17f

SHA512
3e5893c343a493721ef86f386ec02e4fab010d18d902462053031affc20c1727dc61d6d99296c40f04186e47f5ed8245f63ff2fc025913c4cfaab9cf576b1860

Download Submit
C:\Windows\{61439AC7-33C1-4000-A3D3-93AE53C07814}.exe

Filesize
380KB

MD5
b6669df46b19104c7766466bb8316490

SHA1
044e24acf1d641c27ed1d5f4cb32e76464ae6632

SHA256
56683654236cfa7d104893442c3818b759f6916c256439b427a9965aebc0c17f

SHA512
3e5893c343a493721ef86f386ec02e4fab010d18d902462053031affc20c1727dc61d6d99296c40f04186e47f5ed8245f63ff2fc025913c4cfaab9cf576b1860

Download Submit
C:\Windows\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe

Filesize
380KB

MD5
6955a6d6abdb83176588ac9d8402e1b3

SHA1
0c237ff02d7c6ee7e44009f19981317dba73fb51

SHA256
e9fc61b090dc6fef58414b24a6c86b5b25e7a2e9574f89d740381381983c857c

SHA512
be689de4ebdf13ebd16698a7d5a0bb7a6b73f03de7e43c8d7ce037785cb15d8ff0af7d181c2862b98987cac88ca6870426c43539cd14f3e3acaf9bbe47108d19

Download Submit
C:\Windows\{7710B0E6-9BC4-420a-9425-C0986FD3DB5C}.exe

Filesize
380KB

MD5
6955a6d6abdb83176588ac9d8402e1b3

SHA1
0c237ff02d7c6ee7e44009f19981317dba73fb51

SHA256
e9fc61b090dc6fef58414b24a6c86b5b25e7a2e9574f89d740381381983c857c

SHA512
be689de4ebdf13ebd16698a7d5a0bb7a6b73f03de7e43c8d7ce037785cb15d8ff0af7d181c2862b98987cac88ca6870426c43539cd14f3e3acaf9bbe47108d19

Download Submit
C:\Windows\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe

Filesize
380KB

MD5
38360b99d114d073aa51a4968ff8c95d

SHA1
3c6b45c7c266862dbb36d65b5ed5d77948e398d5

SHA256
6a23268749686769feb0942067c5234e5cd3b3e90e9b2f6642c2566306e74527

SHA512
3d81ac8a23e64c82d23b9ba0b39f35bfb66cb3190c48fc45ce415c70f1b5a97936f32651f34a519f7bafe56e5df7a69bff38e57c89b91f07259a607edf0b759f

Download Submit
C:\Windows\{7961F917-028B-4bd8-9839-0C2EFF3DF41B}.exe

Filesize
380KB

MD5
38360b99d114d073aa51a4968ff8c95d

SHA1
3c6b45c7c266862dbb36d65b5ed5d77948e398d5

SHA256
6a23268749686769feb0942067c5234e5cd3b3e90e9b2f6642c2566306e74527

SHA512
3d81ac8a23e64c82d23b9ba0b39f35bfb66cb3190c48fc45ce415c70f1b5a97936f32651f34a519f7bafe56e5df7a69bff38e57c89b91f07259a607edf0b759f

Download Submit
C:\Windows\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe

Filesize
380KB

MD5
9b5c11a747bd0a8589bc8d4f8ec11469

SHA1
64a536c80127467bfc00b0a49d00d302f2292766

SHA256
edbe31d2b201fa9ce610d0ef409321577e96d9e1d1f5129855a687144dcd7b26

SHA512
7cf455ea3b10a4a5a829fad560db94aa06c4158d0e2b9da9e7eeaf3991e775123f3f92c9f35ea3faba0c9b4220d3adb6bc77d18f72f7553c663f47c3726b7974

Download Submit
C:\Windows\{812B3B45-2D50-451e-9E8F-68B23A876800}.exe

Filesize
380KB

MD5
9b5c11a747bd0a8589bc8d4f8ec11469

SHA1
64a536c80127467bfc00b0a49d00d302f2292766

SHA256
edbe31d2b201fa9ce610d0ef409321577e96d9e1d1f5129855a687144dcd7b26

SHA512
7cf455ea3b10a4a5a829fad560db94aa06c4158d0e2b9da9e7eeaf3991e775123f3f92c9f35ea3faba0c9b4220d3adb6bc77d18f72f7553c663f47c3726b7974

Download Submit
C:\Windows\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe

Filesize
380KB

MD5
5d024ab4e49d586133596f1141146e03

SHA1
8f103aa82c96c6c77784f0f5f4e4ec2c8db6137b

SHA256
3968e4af1dad0845cc62919f2ac67c5c9de5d06598aa339567e5e43e459bc478

SHA512
b3115da28e2ac313db4f555c2e0adffcd9c9dad5831011d4e9193c505bff46e8b6da868e93ceced89bff0d435569d87b88b0011d57a47bfafa6b3f56187bffc0

Download Submit
C:\Windows\{8ADB17D5-AF98-4316-AB84-C9467E9BDBF2}.exe

Filesize
380KB

MD5
5d024ab4e49d586133596f1141146e03

SHA1
8f103aa82c96c6c77784f0f5f4e4ec2c8db6137b

SHA256
3968e4af1dad0845cc62919f2ac67c5c9de5d06598aa339567e5e43e459bc478

SHA512
b3115da28e2ac313db4f555c2e0adffcd9c9dad5831011d4e9193c505bff46e8b6da868e93ceced89bff0d435569d87b88b0011d57a47bfafa6b3f56187bffc0

Download Submit
C:\Windows\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe

Filesize
380KB

MD5
09d52d7578796a335a7ccdee1cdc1fef

SHA1
515045b439d5dba2a55cf32eb5fbd0a758921ddd

SHA256
717c2a55ed94cfabc72c297dcfa7f28dde5086c0336af6f8c54427bdbf5381a0

SHA512
d638e2eecfe5654c56b159705d0dc5b31d43130dfb34f508bd0769febf536ecbb181955040558e9f94af0a3b0b79e638b628c99ad505b73c5d5d94ef031c5692

Download Submit
C:\Windows\{98CE0AFC-ED5C-411b-9998-F428563A5988}.exe

Filesize
380KB

MD5
09d52d7578796a335a7ccdee1cdc1fef

SHA1
515045b439d5dba2a55cf32eb5fbd0a758921ddd

SHA256
717c2a55ed94cfabc72c297dcfa7f28dde5086c0336af6f8c54427bdbf5381a0

SHA512
d638e2eecfe5654c56b159705d0dc5b31d43130dfb34f508bd0769febf536ecbb181955040558e9f94af0a3b0b79e638b628c99ad505b73c5d5d94ef031c5692

Download Submit
C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe

Filesize
380KB

MD5
dfc734ad9777dd36c349522f8dd06e9b

SHA1
c517a48c68fbc7f6ceb0575c624534adb5a91bfd

SHA256
d0a737e9b65cbb6e5f964d106fd964ef150681d8016ed1bb6b8970d0318da6d8

SHA512
fc7f3407aa5eb23ea0be09f1a8b6423f56a0c743160070b765034e6c72f276164193b6667bd308d5bebafceb0bb50a06c9c7f2bb6f907f4ba897d32d455a8863

Download Submit
C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe

Filesize
380KB

MD5
dfc734ad9777dd36c349522f8dd06e9b

SHA1
c517a48c68fbc7f6ceb0575c624534adb5a91bfd

SHA256
d0a737e9b65cbb6e5f964d106fd964ef150681d8016ed1bb6b8970d0318da6d8

SHA512
fc7f3407aa5eb23ea0be09f1a8b6423f56a0c743160070b765034e6c72f276164193b6667bd308d5bebafceb0bb50a06c9c7f2bb6f907f4ba897d32d455a8863

Download Submit
C:\Windows\{9B575D94-586C-4c4b-BAC6-EFC988423AC7}.exe

Filesize
380KB

MD5
dfc734ad9777dd36c349522f8dd06e9b

SHA1
c517a48c68fbc7f6ceb0575c624534adb5a91bfd

SHA256
d0a737e9b65cbb6e5f964d106fd964ef150681d8016ed1bb6b8970d0318da6d8

SHA512
fc7f3407aa5eb23ea0be09f1a8b6423f56a0c743160070b765034e6c72f276164193b6667bd308d5bebafceb0bb50a06c9c7f2bb6f907f4ba897d32d455a8863

Download Submit
C:\Windows\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe

Filesize
380KB

MD5
f9d20c10f93275bef036e6c3300d3a6a

SHA1
3fcc1895746f82f7dfb9efce0bad28bc7e1a3e2f

SHA256
0d15dbba60267ca8ab535ab7c7f6996739a368546e7763854ab225ca9abee198

SHA512
9d0e29f8c0f362c1597230574c47fcb591899c3b4d0c3780fb443fd7b0572e343ec4ebacd7d00412efb50f243c91d04ab17484696ca0491176fca308e849df3f

Download Submit
C:\Windows\{C2AA4F39-7C0C-43c8-B8BD-00070EC96196}.exe

Filesize
380KB

MD5
f9d20c10f93275bef036e6c3300d3a6a

SHA1
3fcc1895746f82f7dfb9efce0bad28bc7e1a3e2f

SHA256
0d15dbba60267ca8ab535ab7c7f6996739a368546e7763854ab225ca9abee198

SHA512
9d0e29f8c0f362c1597230574c47fcb591899c3b4d0c3780fb443fd7b0572e343ec4ebacd7d00412efb50f243c91d04ab17484696ca0491176fca308e849df3f

Download Submit
C:\Windows\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe

Filesize
380KB

MD5
d36c1cc22473774d067e7bcc42e9f809

SHA1
3727f5b1e96b56935cb8581842e1472c435f37e5

SHA256
36b3349c2713976e6ab7224854a72d6e654051714a6fa940b65dbb470897ea8b

SHA512
683c5060e4e6d9cf3f273a7a22be62b1897a0869b72773a426be2fe5c190b9ee2bf225d40b6b4d02dedc9f27e40f66684bfc115d044ef3b40a118ce55de28e88

Download Submit
C:\Windows\{E68CC5C9-7FA4-4ba2-BB13-8EAC1BC0F43B}.exe

Filesize
380KB

MD5
d36c1cc22473774d067e7bcc42e9f809

SHA1
3727f5b1e96b56935cb8581842e1472c435f37e5

SHA256
36b3349c2713976e6ab7224854a72d6e654051714a6fa940b65dbb470897ea8b

SHA512
683c5060e4e6d9cf3f273a7a22be62b1897a0869b72773a426be2fe5c190b9ee2bf225d40b6b4d02dedc9f27e40f66684bfc115d044ef3b40a118ce55de28e88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads