167eb26a906726c454e101e56f481e32cae989ca56cab6f04b273a2186c6e17f

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Size

168KB
MD5

c9e4c70978bbdf429344cc704c9ddb70
SHA1

67422b0ec88830b8fc90ff818528d458091f29b4
SHA256

167eb26a906726c454e101e56f481e32cae989ca56cab6f04b273a2186c6e17f
SHA512

df9cec14a7d7d8084e57735896297ee474febb3c41e10c1828aeb928785e352a110c737d1559662f564206455e1f1e0942d0e44adf093fc246f569123821da00
SSDEEP

1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D68519D5-9935-469b-93A8-D5E2271E8B92}\stubpath = "C:\\Windows\\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe"	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72010898-92C4-4991-B548-0AF7B630299D}\stubpath = "C:\\Windows\\{72010898-92C4-4991-B548-0AF7B630299D}.exe"	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E33ACDF-7C70-493c-B155-4014AA613FEC}	{72010898-92C4-4991-B548-0AF7B630299D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC82C261-EC87-46f5-8F43-77637ECE75A6}\stubpath = "C:\\Windows\\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe"	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}\stubpath = "C:\\Windows\\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe"	{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}\stubpath = "C:\\Windows\\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe"	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}\stubpath = "C:\\Windows\\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe"	{F3745403-D445-418f-9515-E39A13707AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF72171-32F7-4985-8017-62A75327376C}	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3745403-D445-418f-9515-E39A13707AF7}\stubpath = "C:\\Windows\\{F3745403-D445-418f-9515-E39A13707AF7}.exe"	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3745403-D445-418f-9515-E39A13707AF7}	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}	{F3745403-D445-418f-9515-E39A13707AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D68519D5-9935-469b-93A8-D5E2271E8B92}	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72010898-92C4-4991-B548-0AF7B630299D}	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E33ACDF-7C70-493c-B155-4014AA613FEC}\stubpath = "C:\\Windows\\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe"	{72010898-92C4-4991-B548-0AF7B630299D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}\stubpath = "C:\\Windows\\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe"	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}\stubpath = "C:\\Windows\\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe"	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6E8C915-8F6F-40da-973D-11366BE18EFF}\stubpath = "C:\\Windows\\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe"	{8FF72171-32F7-4985-8017-62A75327376C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC82C261-EC87-46f5-8F43-77637ECE75A6}	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}	{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF72171-32F7-4985-8017-62A75327376C}\stubpath = "C:\\Windows\\{8FF72171-32F7-4985-8017-62A75327376C}.exe"	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6E8C915-8F6F-40da-973D-11366BE18EFF}	{8FF72171-32F7-4985-8017-62A75327376C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe
508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe
2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe
628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
624	{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe
1964	{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	{8FF72171-32F7-4985-8017-62A75327376C}.exe
File created	C:\Windows\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
File created	C:\Windows\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	{F3745403-D445-418f-9515-E39A13707AF7}.exe
File created	C:\Windows\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
File created	C:\Windows\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
File created	C:\Windows\{8FF72171-32F7-4985-8017-62A75327376C}.exe	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
File created	C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
File created	C:\Windows\{F3745403-D445-418f-9515-E39A13707AF7}.exe	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
File created	C:\Windows\{72010898-92C4-4991-B548-0AF7B630299D}.exe	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
File created	C:\Windows\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe	{72010898-92C4-4991-B548-0AF7B630299D}.exe
File created	C:\Windows\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
File created	C:\Windows\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe	{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe
Token: SeIncBasePriorityPrivilege	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
Token: SeIncBasePriorityPrivilege	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
Token: SeIncBasePriorityPrivilege	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
Token: SeIncBasePriorityPrivilege	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe
Token: SeIncBasePriorityPrivilege	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
Token: SeIncBasePriorityPrivilege	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
Token: SeIncBasePriorityPrivilege	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
Token: SeIncBasePriorityPrivilege	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe
Token: SeIncBasePriorityPrivilege	628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
Token: SeIncBasePriorityPrivilege	624	{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4528	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	89
PID 1408 wrote to memory of 4528	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	89
PID 1408 wrote to memory of 4528	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	89
PID 1408 wrote to memory of 4364	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	90
PID 1408 wrote to memory of 4364	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	90
PID 1408 wrote to memory of 4364	1408	c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe	90
PID 4528 wrote to memory of 508	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	91
PID 4528 wrote to memory of 508	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	91
PID 4528 wrote to memory of 508	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	91
PID 4528 wrote to memory of 5104	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	92
PID 4528 wrote to memory of 5104	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	92
PID 4528 wrote to memory of 5104	4528	{8FF72171-32F7-4985-8017-62A75327376C}.exe	92
PID 508 wrote to memory of 1876	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	94
PID 508 wrote to memory of 1876	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	94
PID 508 wrote to memory of 1876	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	94
PID 508 wrote to memory of 1712	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	95
PID 508 wrote to memory of 1712	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	95
PID 508 wrote to memory of 1712	508	{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe	95
PID 1876 wrote to memory of 736	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	96
PID 1876 wrote to memory of 736	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	96
PID 1876 wrote to memory of 736	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	96
PID 1876 wrote to memory of 3884	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	97
PID 1876 wrote to memory of 3884	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	97
PID 1876 wrote to memory of 3884	1876	{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe	97
PID 736 wrote to memory of 1104	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	98
PID 736 wrote to memory of 1104	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	98
PID 736 wrote to memory of 1104	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	98
PID 736 wrote to memory of 4024	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	99
PID 736 wrote to memory of 4024	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	99
PID 736 wrote to memory of 4024	736	{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe	99
PID 1104 wrote to memory of 2164	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	100
PID 1104 wrote to memory of 2164	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	100
PID 1104 wrote to memory of 2164	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	100
PID 1104 wrote to memory of 4184	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	101
PID 1104 wrote to memory of 4184	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	101
PID 1104 wrote to memory of 4184	1104	{F3745403-D445-418f-9515-E39A13707AF7}.exe	101
PID 2164 wrote to memory of 364	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	102
PID 2164 wrote to memory of 364	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	102
PID 2164 wrote to memory of 364	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	102
PID 2164 wrote to memory of 3360	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	103
PID 2164 wrote to memory of 3360	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	103
PID 2164 wrote to memory of 3360	2164	{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe	103
PID 364 wrote to memory of 1316	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	104
PID 364 wrote to memory of 1316	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	104
PID 364 wrote to memory of 1316	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	104
PID 364 wrote to memory of 832	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	105
PID 364 wrote to memory of 832	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	105
PID 364 wrote to memory of 832	364	{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe	105
PID 1316 wrote to memory of 3728	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	106
PID 1316 wrote to memory of 3728	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	106
PID 1316 wrote to memory of 3728	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	106
PID 1316 wrote to memory of 1536	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	107
PID 1316 wrote to memory of 1536	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	107
PID 1316 wrote to memory of 1536	1316	{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe	107
PID 3728 wrote to memory of 628	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	108
PID 3728 wrote to memory of 628	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	108
PID 3728 wrote to memory of 628	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	108
PID 3728 wrote to memory of 1196	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	109
PID 3728 wrote to memory of 1196	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	109
PID 3728 wrote to memory of 1196	3728	{72010898-92C4-4991-B548-0AF7B630299D}.exe	109
PID 628 wrote to memory of 624	628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe	110
PID 628 wrote to memory of 624	628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe	110
PID 628 wrote to memory of 624	628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe	110
PID 628 wrote to memory of 3136	628	{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe	111

C:\Users\Admin\AppData\Local\Temp\c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c9e4c70978bbdf429344cc704c9ddb70_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\{8FF72171-32F7-4985-8017-62A75327376C}.exe
  C:\Windows\{8FF72171-32F7-4985-8017-62A75327376C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
    C:\Windows\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:508
  - - C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
      C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
        
        C:\Windows\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
      - C:\Windows\{F3745403-D445-418f-9515-E39A13707AF7}.exe
        
        C:\Windows\{F3745403-D445-418f-9515-E39A13707AF7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
        
        C:\Windows\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
        
        C:\Windows\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
        
        C:\Windows\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{72010898-92C4-4991-B548-0AF7B630299D}.exe
        
        C:\Windows\{72010898-92C4-4991-B548-0AF7B630299D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
        
        C:\Windows\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe
        
        C:\Windows\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe
        
        C:\Windows\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe
        13⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC82C~1.EXE > nul
        13⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E33A~1.EXE > nul
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72010~1.EXE > nul
        11⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6851~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB2A~1.EXE > nul
        9⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5CB9~1.EXE > nul
        8⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3745~1.EXE > nul
        7⤵
        
        PID:4184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F85FF~1.EXE > nul
        6⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9DA0~1.EXE > nul
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E8C~1.EXE > nul
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF72~1.EXE > nul
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C9E4C7~1.EXE > nul
  2⤵
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe

Filesize
168KB

MD5
dad9cb42e6aeff7f9a7bf1dc2e129e86

SHA1
9943e184d907cd56e94c77c852e7233312ebd8e7

SHA256
1b2df3965aea0b5cb1b989dc87aed9d4a057d3d9869b0b34006cfb6d605b722c

SHA512
e4783c00c4127a6a33bb402efe82abe9da74be1f64352ac04273ccfc2abdce6916776c8f3d05a9675528a65a25029687283092ddaf3ca64a45069d0502f342aa

Download Submit
C:\Windows\{51BDFC4A-97F6-4fc6-ABD2-D545606B1458}.exe

Filesize
168KB

MD5
dad9cb42e6aeff7f9a7bf1dc2e129e86

SHA1
9943e184d907cd56e94c77c852e7233312ebd8e7

SHA256
1b2df3965aea0b5cb1b989dc87aed9d4a057d3d9869b0b34006cfb6d605b722c

SHA512
e4783c00c4127a6a33bb402efe82abe9da74be1f64352ac04273ccfc2abdce6916776c8f3d05a9675528a65a25029687283092ddaf3ca64a45069d0502f342aa

Download Submit
C:\Windows\{72010898-92C4-4991-B548-0AF7B630299D}.exe

Filesize
168KB

MD5
9030933cd4eb2b455c79d36e6454e40a

SHA1
76f4ec96edd249831032c9edbe48a7e17d048109

SHA256
39bba96aa62621ae8807d531db518ddbd667b6aa3b88984118666ab391c6e120

SHA512
4a59eed1a3ca5e5c4d5e09926a9b45c590d6654ece9d80ed86c3fc5352d0b500a4e187b4e52cc76f405cb18e7f13d61bc946d15940b3e5e0e286764710795462

Download Submit
C:\Windows\{72010898-92C4-4991-B548-0AF7B630299D}.exe

Filesize
168KB

MD5
9030933cd4eb2b455c79d36e6454e40a

SHA1
76f4ec96edd249831032c9edbe48a7e17d048109

SHA256
39bba96aa62621ae8807d531db518ddbd667b6aa3b88984118666ab391c6e120

SHA512
4a59eed1a3ca5e5c4d5e09926a9b45c590d6654ece9d80ed86c3fc5352d0b500a4e187b4e52cc76f405cb18e7f13d61bc946d15940b3e5e0e286764710795462

Download Submit
C:\Windows\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe

Filesize
168KB

MD5
0834be862f40d0844615bc590f11f2b3

SHA1
645824c9c6ae369bd909a8af4bb526103d6c9ac5

SHA256
4022dca489d9fb081f9b6c728840ed142acd9abcc8e6addad57f5fed7c88983f

SHA512
dc7bbaeec20cf13a4264245cb1ba6ce6c9262667d255b0d1e0759673a2c6313602a0ecdd80792f4a270cf7cda91513b9eec71fd4f53f00c536fbff87adb5eed7

Download Submit
C:\Windows\{8AB2A136-53B3-4ab1-AABA-95615C7CACE7}.exe

Filesize
168KB

MD5
0834be862f40d0844615bc590f11f2b3

SHA1
645824c9c6ae369bd909a8af4bb526103d6c9ac5

SHA256
4022dca489d9fb081f9b6c728840ed142acd9abcc8e6addad57f5fed7c88983f

SHA512
dc7bbaeec20cf13a4264245cb1ba6ce6c9262667d255b0d1e0759673a2c6313602a0ecdd80792f4a270cf7cda91513b9eec71fd4f53f00c536fbff87adb5eed7

Download Submit
C:\Windows\{8FF72171-32F7-4985-8017-62A75327376C}.exe

Filesize
168KB

MD5
6a8c9ce504de1f2e5583c589f205b28e

SHA1
d823529aa82263e9ce64443420e2bfc55ec028bf

SHA256
514c2c2661d3b875d30793211732e3864c6396f68beba33f352942a5cc01804e

SHA512
f757e6ae1f1f60d4290c38903f3af3954c40ddd2eef4516e95785e50f0619404e76138d7d3e3da4eaaa65b9347746574bcc5e93f7f09b59731c6e30a7a63c5fa

Download Submit
C:\Windows\{8FF72171-32F7-4985-8017-62A75327376C}.exe

Filesize
168KB

MD5
6a8c9ce504de1f2e5583c589f205b28e

SHA1
d823529aa82263e9ce64443420e2bfc55ec028bf

SHA256
514c2c2661d3b875d30793211732e3864c6396f68beba33f352942a5cc01804e

SHA512
f757e6ae1f1f60d4290c38903f3af3954c40ddd2eef4516e95785e50f0619404e76138d7d3e3da4eaaa65b9347746574bcc5e93f7f09b59731c6e30a7a63c5fa

Download Submit
C:\Windows\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe

Filesize
168KB

MD5
6425700f1af9b284689a4ce026f9d2f0

SHA1
7f56b7a2bcfdb0a5240c2b6daaee4c46433be0cc

SHA256
54a71f9637054b2e1b18262ced5d4bb17b72f6c397375af1091ba9a819f248dc

SHA512
c388b8cf907b925b349c6dc98f38832d92d9d836d951df8cc7bd6cdf79d1111fbda9588192268be09ce6759e2472dd0331ffc4adff4f4a6ceadefb4415c43c6d

Download Submit
C:\Windows\{9E33ACDF-7C70-493c-B155-4014AA613FEC}.exe

Filesize
168KB

MD5
6425700f1af9b284689a4ce026f9d2f0

SHA1
7f56b7a2bcfdb0a5240c2b6daaee4c46433be0cc

SHA256
54a71f9637054b2e1b18262ced5d4bb17b72f6c397375af1091ba9a819f248dc

SHA512
c388b8cf907b925b349c6dc98f38832d92d9d836d951df8cc7bd6cdf79d1111fbda9588192268be09ce6759e2472dd0331ffc4adff4f4a6ceadefb4415c43c6d

Download Submit
C:\Windows\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe

Filesize
168KB

MD5
a9c43150589811b8686bf5613211ebde

SHA1
83c9180de1895c256ff485e828945764acdabeba

SHA256
90a3b4184582c416a4e17e531e98e09494d26db29f3286e533279e3b06f0c2da

SHA512
16d0d5c164ef9b4c9b8146b6ad3d29f8c23c444beb272132c7d89311ba92d35970a7b9e4e69f3e75c4e614fc36ce4f565502227c6e6b5bf39e06cdf997905c43

Download Submit
C:\Windows\{B5CB9B1D-5A54-4903-B048-8B60317F3BAC}.exe

Filesize
168KB

MD5
a9c43150589811b8686bf5613211ebde

SHA1
83c9180de1895c256ff485e828945764acdabeba

SHA256
90a3b4184582c416a4e17e531e98e09494d26db29f3286e533279e3b06f0c2da

SHA512
16d0d5c164ef9b4c9b8146b6ad3d29f8c23c444beb272132c7d89311ba92d35970a7b9e4e69f3e75c4e614fc36ce4f565502227c6e6b5bf39e06cdf997905c43

Download Submit
C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe

Filesize
168KB

MD5
99ec57c460c15eb4a39e2fbb0aaf4d36

SHA1
54e639ef58ae9440e5a1c6c483a30e0161a45bd6

SHA256
5dd6e73cdace7b566465a447dc2c99f9d0f1f76367c8232fe16734939122a3c0

SHA512
efa735c85629cbd82426c8266c976858791dbe6ad799fd9ab89bbff847204eb6cc5b5fdb8a8f031519d08e17888ea34d2ccc21a4029be89a2f1679214f698edc

Download Submit
C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe

Filesize
168KB

MD5
99ec57c460c15eb4a39e2fbb0aaf4d36

SHA1
54e639ef58ae9440e5a1c6c483a30e0161a45bd6

SHA256
5dd6e73cdace7b566465a447dc2c99f9d0f1f76367c8232fe16734939122a3c0

SHA512
efa735c85629cbd82426c8266c976858791dbe6ad799fd9ab89bbff847204eb6cc5b5fdb8a8f031519d08e17888ea34d2ccc21a4029be89a2f1679214f698edc

Download Submit
C:\Windows\{B9DA0E86-7746-472f-BE73-FB75DB2FF2D6}.exe

Filesize
168KB

MD5
99ec57c460c15eb4a39e2fbb0aaf4d36

SHA1
54e639ef58ae9440e5a1c6c483a30e0161a45bd6

SHA256
5dd6e73cdace7b566465a447dc2c99f9d0f1f76367c8232fe16734939122a3c0

SHA512
efa735c85629cbd82426c8266c976858791dbe6ad799fd9ab89bbff847204eb6cc5b5fdb8a8f031519d08e17888ea34d2ccc21a4029be89a2f1679214f698edc

Download Submit
C:\Windows\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe

Filesize
168KB

MD5
644457a0cc575fe9f4c2a1c93cfb6c9d

SHA1
56514e96f66c5a46349bf8d5c5d9a9a81b2b87f9

SHA256
e4f04edc3d5e38a5835fa051f97b94aea167da4918472c8010b75ab4a2a5587e

SHA512
fbb3f9b285cc13b0133b540ad620bb7b87d6457a380d473eeb9d4fb0dbba19c1e11dce8b3e242181564c3483ba3ec384eea3943406e663fa21be5dcee20c2310

Download Submit
C:\Windows\{D68519D5-9935-469b-93A8-D5E2271E8B92}.exe

Filesize
168KB

MD5
644457a0cc575fe9f4c2a1c93cfb6c9d

SHA1
56514e96f66c5a46349bf8d5c5d9a9a81b2b87f9

SHA256
e4f04edc3d5e38a5835fa051f97b94aea167da4918472c8010b75ab4a2a5587e

SHA512
fbb3f9b285cc13b0133b540ad620bb7b87d6457a380d473eeb9d4fb0dbba19c1e11dce8b3e242181564c3483ba3ec384eea3943406e663fa21be5dcee20c2310

Download Submit
C:\Windows\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe

Filesize
168KB

MD5
084462fd7167a14fb6a27a5154aab3a8

SHA1
a628e6626288e042b71ff1a790d57a1bacd7758a

SHA256
2a1493980a8e06e3bb8ead3f085d1e21a82c8fef921f73137b73c489c292be17

SHA512
ae0e9adb7fd6565549abed433cd81677cb1db51748c2d8af7043d8b8150d51062f10875bfaf2f7d72b8e42813b4c7fda6e04068d465970c5021f0906e7fb968c

Download Submit
C:\Windows\{E6E8C915-8F6F-40da-973D-11366BE18EFF}.exe

Filesize
168KB

MD5
084462fd7167a14fb6a27a5154aab3a8

SHA1
a628e6626288e042b71ff1a790d57a1bacd7758a

SHA256
2a1493980a8e06e3bb8ead3f085d1e21a82c8fef921f73137b73c489c292be17

SHA512
ae0e9adb7fd6565549abed433cd81677cb1db51748c2d8af7043d8b8150d51062f10875bfaf2f7d72b8e42813b4c7fda6e04068d465970c5021f0906e7fb968c

Download Submit
C:\Windows\{F3745403-D445-418f-9515-E39A13707AF7}.exe

Filesize
168KB

MD5
6ffdd9265baa6cc598de735bb9762d63

SHA1
eb65bca53b289bd20aa6396b4a02293737276bba

SHA256
f99cb6296f902fb8b9b6d1f3a2cbcdc0afff5faa0fce6bf6f30e518fe336cba5

SHA512
1bac0a86ab114ac860365bc2f32e10254b8cc96d66c74f8be8403fe2be4f1416a2ccac20a21b62e76c945c5bff8216c95e5e17f2fc0dfb69c8d6737e99d0a56a

Download Submit
C:\Windows\{F3745403-D445-418f-9515-E39A13707AF7}.exe

Filesize
168KB

MD5
6ffdd9265baa6cc598de735bb9762d63

SHA1
eb65bca53b289bd20aa6396b4a02293737276bba

SHA256
f99cb6296f902fb8b9b6d1f3a2cbcdc0afff5faa0fce6bf6f30e518fe336cba5

SHA512
1bac0a86ab114ac860365bc2f32e10254b8cc96d66c74f8be8403fe2be4f1416a2ccac20a21b62e76c945c5bff8216c95e5e17f2fc0dfb69c8d6737e99d0a56a

Download Submit
C:\Windows\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe

Filesize
168KB

MD5
bd5b0a521fd30cb811a847e7b960e01c

SHA1
27d148090fbb8ef96978cc23272f8b97139b003e

SHA256
8dc84ca1be8f0279ba7804ace2e0e6ed822026a7f77e24a7f5aa713e9c8b41cd

SHA512
b5a29f91f24e478795ce25fc61d721976924c73fe3ef4ccf692d4af241cf9116d4d49f1fd191ece4ae68c319e6c0c6497d179dd465ab52db8fe01442ba53ddf2

Download Submit
C:\Windows\{F85FF760-90FE-4bbb-BBFD-BFA0908B51A1}.exe

Filesize
168KB

MD5
bd5b0a521fd30cb811a847e7b960e01c

SHA1
27d148090fbb8ef96978cc23272f8b97139b003e

SHA256
8dc84ca1be8f0279ba7804ace2e0e6ed822026a7f77e24a7f5aa713e9c8b41cd

SHA512
b5a29f91f24e478795ce25fc61d721976924c73fe3ef4ccf692d4af241cf9116d4d49f1fd191ece4ae68c319e6c0c6497d179dd465ab52db8fe01442ba53ddf2

Download Submit
C:\Windows\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe

Filesize
168KB

MD5
c6a818289e327dc0722db137285326e2

SHA1
a124e7fd8802afb6c12af025b1f6564a0555c55e

SHA256
179cee8c78332d881591b986142ae4f16837579708fe9f0d7cdedad309128a10

SHA512
7dc92b5890459478e96a3ff8faef884e314c210e53b93de6849df9ea87ab526d3d1528720651fb743aa079a7f108ef8198e077b619383c13b3f027cee77cc20c

Download Submit
C:\Windows\{FC82C261-EC87-46f5-8F43-77637ECE75A6}.exe

Filesize
168KB

MD5
c6a818289e327dc0722db137285326e2

SHA1
a124e7fd8802afb6c12af025b1f6564a0555c55e

SHA256
179cee8c78332d881591b986142ae4f16837579708fe9f0d7cdedad309128a10

SHA512
7dc92b5890459478e96a3ff8faef884e314c210e53b93de6849df9ea87ab526d3d1528720651fb743aa079a7f108ef8198e077b619383c13b3f027cee77cc20c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads