a7a08ed8675564831ad83cf653ad34fe395f4f574b1b5bae0217318ad5a320e1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
Size

216KB
MD5

13e57c9944836f69f2a09ced6f9f1313
SHA1

320d50265b98842e282145283ad1b81343c515f3
SHA256

a7a08ed8675564831ad83cf653ad34fe395f4f574b1b5bae0217318ad5a320e1
SHA512

a8eda1aae1af63a6cf49f8498baf83bcc01e55591ac6cf602f38ff8417581aebbb4c938313af9a3ac24e5f50c2e9d7e3d45b26d860d26df9d06f5f975b55d07e
SSDEEP

3072:jEGh0ool+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18D50DF-D506-4774-B8DE-DA88A3E58982}\stubpath = "C:\\Windows\\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe"	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7DF25C-676C-4bf8-A203-13149F05A08A}\stubpath = "C:\\Windows\\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe"	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}	{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A17CA8-8422-4004-A954-5EF52834E7A4}\stubpath = "C:\\Windows\\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe"	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}	{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}\stubpath = "C:\\Windows\\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe"	{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}	{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7DF25C-676C-4bf8-A203-13149F05A08A}	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}\stubpath = "C:\\Windows\\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe"	{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}\stubpath = "C:\\Windows\\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe"	{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}\stubpath = "C:\\Windows\\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe"	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082A1411-BCFC-49b1-962C-9E0A2F576593}	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18D50DF-D506-4774-B8DE-DA88A3E58982}	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}\stubpath = "C:\\Windows\\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe"	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}\stubpath = "C:\\Windows\\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe"	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082A1411-BCFC-49b1-962C-9E0A2F576593}\stubpath = "C:\\Windows\\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe"	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6A17CA8-8422-4004-A954-5EF52834E7A4}	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}\stubpath = "C:\\Windows\\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe"	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
1324	{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
2300	{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
2332	{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
540	{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe	{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
File created	C:\Windows\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
File created	C:\Windows\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
File created	C:\Windows\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe	{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
File created	C:\Windows\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe	{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
File created	C:\Windows\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
File created	C:\Windows\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
File created	C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
File created	C:\Windows\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
File created	C:\Windows\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
File created	C:\Windows\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
Token: SeIncBasePriorityPrivilege	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
Token: SeIncBasePriorityPrivilege	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
Token: SeIncBasePriorityPrivilege	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
Token: SeIncBasePriorityPrivilege	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
Token: SeIncBasePriorityPrivilege	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
Token: SeIncBasePriorityPrivilege	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
Token: SeIncBasePriorityPrivilege	1324	{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
Token: SeIncBasePriorityPrivilege	2300	{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
Token: SeIncBasePriorityPrivilege	2332	{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2076	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	28
PID 2472 wrote to memory of 2076	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	28
PID 2472 wrote to memory of 2076	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	28
PID 2472 wrote to memory of 2076	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	28
PID 2472 wrote to memory of 2912	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	29
PID 2472 wrote to memory of 2912	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	29
PID 2472 wrote to memory of 2912	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	29
PID 2472 wrote to memory of 2912	2472	13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe	29
PID 2076 wrote to memory of 2744	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	32
PID 2076 wrote to memory of 2744	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	32
PID 2076 wrote to memory of 2744	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	32
PID 2076 wrote to memory of 2744	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	32
PID 2076 wrote to memory of 2732	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	33
PID 2076 wrote to memory of 2732	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	33
PID 2076 wrote to memory of 2732	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	33
PID 2076 wrote to memory of 2732	2076	{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe	33
PID 2744 wrote to memory of 2876	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	34
PID 2744 wrote to memory of 2876	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	34
PID 2744 wrote to memory of 2876	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	34
PID 2744 wrote to memory of 2876	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	34
PID 2744 wrote to memory of 2820	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	35
PID 2744 wrote to memory of 2820	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	35
PID 2744 wrote to memory of 2820	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	35
PID 2744 wrote to memory of 2820	2744	{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe	35
PID 2876 wrote to memory of 2720	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	36
PID 2876 wrote to memory of 2720	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	36
PID 2876 wrote to memory of 2720	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	36
PID 2876 wrote to memory of 2720	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	36
PID 2876 wrote to memory of 2784	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	37
PID 2876 wrote to memory of 2784	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	37
PID 2876 wrote to memory of 2784	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	37
PID 2876 wrote to memory of 2784	2876	{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe	37
PID 2720 wrote to memory of 2084	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	38
PID 2720 wrote to memory of 2084	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	38
PID 2720 wrote to memory of 2084	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	38
PID 2720 wrote to memory of 2084	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	38
PID 2720 wrote to memory of 524	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	39
PID 2720 wrote to memory of 524	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	39
PID 2720 wrote to memory of 524	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	39
PID 2720 wrote to memory of 524	2720	{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe	39
PID 2084 wrote to memory of 516	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	40
PID 2084 wrote to memory of 516	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	40
PID 2084 wrote to memory of 516	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	40
PID 2084 wrote to memory of 516	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	40
PID 2084 wrote to memory of 752	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	41
PID 2084 wrote to memory of 752	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	41
PID 2084 wrote to memory of 752	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	41
PID 2084 wrote to memory of 752	2084	{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe	41
PID 516 wrote to memory of 1140	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	42
PID 516 wrote to memory of 1140	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	42
PID 516 wrote to memory of 1140	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	42
PID 516 wrote to memory of 1140	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	42
PID 516 wrote to memory of 1644	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	43
PID 516 wrote to memory of 1644	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	43
PID 516 wrote to memory of 1644	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	43
PID 516 wrote to memory of 1644	516	{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe	43
PID 1140 wrote to memory of 1324	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	44
PID 1140 wrote to memory of 1324	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	44
PID 1140 wrote to memory of 1324	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	44
PID 1140 wrote to memory of 1324	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	44
PID 1140 wrote to memory of 1448	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	45
PID 1140 wrote to memory of 1448	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	45
PID 1140 wrote to memory of 1448	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	45
PID 1140 wrote to memory of 1448	1140	{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe	45

C:\Users\Admin\AppData\Local\Temp\13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\13e57c9944836f69f2a09ced6f9f1313_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
  C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
    C:\Windows\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
      C:\Windows\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
        
        C:\Windows\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
        
        C:\Windows\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
        
        C:\Windows\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
        
        C:\Windows\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
        
        C:\Windows\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
        
        C:\Windows\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
        
        C:\Windows\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe
        
        C:\Windows\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe
        12⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED60~1.EXE > nul
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9835C~1.EXE > nul
        11⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED7DF~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F0F~1.EXE > nul
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF103~1.EXE > nul
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FBD0~1.EXE > nul
        7⤵
        
        PID:752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F18D5~1.EXE > nul
        6⤵
        
        PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6A17~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{082A1~1.EXE > nul
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C925~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13E57C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe

Filesize
216KB

MD5
5bad5baa2297fad3116d5f807da44bc1

SHA1
7fdd22bfeb1d82a2753301cdf6000afa339e7ad5

SHA256
85e5ee0af6b354c5efd428bc25e593fa5ced63bec53cf13a95c454834faaf9e9

SHA512
b98048eb2ed272f119a7ca363922a2c6fea6cee20fb73dfd2339a52ca629d828ff32ea7b3a63935ea29777db7ace3eb701c39eeeb35fc59fb193028264495a6c

Download Submit
C:\Windows\{082A1411-BCFC-49b1-962C-9E0A2F576593}.exe

Filesize
216KB

MD5
5bad5baa2297fad3116d5f807da44bc1

SHA1
7fdd22bfeb1d82a2753301cdf6000afa339e7ad5

SHA256
85e5ee0af6b354c5efd428bc25e593fa5ced63bec53cf13a95c454834faaf9e9

SHA512
b98048eb2ed272f119a7ca363922a2c6fea6cee20fb73dfd2339a52ca629d828ff32ea7b3a63935ea29777db7ace3eb701c39eeeb35fc59fb193028264495a6c

Download Submit
C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe

Filesize
216KB

MD5
0e9ffad5142ff090d004dc0afc1f75ef

SHA1
05bbca7d1676e9311ed6df5b2f3b3a4949d8d807

SHA256
a9cb702551a55983c206c26e514db43d737f6cb52ccb4531330442cccf1fa529

SHA512
47e14047156622ab4c0984610b8f32b0c0dca8492237324d39e45c7fb4bf1e5235f59da5a7d9683117955b189d1d5571d73f87c4a52a042bf79f88cea0447390

Download Submit
C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe

Filesize
216KB

MD5
0e9ffad5142ff090d004dc0afc1f75ef

SHA1
05bbca7d1676e9311ed6df5b2f3b3a4949d8d807

SHA256
a9cb702551a55983c206c26e514db43d737f6cb52ccb4531330442cccf1fa529

SHA512
47e14047156622ab4c0984610b8f32b0c0dca8492237324d39e45c7fb4bf1e5235f59da5a7d9683117955b189d1d5571d73f87c4a52a042bf79f88cea0447390

Download Submit
C:\Windows\{1C9252C5-62A9-46c9-9140-978DCCC13A7D}.exe

Filesize
216KB

MD5
0e9ffad5142ff090d004dc0afc1f75ef

SHA1
05bbca7d1676e9311ed6df5b2f3b3a4949d8d807

SHA256
a9cb702551a55983c206c26e514db43d737f6cb52ccb4531330442cccf1fa529

SHA512
47e14047156622ab4c0984610b8f32b0c0dca8492237324d39e45c7fb4bf1e5235f59da5a7d9683117955b189d1d5571d73f87c4a52a042bf79f88cea0447390

Download Submit
C:\Windows\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe

Filesize
216KB

MD5
e81fbcad95875d27b21aaac367e6c47b

SHA1
5b8fe7513733f8611fb5a05740370f25fc4a2b3d

SHA256
67ac16364d12e2cede2715cf2f3b46d58393a2eaed318ad78cd52e91db994de1

SHA512
2cd3da8983ab5cc2c217557ecbcd0561e5cf445ae6625016f774f964d496b479d52f0e37cf90fc7af30655ac9cf7154f46e51cc6a6f65fb6d9f29e6afffe8859

Download Submit
C:\Windows\{1ED600F7-1FB4-45f4-9733-21E5D6BF7D5E}.exe

Filesize
216KB

MD5
e81fbcad95875d27b21aaac367e6c47b

SHA1
5b8fe7513733f8611fb5a05740370f25fc4a2b3d

SHA256
67ac16364d12e2cede2715cf2f3b46d58393a2eaed318ad78cd52e91db994de1

SHA512
2cd3da8983ab5cc2c217557ecbcd0561e5cf445ae6625016f774f964d496b479d52f0e37cf90fc7af30655ac9cf7154f46e51cc6a6f65fb6d9f29e6afffe8859

Download Submit
C:\Windows\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe

Filesize
216KB

MD5
735dab53fc0f2892b8dd6039cbe5c14d

SHA1
67752efe6b008c562270841f6ce67cdf7f84b3cf

SHA256
d619b7e4b2ce4427fab5b3e5774e7e37112b6aeb50ee0a3a73a143caa5197b6d

SHA512
00a5585dcf6c08e94942aaed632fe7fe2f077a0ea97563eda135f5529611d3a014a7d587a07829895dc04fa8c7a314458a9fca519ed3dc10a1b8c015cbb5e8ec

Download Submit
C:\Windows\{1FBD010A-BC6A-47e9-A053-AD9109DCAEA5}.exe

Filesize
216KB

MD5
735dab53fc0f2892b8dd6039cbe5c14d

SHA1
67752efe6b008c562270841f6ce67cdf7f84b3cf

SHA256
d619b7e4b2ce4427fab5b3e5774e7e37112b6aeb50ee0a3a73a143caa5197b6d

SHA512
00a5585dcf6c08e94942aaed632fe7fe2f077a0ea97563eda135f5529611d3a014a7d587a07829895dc04fa8c7a314458a9fca519ed3dc10a1b8c015cbb5e8ec

Download Submit
C:\Windows\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe

Filesize
216KB

MD5
9742dd5d775c8579a1e0c52270716ff5

SHA1
c4cb4de43378e0ade682ac6f07ec626d28fb13de

SHA256
8518bed577e7b132f602357d23d4d758f10324263fd822a616d666f9c09f9c1c

SHA512
af37713e57b7a87f60d65cf33b61877d19c2e2b29a06e017b0d752fe8f6b257acbbcc6195ac6b35edc35f5201fa40912bfc29fbd24353a2c3685882a13cf477c

Download Submit
C:\Windows\{79F0F90F-0C1B-41ef-999D-8C34CCDD9AB9}.exe

Filesize
216KB

MD5
9742dd5d775c8579a1e0c52270716ff5

SHA1
c4cb4de43378e0ade682ac6f07ec626d28fb13de

SHA256
8518bed577e7b132f602357d23d4d758f10324263fd822a616d666f9c09f9c1c

SHA512
af37713e57b7a87f60d65cf33b61877d19c2e2b29a06e017b0d752fe8f6b257acbbcc6195ac6b35edc35f5201fa40912bfc29fbd24353a2c3685882a13cf477c

Download Submit
C:\Windows\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe

Filesize
216KB

MD5
15d9114e23b41e246ba4aa92427ea641

SHA1
e50437dc7dcecf9423c5eef2263953eb3cc553f2

SHA256
7af64f0cda7881f176fd4370a996a977b4c94bbf0936428f9e2f166dd8fd6496

SHA512
25fed586437df57ffdab3e4c74a8bd10d03445bfa72e9c36be10756d49b1a1189e85cc7448cd9e3cfbb9187cf5eb9726afe8d6f215476b79bb4b8a642e639a6e

Download Submit
C:\Windows\{9835CEC6-645E-4382-9ADE-6E6B59E43C00}.exe

Filesize
216KB

MD5
15d9114e23b41e246ba4aa92427ea641

SHA1
e50437dc7dcecf9423c5eef2263953eb3cc553f2

SHA256
7af64f0cda7881f176fd4370a996a977b4c94bbf0936428f9e2f166dd8fd6496

SHA512
25fed586437df57ffdab3e4c74a8bd10d03445bfa72e9c36be10756d49b1a1189e85cc7448cd9e3cfbb9187cf5eb9726afe8d6f215476b79bb4b8a642e639a6e

Download Submit
C:\Windows\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe

Filesize
216KB

MD5
1806a582ba052cb4159fee5fd0583dc7

SHA1
364718f75efe00d2f591e38fa9d5a0cc77d493aa

SHA256
decf8f67ac3489e7751b695c1957a99659d8bdac399966e13617c793a3a5e874

SHA512
4176e3c41eb26271b72508879dca04e7b04df2ce02155e9e5318b389e7b3a6e5030dd565cbaf87c119dee1abcce86e3f6b0588af4272774522de8b153f97b66e

Download Submit
C:\Windows\{BF10310A-BAEC-449f-BBFD-F6D309F9E844}.exe

Filesize
216KB

MD5
1806a582ba052cb4159fee5fd0583dc7

SHA1
364718f75efe00d2f591e38fa9d5a0cc77d493aa

SHA256
decf8f67ac3489e7751b695c1957a99659d8bdac399966e13617c793a3a5e874

SHA512
4176e3c41eb26271b72508879dca04e7b04df2ce02155e9e5318b389e7b3a6e5030dd565cbaf87c119dee1abcce86e3f6b0588af4272774522de8b153f97b66e

Download Submit
C:\Windows\{D1EFC810-3ABE-407f-89CE-BF495D359BA0}.exe

Filesize
216KB

MD5
83e36eb0fbda0c6de21010a91e9c0673

SHA1
c375be036066ec9c493c9fd547d83d957cedd6b6

SHA256
0133801b97b3811bbd69fafe69ce2a7122206104b5f682ff65c1526bea558864

SHA512
d0db149a381601567bb524980a085a85ea9284a1dba2377d9452259bc3834386aad0fc00606b669e6f1537928d51ba61cd2f489d827501a3e87af8bf7d4f9b0d

Download Submit
C:\Windows\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe

Filesize
216KB

MD5
b869234a921a06ad689007c8f114a668

SHA1
705d3a3e1cd4f1ef93a1496585d26d111bf3b700

SHA256
99f01cc77f0c0b8f1920839943c84a364b4ec3ab1b636fb15a0090478ac3d104

SHA512
e1e6874453ed951f7d98f62dfe44a7e8ad4d10e335c572a63de457ec5b4755d25cf29122bf707e186d1ac0139ff6d99a88d3f2dffccfddaed3a0b221580726c4

Download Submit
C:\Windows\{D6A17CA8-8422-4004-A954-5EF52834E7A4}.exe

Filesize
216KB

MD5
b869234a921a06ad689007c8f114a668

SHA1
705d3a3e1cd4f1ef93a1496585d26d111bf3b700

SHA256
99f01cc77f0c0b8f1920839943c84a364b4ec3ab1b636fb15a0090478ac3d104

SHA512
e1e6874453ed951f7d98f62dfe44a7e8ad4d10e335c572a63de457ec5b4755d25cf29122bf707e186d1ac0139ff6d99a88d3f2dffccfddaed3a0b221580726c4

Download Submit
C:\Windows\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe

Filesize
216KB

MD5
85c6308a618a2419ab596100d503f1fa

SHA1
b2531d66f4c10e66fcf17e6fa4e840b9c4126daf

SHA256
cb9128c40228c47c3239d963f549c65696bc403a40c8121ae81ea80a4a6295f9

SHA512
dff24cff014fa333cba5fbaa4a4845cdeb189c40f4f4342c044248a6b4e2924e345ff3e713a23334e92c23fd15d9515ee219044de9996bb0e6c0179d0bdfd863

Download Submit
C:\Windows\{ED7DF25C-676C-4bf8-A203-13149F05A08A}.exe

Filesize
216KB

MD5
85c6308a618a2419ab596100d503f1fa

SHA1
b2531d66f4c10e66fcf17e6fa4e840b9c4126daf

SHA256
cb9128c40228c47c3239d963f549c65696bc403a40c8121ae81ea80a4a6295f9

SHA512
dff24cff014fa333cba5fbaa4a4845cdeb189c40f4f4342c044248a6b4e2924e345ff3e713a23334e92c23fd15d9515ee219044de9996bb0e6c0179d0bdfd863

Download Submit
C:\Windows\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe

Filesize
216KB

MD5
7b2f799077870ae4c9cc0f809606b835

SHA1
3028aa7390e82c8fc5624d2e8f3f8965785c99b4

SHA256
547bb3bac4c649e821c91d8a01e7207f6a1eb110a0d669bb3e93e225a28531de

SHA512
c6c10a4b3c197aeecd759e6355adcaa45bfb86b3079b335de8337817b83f17fcefcbc08ca72a0ee8b7af00365d5b2ef9a96dce050b317a8f3fa4df06a1855b1f

Download Submit
C:\Windows\{F18D50DF-D506-4774-B8DE-DA88A3E58982}.exe

Filesize
216KB

MD5
7b2f799077870ae4c9cc0f809606b835

SHA1
3028aa7390e82c8fc5624d2e8f3f8965785c99b4

SHA256
547bb3bac4c649e821c91d8a01e7207f6a1eb110a0d669bb3e93e225a28531de

SHA512
c6c10a4b3c197aeecd759e6355adcaa45bfb86b3079b335de8337817b83f17fcefcbc08ca72a0ee8b7af00365d5b2ef9a96dce050b317a8f3fa4df06a1855b1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads