1e0ae35e77deadaabb31b061bd37c6fe3a463e7c63085da5724c0d37a25a3296

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2023 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Size

372KB
MD5

13ad5d0cb2b321ac7cbda3c6ffe5cda3
SHA1

2db7dbc546ab603a6736cd4f178d93267fef640a
SHA256

1e0ae35e77deadaabb31b061bd37c6fe3a463e7c63085da5724c0d37a25a3296
SHA512

d2996220daef189907cd017518655f8d267c830726103502ed2d70a0936cb9b9edbcdf7bb6a6284ed57272fe47af8bc547aeccdeca6fce29819a41c72678684b
SSDEEP

3072:CEGh0oAmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}\stubpath = "C:\\Windows\\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe"	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}\stubpath = "C:\\Windows\\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe"	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4932C8-3095-4306-8545-390BEFD91B27}	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4932C8-3095-4306-8545-390BEFD91B27}\stubpath = "C:\\Windows\\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe"	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}	{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B119EF77-27F6-4dd7-B391-6956FDF3A407}\stubpath = "C:\\Windows\\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe"	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E448298-DC89-4090-AAF4-9F8D616457DB}	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}\stubpath = "C:\\Windows\\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe"	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE5F6B6-64F4-473f-8316-919501FB6060}	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}\stubpath = "C:\\Windows\\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe"	{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E448298-DC89-4090-AAF4-9F8D616457DB}\stubpath = "C:\\Windows\\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe"	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}\stubpath = "C:\\Windows\\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe"	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE5F6B6-64F4-473f-8316-919501FB6060}\stubpath = "C:\\Windows\\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe"	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}\stubpath = "C:\\Windows\\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe"	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}\stubpath = "C:\\Windows\\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe"	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B119EF77-27F6-4dd7-B391-6956FDF3A407}	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}\stubpath = "C:\\Windows\\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe"	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe

Executes dropped EXE 12 IoCs

pid	Process
1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
1808	{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
3632	{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
File created	C:\Windows\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
File created	C:\Windows\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
File created	C:\Windows\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe	{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
File created	C:\Windows\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
File created	C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
File created	C:\Windows\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
File created	C:\Windows\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
File created	C:\Windows\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
File created	C:\Windows\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
File created	C:\Windows\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
File created	C:\Windows\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
Token: SeIncBasePriorityPrivilege	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
Token: SeIncBasePriorityPrivilege	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
Token: SeIncBasePriorityPrivilege	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
Token: SeIncBasePriorityPrivilege	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
Token: SeIncBasePriorityPrivilege	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
Token: SeIncBasePriorityPrivilege	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
Token: SeIncBasePriorityPrivilege	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
Token: SeIncBasePriorityPrivilege	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
Token: SeIncBasePriorityPrivilege	4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
Token: SeIncBasePriorityPrivilege	1808	{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 1412	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	89
PID 3792 wrote to memory of 1412	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	89
PID 3792 wrote to memory of 1412	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	89
PID 3792 wrote to memory of 2700	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	90
PID 3792 wrote to memory of 2700	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	90
PID 3792 wrote to memory of 2700	3792	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	90
PID 1412 wrote to memory of 3700	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	91
PID 1412 wrote to memory of 3700	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	91
PID 1412 wrote to memory of 3700	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	91
PID 1412 wrote to memory of 3736	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	92
PID 1412 wrote to memory of 3736	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	92
PID 1412 wrote to memory of 3736	1412	{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe	92
PID 3700 wrote to memory of 4868	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	94
PID 3700 wrote to memory of 4868	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	94
PID 3700 wrote to memory of 4868	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	94
PID 3700 wrote to memory of 1916	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	95
PID 3700 wrote to memory of 1916	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	95
PID 3700 wrote to memory of 1916	3700	{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe	95
PID 4868 wrote to memory of 4340	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	96
PID 4868 wrote to memory of 4340	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	96
PID 4868 wrote to memory of 4340	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	96
PID 4868 wrote to memory of 3968	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	97
PID 4868 wrote to memory of 3968	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	97
PID 4868 wrote to memory of 3968	4868	{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe	97
PID 4340 wrote to memory of 4992	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	98
PID 4340 wrote to memory of 4992	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	98
PID 4340 wrote to memory of 4992	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	98
PID 4340 wrote to memory of 1480	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	99
PID 4340 wrote to memory of 1480	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	99
PID 4340 wrote to memory of 1480	4340	{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe	99
PID 4992 wrote to memory of 3340	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	100
PID 4992 wrote to memory of 3340	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	100
PID 4992 wrote to memory of 3340	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	100
PID 4992 wrote to memory of 1872	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	101
PID 4992 wrote to memory of 1872	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	101
PID 4992 wrote to memory of 1872	4992	{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe	101
PID 3340 wrote to memory of 4724	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	102
PID 3340 wrote to memory of 4724	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	102
PID 3340 wrote to memory of 4724	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	102
PID 3340 wrote to memory of 3608	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	103
PID 3340 wrote to memory of 3608	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	103
PID 3340 wrote to memory of 3608	3340	{DE4932C8-3095-4306-8545-390BEFD91B27}.exe	103
PID 4724 wrote to memory of 3752	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	104
PID 4724 wrote to memory of 3752	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	104
PID 4724 wrote to memory of 3752	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	104
PID 4724 wrote to memory of 1848	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	105
PID 4724 wrote to memory of 1848	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	105
PID 4724 wrote to memory of 1848	4724	{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe	105
PID 3752 wrote to memory of 408	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	106
PID 3752 wrote to memory of 408	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	106
PID 3752 wrote to memory of 408	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	106
PID 3752 wrote to memory of 500	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	107
PID 3752 wrote to memory of 500	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	107
PID 3752 wrote to memory of 500	3752	{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe	107
PID 408 wrote to memory of 4864	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	108
PID 408 wrote to memory of 4864	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	108
PID 408 wrote to memory of 4864	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	108
PID 408 wrote to memory of 4836	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	109
PID 408 wrote to memory of 4836	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	109
PID 408 wrote to memory of 4836	408	{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe	109
PID 4864 wrote to memory of 1808	4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe	110
PID 4864 wrote to memory of 1808	4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe	110
PID 4864 wrote to memory of 1808	4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe	110
PID 4864 wrote to memory of 4036	4864	{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe	111

C:\Users\Admin\AppData\Local\Temp\13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
  C:\Windows\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
    C:\Windows\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
      C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
        
        C:\Windows\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
        
        C:\Windows\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
        
        C:\Windows\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
        
        C:\Windows\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
        
        C:\Windows\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
        
        C:\Windows\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
        
        C:\Windows\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
        
        C:\Windows\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe
        
        C:\Windows\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE5F~1.EXE > nul
        13⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09EF3~1.EXE > nul
        12⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5385A~1.EXE > nul
        11⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E448~1.EXE > nul
        10⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC9E0~1.EXE > nul
        9⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE493~1.EXE > nul
        8⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1153~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B119E~1.EXE > nul
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3556A~1.EXE > nul
        5⤵
        
        PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44EF6~1.EXE > nul
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5298F~1.EXE > nul
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13AD5D~1.EXE > nul
  2⤵
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe

Filesize
372KB

MD5
5bf2d9277fd67af94ab2c05c1fd3de22

SHA1
68bf3d0522353c4527a590a2f728d4940bc74463

SHA256
7ccbc9a8bb0a1ce9f053672acfd1b8a0e8866d021992276183e21125e139a105

SHA512
f463120b05e6c4dc1b406b39f65e255ae1cd78510ca01b5189592239f7b1a20cad4af75818677e141bf43d0ddadf8754184034658e08e58644577b060284afe6

Download Submit
C:\Windows\{09EF3C27-D027-4c0d-8FD3-7E2D4C84BA67}.exe

Filesize
372KB

MD5
5bf2d9277fd67af94ab2c05c1fd3de22

SHA1
68bf3d0522353c4527a590a2f728d4940bc74463

SHA256
7ccbc9a8bb0a1ce9f053672acfd1b8a0e8866d021992276183e21125e139a105

SHA512
f463120b05e6c4dc1b406b39f65e255ae1cd78510ca01b5189592239f7b1a20cad4af75818677e141bf43d0ddadf8754184034658e08e58644577b060284afe6

Download Submit
C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe

Filesize
372KB

MD5
248e4784e64bf4b4aae3619457d8671d

SHA1
4d2a5cc3635bdf1145666a609401399542bc3bff

SHA256
cff5ccc2bcc4007118388e4c6504ee620a343acc31b4fd9d2c37e7a45b50fa45

SHA512
f7d42f3d4858c5abf306235dc803ef24fbf34c2c59e46fccccb6434de06a33edacbdbdc5ad4663df3ef7cae0d45968361abd46fbed22f5285a69468921a4a422

Download Submit
C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe

Filesize
372KB

MD5
248e4784e64bf4b4aae3619457d8671d

SHA1
4d2a5cc3635bdf1145666a609401399542bc3bff

SHA256
cff5ccc2bcc4007118388e4c6504ee620a343acc31b4fd9d2c37e7a45b50fa45

SHA512
f7d42f3d4858c5abf306235dc803ef24fbf34c2c59e46fccccb6434de06a33edacbdbdc5ad4663df3ef7cae0d45968361abd46fbed22f5285a69468921a4a422

Download Submit
C:\Windows\{3556A3D0-F07C-4bbf-A184-441E5E4916C2}.exe

Filesize
372KB

MD5
248e4784e64bf4b4aae3619457d8671d

SHA1
4d2a5cc3635bdf1145666a609401399542bc3bff

SHA256
cff5ccc2bcc4007118388e4c6504ee620a343acc31b4fd9d2c37e7a45b50fa45

SHA512
f7d42f3d4858c5abf306235dc803ef24fbf34c2c59e46fccccb6434de06a33edacbdbdc5ad4663df3ef7cae0d45968361abd46fbed22f5285a69468921a4a422

Download Submit
C:\Windows\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe

Filesize
372KB

MD5
0c3ca8e5bdd6e1246f555c49deb45130

SHA1
d9c3d431018512654188c9dde152ad049a6a73b4

SHA256
2288c2dfc3c35fbfe081ef850404893144cfcce11f083d6dd123aebfd45d0d60

SHA512
535802eccabd7e0c79ca2841336fc26977ef89b93386a2c04fe36884c2a1d5d29237c41292935fdca5b59668fa95042c504b9591ba0910f02bcfbb26d3d45e25

Download Submit
C:\Windows\{44EF6D1E-0AEC-4ae3-AFAC-3E489213D3F3}.exe

Filesize
372KB

MD5
0c3ca8e5bdd6e1246f555c49deb45130

SHA1
d9c3d431018512654188c9dde152ad049a6a73b4

SHA256
2288c2dfc3c35fbfe081ef850404893144cfcce11f083d6dd123aebfd45d0d60

SHA512
535802eccabd7e0c79ca2841336fc26977ef89b93386a2c04fe36884c2a1d5d29237c41292935fdca5b59668fa95042c504b9591ba0910f02bcfbb26d3d45e25

Download Submit
C:\Windows\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe

Filesize
372KB

MD5
7096cddde9104a5535949072fc3715d2

SHA1
b3c49f3ba4129d424d60b3750f9e96cdcef3bcea

SHA256
0d4013818b073c73329ca18ce621b107fbfec086f4d078ddc42fb93bfcb01497

SHA512
7fa6f7eb3de8a7b9ea3f451bdcca5194950d454f6532bbf1d8ae98549a671f10f6628a0adfb486250dea20fd61c0f9b4ac820e591d792a27023e8534fd89bb9a

Download Submit
C:\Windows\{5298FD6C-7677-4d9d-BD76-70E8C0833ED8}.exe

Filesize
372KB

MD5
7096cddde9104a5535949072fc3715d2

SHA1
b3c49f3ba4129d424d60b3750f9e96cdcef3bcea

SHA256
0d4013818b073c73329ca18ce621b107fbfec086f4d078ddc42fb93bfcb01497

SHA512
7fa6f7eb3de8a7b9ea3f451bdcca5194950d454f6532bbf1d8ae98549a671f10f6628a0adfb486250dea20fd61c0f9b4ac820e591d792a27023e8534fd89bb9a

Download Submit
C:\Windows\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe

Filesize
372KB

MD5
b26ed144b22084d803aa23f3710ea1aa

SHA1
d4d57cb776aaf27dce45e0290ce28c282ac6506f

SHA256
01549b647b69bf32cc5b9e95e221538318b455a18ccfe9cc5a0d8264f9bb4a7d

SHA512
9bdccefab54e047d6993483111af6f6cbf5290eb8915026f354e72a4f5a585e0f7cf655183b5b84ca9a7ada4c5f5ecb3ce3b6271a133bbe228760282319d8392

Download Submit
C:\Windows\{5385AAF0-0AE7-4bbe-B740-DB7905E4B2BF}.exe

Filesize
372KB

MD5
b26ed144b22084d803aa23f3710ea1aa

SHA1
d4d57cb776aaf27dce45e0290ce28c282ac6506f

SHA256
01549b647b69bf32cc5b9e95e221538318b455a18ccfe9cc5a0d8264f9bb4a7d

SHA512
9bdccefab54e047d6993483111af6f6cbf5290eb8915026f354e72a4f5a585e0f7cf655183b5b84ca9a7ada4c5f5ecb3ce3b6271a133bbe228760282319d8392

Download Submit
C:\Windows\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe

Filesize
372KB

MD5
e0f3b653c76482273729eaf6471d703a

SHA1
172e6d289d3b08046f995dd29221d411d0a37839

SHA256
0dd02a4cd22d4d122b793fe797f68311142649847fc961a6c99ebb6b430d30a1

SHA512
ffbdbe4a6a573e5f6897002981ac633627aa51913c0adf93c780e0c0f207a089726d7b8d35b49340c51acf8635fb94b04495f7c6b927e623248f2a58b5a87278

Download Submit
C:\Windows\{72337989-6ACF-4b44-AD83-84E05DBEEC0D}.exe

Filesize
372KB

MD5
e0f3b653c76482273729eaf6471d703a

SHA1
172e6d289d3b08046f995dd29221d411d0a37839

SHA256
0dd02a4cd22d4d122b793fe797f68311142649847fc961a6c99ebb6b430d30a1

SHA512
ffbdbe4a6a573e5f6897002981ac633627aa51913c0adf93c780e0c0f207a089726d7b8d35b49340c51acf8635fb94b04495f7c6b927e623248f2a58b5a87278

Download Submit
C:\Windows\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe

Filesize
372KB

MD5
8dc5eee355806af8f3d060ad9c093804

SHA1
17c1f2d7a5da2d3533c4e8947195f384519bfff5

SHA256
b14f45a306710f27ee38f26ddae802516d2d1165cef73ab5e9a152375a6b278f

SHA512
26ad7710c65443364b324d7e94f24236de29dc6b8447ae52c38fbe6522fa25fc8d13721baa868c9430011d8741aa124685be54c686fb48c67db9e1623f3f89a5

Download Submit
C:\Windows\{8E448298-DC89-4090-AAF4-9F8D616457DB}.exe

Filesize
372KB

MD5
8dc5eee355806af8f3d060ad9c093804

SHA1
17c1f2d7a5da2d3533c4e8947195f384519bfff5

SHA256
b14f45a306710f27ee38f26ddae802516d2d1165cef73ab5e9a152375a6b278f

SHA512
26ad7710c65443364b324d7e94f24236de29dc6b8447ae52c38fbe6522fa25fc8d13721baa868c9430011d8741aa124685be54c686fb48c67db9e1623f3f89a5

Download Submit
C:\Windows\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe

Filesize
372KB

MD5
613dbdd254e495578ac598344db7e0b2

SHA1
50a048035b2dfeb715234de2530667a2733cfafe

SHA256
509856081ef297960737b0b5e899f19b2a966de12451eb81fa1eff0e90b39420

SHA512
93f7c7ed6f094fdee6962c215cb92b8f8144c246f2555b6522b7f41de6b370ab1fb612cedd04d21cd4425faf9e076ca75597dd5ddb5824e7036b52546501aa20

Download Submit
C:\Windows\{AC9E05D0-C36F-4cee-BACF-B5E7FE2763D6}.exe

Filesize
372KB

MD5
613dbdd254e495578ac598344db7e0b2

SHA1
50a048035b2dfeb715234de2530667a2733cfafe

SHA256
509856081ef297960737b0b5e899f19b2a966de12451eb81fa1eff0e90b39420

SHA512
93f7c7ed6f094fdee6962c215cb92b8f8144c246f2555b6522b7f41de6b370ab1fb612cedd04d21cd4425faf9e076ca75597dd5ddb5824e7036b52546501aa20

Download Submit
C:\Windows\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe

Filesize
372KB

MD5
e4ff4c29d393697af4bdd5d8dc720dfa

SHA1
de7eb006e3c2ac60aa24d2e8e4102afe21778056

SHA256
bc6aab5ebfaf410d19cd64eb34352d00a7ccc5f3faf7c43f5d9cf6bdb3998977

SHA512
87ea9e6996857d6c7df07c4f355d8ff5fbe527624de5fe7bc73c39cebf351ff26238e8553f5d91a87a5ec5504dabe7cad3cde0d1aebdadd65505ead868fc7262

Download Submit
C:\Windows\{B119EF77-27F6-4dd7-B391-6956FDF3A407}.exe

Filesize
372KB

MD5
e4ff4c29d393697af4bdd5d8dc720dfa

SHA1
de7eb006e3c2ac60aa24d2e8e4102afe21778056

SHA256
bc6aab5ebfaf410d19cd64eb34352d00a7ccc5f3faf7c43f5d9cf6bdb3998977

SHA512
87ea9e6996857d6c7df07c4f355d8ff5fbe527624de5fe7bc73c39cebf351ff26238e8553f5d91a87a5ec5504dabe7cad3cde0d1aebdadd65505ead868fc7262

Download Submit
C:\Windows\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe

Filesize
372KB

MD5
3cd0e65e15e201d2e987171d20a1d99c

SHA1
951a558d667eb03812a07ccebcfb3cc0f032ea68

SHA256
ed7057caf6a1c8808fabf5de32ecc7e3e0e60acc030915b8b5639286bb2b3eb3

SHA512
b71b72dc514c4382b09287739ff9adb83602f42f71d6d33979751a4419ec94492905c3fc8cfdf52b6c07f21345360f9f7a681879cdbfbd3b3caeb53942671f32

Download Submit
C:\Windows\{C1153BE0-C84D-4571-855D-E1C70F42A7BC}.exe

Filesize
372KB

MD5
3cd0e65e15e201d2e987171d20a1d99c

SHA1
951a558d667eb03812a07ccebcfb3cc0f032ea68

SHA256
ed7057caf6a1c8808fabf5de32ecc7e3e0e60acc030915b8b5639286bb2b3eb3

SHA512
b71b72dc514c4382b09287739ff9adb83602f42f71d6d33979751a4419ec94492905c3fc8cfdf52b6c07f21345360f9f7a681879cdbfbd3b3caeb53942671f32

Download Submit
C:\Windows\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe

Filesize
372KB

MD5
21ee6725f67a576ba4be85d135686059

SHA1
5c98f13eee13ea324fd975cd77139330e895b88f

SHA256
bad51f2dbd30e8b50cdd894ab16b05be2c329788ed9fa9d4c0187df2fdcabaab

SHA512
e1ffe692e8aaaf1a53f6a1efbddcb48b21cf847a957efa20f1d96016daa2ae14c8717caeced01deadef4e8d8821025ebf0fdeb55f6e307f9a1a91f707675edfb

Download Submit
C:\Windows\{DE4932C8-3095-4306-8545-390BEFD91B27}.exe

Filesize
372KB

MD5
21ee6725f67a576ba4be85d135686059

SHA1
5c98f13eee13ea324fd975cd77139330e895b88f

SHA256
bad51f2dbd30e8b50cdd894ab16b05be2c329788ed9fa9d4c0187df2fdcabaab

SHA512
e1ffe692e8aaaf1a53f6a1efbddcb48b21cf847a957efa20f1d96016daa2ae14c8717caeced01deadef4e8d8821025ebf0fdeb55f6e307f9a1a91f707675edfb

Download Submit
C:\Windows\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe

Filesize
372KB

MD5
094e27f2ce2ab9dd2f761654f5d444c0

SHA1
93b7dea2f52d29d5abb4b6452dc69e5b1526596e

SHA256
a7baa42dce187a2e62e2088a29bc534fe19a9f31c8c0f65e7fbcb6b7d71c0563

SHA512
da2b49e299f4d5d0848d420e5ce1aa1b2ed49f992fe055caaefe671ff2266c6f859589aa1761eb684d778d08e97cba79cb0248a2571d0cfa0f34d4fa11047c02

Download Submit
C:\Windows\{FEE5F6B6-64F4-473f-8316-919501FB6060}.exe

Filesize
372KB

MD5
094e27f2ce2ab9dd2f761654f5d444c0

SHA1
93b7dea2f52d29d5abb4b6452dc69e5b1526596e

SHA256
a7baa42dce187a2e62e2088a29bc534fe19a9f31c8c0f65e7fbcb6b7d71c0563

SHA512
da2b49e299f4d5d0848d420e5ce1aa1b2ed49f992fe055caaefe671ff2266c6f859589aa1761eb684d778d08e97cba79cb0248a2571d0cfa0f34d4fa11047c02

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads