3345fdd40abbd3d10228df4c14d015e2dd819b83a4d460b5c6d3125c249c2c6c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Size

372KB
MD5

541823e918e36d78ba1e9341ed55eae1
SHA1

67c6e1515bcdf0f92c72cc339a8c0dcec7072dc5
SHA256

3345fdd40abbd3d10228df4c14d015e2dd819b83a4d460b5c6d3125c249c2c6c
SHA512

be75244719c3e86215a6c2ca2afd9d0b0392949c3d2c0e529aec31d8e12fd2a89951414166d4bcb008a3d9bfc35d46dc731a5a545e7a2e5347368873187d3ce6
SSDEEP

3072:CEGh0oZmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGil/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD75E916-BD44-4f47-8775-B2F63973496C}\stubpath = "C:\\Windows\\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe"	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55592A75-1F6E-495b-9298-08B0881AA5AE}	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55592A75-1F6E-495b-9298-08B0881AA5AE}\stubpath = "C:\\Windows\\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe"	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844BFD65-D53B-44ab-876D-D7C269513972}	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D3014B-6675-423f-8195-D7B4DD1DFC61}\stubpath = "C:\\Windows\\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe"	{844BFD65-D53B-44ab-876D-D7C269513972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED009E93-7903-4cb5-A985-906BF00DBF48}\stubpath = "C:\\Windows\\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe"	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}\stubpath = "C:\\Windows\\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe"	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844BFD65-D53B-44ab-876D-D7C269513972}\stubpath = "C:\\Windows\\{844BFD65-D53B-44ab-876D-D7C269513972}.exe"	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}\stubpath = "C:\\Windows\\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe"	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26826C7-C212-42b7-AE4D-C21E79027689}	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}\stubpath = "C:\\Windows\\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe"	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED009E93-7903-4cb5-A985-906BF00DBF48}	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD75E916-BD44-4f47-8775-B2F63973496C}	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}\stubpath = "C:\\Windows\\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe"	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2858814-6505-41a1-9286-C6E8F27F86FA}	{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26826C7-C212-42b7-AE4D-C21E79027689}\stubpath = "C:\\Windows\\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe"	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2858814-6505-41a1-9286-C6E8F27F86FA}\stubpath = "C:\\Windows\\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe"	{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D3014B-6675-423f-8195-D7B4DD1DFC61}	{844BFD65-D53B-44ab-876D-D7C269513972}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}\stubpath = "C:\\Windows\\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe"	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe

Executes dropped EXE 12 IoCs

pid	Process
5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe
1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
4756	{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
1632	{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
File created	C:\Windows\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
File created	C:\Windows\{844BFD65-D53B-44ab-876D-D7C269513972}.exe	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
File created	C:\Windows\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	{844BFD65-D53B-44ab-876D-D7C269513972}.exe
File created	C:\Windows\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
File created	C:\Windows\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe	{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
File created	C:\Windows\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
File created	C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
File created	C:\Windows\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
File created	C:\Windows\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
File created	C:\Windows\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
File created	C:\Windows\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
Token: SeIncBasePriorityPrivilege	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
Token: SeIncBasePriorityPrivilege	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
Token: SeIncBasePriorityPrivilege	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
Token: SeIncBasePriorityPrivilege	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
Token: SeIncBasePriorityPrivilege	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe
Token: SeIncBasePriorityPrivilege	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
Token: SeIncBasePriorityPrivilege	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
Token: SeIncBasePriorityPrivilege	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
Token: SeIncBasePriorityPrivilege	3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
Token: SeIncBasePriorityPrivilege	4756	{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 5084	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	90
PID 3728 wrote to memory of 5084	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	90
PID 3728 wrote to memory of 5084	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	90
PID 3728 wrote to memory of 1364	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	91
PID 3728 wrote to memory of 1364	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	91
PID 3728 wrote to memory of 1364	3728	541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe	91
PID 5084 wrote to memory of 4932	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	92
PID 5084 wrote to memory of 4932	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	92
PID 5084 wrote to memory of 4932	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	92
PID 5084 wrote to memory of 3512	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	93
PID 5084 wrote to memory of 3512	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	93
PID 5084 wrote to memory of 3512	5084	{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe	93
PID 4932 wrote to memory of 5088	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	96
PID 4932 wrote to memory of 5088	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	96
PID 4932 wrote to memory of 5088	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	96
PID 4932 wrote to memory of 3676	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	95
PID 4932 wrote to memory of 3676	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	95
PID 4932 wrote to memory of 3676	4932	{D26826C7-C212-42b7-AE4D-C21E79027689}.exe	95
PID 5088 wrote to memory of 4240	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	97
PID 5088 wrote to memory of 4240	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	97
PID 5088 wrote to memory of 4240	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	97
PID 5088 wrote to memory of 1792	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	98
PID 5088 wrote to memory of 1792	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	98
PID 5088 wrote to memory of 1792	5088	{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe	98
PID 4240 wrote to memory of 4660	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	99
PID 4240 wrote to memory of 4660	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	99
PID 4240 wrote to memory of 4660	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	99
PID 4240 wrote to memory of 5020	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	100
PID 4240 wrote to memory of 5020	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	100
PID 4240 wrote to memory of 5020	4240	{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe	100
PID 4660 wrote to memory of 2700	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	101
PID 4660 wrote to memory of 2700	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	101
PID 4660 wrote to memory of 2700	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	101
PID 4660 wrote to memory of 3352	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	102
PID 4660 wrote to memory of 3352	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	102
PID 4660 wrote to memory of 3352	4660	{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe	102
PID 2700 wrote to memory of 1924	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	103
PID 2700 wrote to memory of 1924	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	103
PID 2700 wrote to memory of 1924	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	103
PID 2700 wrote to memory of 3888	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	104
PID 2700 wrote to memory of 3888	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	104
PID 2700 wrote to memory of 3888	2700	{844BFD65-D53B-44ab-876D-D7C269513972}.exe	104
PID 1924 wrote to memory of 5052	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	105
PID 1924 wrote to memory of 5052	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	105
PID 1924 wrote to memory of 5052	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	105
PID 1924 wrote to memory of 4544	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	106
PID 1924 wrote to memory of 4544	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	106
PID 1924 wrote to memory of 4544	1924	{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe	106
PID 5052 wrote to memory of 316	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	107
PID 5052 wrote to memory of 316	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	107
PID 5052 wrote to memory of 316	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	107
PID 5052 wrote to memory of 1052	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	108
PID 5052 wrote to memory of 1052	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	108
PID 5052 wrote to memory of 1052	5052	{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe	108
PID 316 wrote to memory of 3208	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	109
PID 316 wrote to memory of 3208	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	109
PID 316 wrote to memory of 3208	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	109
PID 316 wrote to memory of 1752	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	110
PID 316 wrote to memory of 1752	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	110
PID 316 wrote to memory of 1752	316	{DD75E916-BD44-4f47-8775-B2F63973496C}.exe	110
PID 3208 wrote to memory of 4756	3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe	111
PID 3208 wrote to memory of 4756	3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe	111
PID 3208 wrote to memory of 4756	3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe	111
PID 3208 wrote to memory of 5004	3208	{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe	112

C:\Users\Admin\AppData\Local\Temp\541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\541823e918e36d78ba1e9341ed55eae1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
  C:\Windows\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
    C:\Windows\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2682~1.EXE > nul
      4⤵
      PID:3676
  - - C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
      C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
        
        C:\Windows\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
        
        C:\Windows\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{844BFD65-D53B-44ab-876D-D7C269513972}.exe
        
        C:\Windows\{844BFD65-D53B-44ab-876D-D7C269513972}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
        
        C:\Windows\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
        
        C:\Windows\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
        
        C:\Windows\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
        
        C:\Windows\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
        
        C:\Windows\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe
        
        C:\Windows\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe
        13⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55592~1.EXE > nul
        13⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78A8A~1.EXE > nul
        12⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD75E~1.EXE > nul
        11⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC17B~1.EXE > nul
        10⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D30~1.EXE > nul
        9⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{844BF~1.EXE > nul
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB28~1.EXE > nul
        7⤵
        
        PID:3352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED009~1.EXE > nul
        6⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{884FF~1.EXE > nul
        5⤵
        
        PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBC40~1.EXE > nul
    3⤵
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\541823~1.EXE > nul
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe

Filesize
372KB

MD5
a2fdf7912cd04138d2b3b19b894a8cc1

SHA1
0aea465e6626b90950b1e8e3f927dd5830aed15c

SHA256
a93a2308e471eeab8f851a16e4a583300479b3194a6f1ee2d0a67a2fd9ed9398

SHA512
8da589d1ecb6fa6bbb847038016b33f4eb06ad900206abf58a116ba66cfd6977a46135b36ecd0c1744f55acb322ca485c1eae0f2c36fd9c17d9e4c1e13bcc8e8

Download Submit
C:\Windows\{24D3014B-6675-423f-8195-D7B4DD1DFC61}.exe

Filesize
372KB

MD5
a2fdf7912cd04138d2b3b19b894a8cc1

SHA1
0aea465e6626b90950b1e8e3f927dd5830aed15c

SHA256
a93a2308e471eeab8f851a16e4a583300479b3194a6f1ee2d0a67a2fd9ed9398

SHA512
8da589d1ecb6fa6bbb847038016b33f4eb06ad900206abf58a116ba66cfd6977a46135b36ecd0c1744f55acb322ca485c1eae0f2c36fd9c17d9e4c1e13bcc8e8

Download Submit
C:\Windows\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe

Filesize
372KB

MD5
65f9da58764c1f4e314d30fd5e858405

SHA1
461c98b629d14540f668d3d8b0a87b839ad027c8

SHA256
a97e123b73772bc36bf0fd0bf7ca13526563aab8980cfac7ee508916684eb048

SHA512
7f388f9520aedac6b0da83fa8b1b3dd93eb7d7ab4d401c8896bdab07aa51e708f871ffbf7a96fc00004520b6a98476236caa284090fbeba3d4d6e9ac8458d7ca

Download Submit
C:\Windows\{55592A75-1F6E-495b-9298-08B0881AA5AE}.exe

Filesize
372KB

MD5
65f9da58764c1f4e314d30fd5e858405

SHA1
461c98b629d14540f668d3d8b0a87b839ad027c8

SHA256
a97e123b73772bc36bf0fd0bf7ca13526563aab8980cfac7ee508916684eb048

SHA512
7f388f9520aedac6b0da83fa8b1b3dd93eb7d7ab4d401c8896bdab07aa51e708f871ffbf7a96fc00004520b6a98476236caa284090fbeba3d4d6e9ac8458d7ca

Download Submit
C:\Windows\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe

Filesize
372KB

MD5
61321d905e735eed54756356a550d2e3

SHA1
2ff2e0b1a20c0b0c50ea4d1a01c45c16e6968776

SHA256
4bc7c336eb9df64fd8f99c341051e78a83f6c601d1a817c08685a48de75bcfeb

SHA512
2066fdd9e6c88b4dd09c0ae48f824f64a408617fd66e9e4cdb585ad01273b978540179ce6ce3a11549cbae247c211b4fa9772c0484646cb7d2f89544939b8d7b

Download Submit
C:\Windows\{78A8A329-FC19-4ae8-B3BA-7C54AE1DD288}.exe

Filesize
372KB

MD5
61321d905e735eed54756356a550d2e3

SHA1
2ff2e0b1a20c0b0c50ea4d1a01c45c16e6968776

SHA256
4bc7c336eb9df64fd8f99c341051e78a83f6c601d1a817c08685a48de75bcfeb

SHA512
2066fdd9e6c88b4dd09c0ae48f824f64a408617fd66e9e4cdb585ad01273b978540179ce6ce3a11549cbae247c211b4fa9772c0484646cb7d2f89544939b8d7b

Download Submit
C:\Windows\{844BFD65-D53B-44ab-876D-D7C269513972}.exe

Filesize
372KB

MD5
65f1dd5e1e385588bc11cfaf8af8a7d4

SHA1
6af72879c094254f2281b507000fc9889af0fc14

SHA256
c9ddd9bdcb1e4f8610581584ec1ff42c6105faa297f4f8f2b4bdf74e66ee85ab

SHA512
310e11c1024f5738ebeeb1ec2f530b7562460e6ea60c1338412930a97056558844cf821392be87b42886d2ee5713fdef32fdcfa10e582501babe606dc500ad51

Download Submit
C:\Windows\{844BFD65-D53B-44ab-876D-D7C269513972}.exe

Filesize
372KB

MD5
65f1dd5e1e385588bc11cfaf8af8a7d4

SHA1
6af72879c094254f2281b507000fc9889af0fc14

SHA256
c9ddd9bdcb1e4f8610581584ec1ff42c6105faa297f4f8f2b4bdf74e66ee85ab

SHA512
310e11c1024f5738ebeeb1ec2f530b7562460e6ea60c1338412930a97056558844cf821392be87b42886d2ee5713fdef32fdcfa10e582501babe606dc500ad51

Download Submit
C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe

Filesize
372KB

MD5
1abcb69358f490aca6c94a40c00496bc

SHA1
024570d723996b9a8d9021ed139924bcdf239bf9

SHA256
44dc5d41b12e617db5042bf78ba0634aa75bf4da3c04e14902e9834a950700f7

SHA512
1d654aea6eace81167fe84954176ab00b174246bd6000bbadea07670a1bc56ccfef06cedf5039a819be67a2f851ebc08a8fb85b82137b9f563697bf089da4efa

Download Submit
C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe

Filesize
372KB

MD5
1abcb69358f490aca6c94a40c00496bc

SHA1
024570d723996b9a8d9021ed139924bcdf239bf9

SHA256
44dc5d41b12e617db5042bf78ba0634aa75bf4da3c04e14902e9834a950700f7

SHA512
1d654aea6eace81167fe84954176ab00b174246bd6000bbadea07670a1bc56ccfef06cedf5039a819be67a2f851ebc08a8fb85b82137b9f563697bf089da4efa

Download Submit
C:\Windows\{884FFC6C-7BB3-4495-A76D-A77EB992E70A}.exe

Filesize
372KB

MD5
1abcb69358f490aca6c94a40c00496bc

SHA1
024570d723996b9a8d9021ed139924bcdf239bf9

SHA256
44dc5d41b12e617db5042bf78ba0634aa75bf4da3c04e14902e9834a950700f7

SHA512
1d654aea6eace81167fe84954176ab00b174246bd6000bbadea07670a1bc56ccfef06cedf5039a819be67a2f851ebc08a8fb85b82137b9f563697bf089da4efa

Download Submit
C:\Windows\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe

Filesize
372KB

MD5
bd3a0ea35ba55f8e80234d61efc68215

SHA1
edec329f304eac409c1c53a92f94cbb6d5038ea1

SHA256
68a25a74f0b6f20caeb306310f61e69288d4a594119803abc1d88a7cb0456fbb

SHA512
910d82626fb720227ba59b1e0423c2821f8658dec710765fce997c8a2e44abc0362d67226bf158d50a7a7e27dc1ce77e108c2f4739243a786ae8f384c645de33

Download Submit
C:\Windows\{B2858814-6505-41a1-9286-C6E8F27F86FA}.exe

Filesize
372KB

MD5
bd3a0ea35ba55f8e80234d61efc68215

SHA1
edec329f304eac409c1c53a92f94cbb6d5038ea1

SHA256
68a25a74f0b6f20caeb306310f61e69288d4a594119803abc1d88a7cb0456fbb

SHA512
910d82626fb720227ba59b1e0423c2821f8658dec710765fce997c8a2e44abc0362d67226bf158d50a7a7e27dc1ce77e108c2f4739243a786ae8f384c645de33

Download Submit
C:\Windows\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe

Filesize
372KB

MD5
af951f98e161d3793449e644585e074e

SHA1
48d28239fb492d7e27ae5dc592ffb6b9e792d500

SHA256
261b2eddcc9288aee0fc96bfcdb468056be2eccdec3d65d0f51f49b71ddeb472

SHA512
3d22219d4bce43f5e369fec6cb2bd75ee2d44fc1eb3fba6ed0272a95a48ac008d55df39e1993dbd1c2b80e158253368ec0d52a5479ba32afb80b7349d42da9fd

Download Submit
C:\Windows\{BBC40DF7-4894-43e2-A1B3-3FD15348C7C7}.exe

Filesize
372KB

MD5
af951f98e161d3793449e644585e074e

SHA1
48d28239fb492d7e27ae5dc592ffb6b9e792d500

SHA256
261b2eddcc9288aee0fc96bfcdb468056be2eccdec3d65d0f51f49b71ddeb472

SHA512
3d22219d4bce43f5e369fec6cb2bd75ee2d44fc1eb3fba6ed0272a95a48ac008d55df39e1993dbd1c2b80e158253368ec0d52a5479ba32afb80b7349d42da9fd

Download Submit
C:\Windows\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe

Filesize
372KB

MD5
17b8af6f6beb318e4f3f3f340f650c88

SHA1
f0ef8c67e2d292fb5ec0b9101b525570f5a7910a

SHA256
9f8fa0bb534e506212ee7a1ffe1cbc982a943c36450285d4c75d291385516403

SHA512
ee3924f48ac789211bb22cde77daeaace575ff2414a396234c380910d49d109b8e893e7aa5782fa5cd2c90863d1ef1cb33ed588485149462c71c085878121df5

Download Submit
C:\Windows\{BCB28E5E-D1BE-4684-8C7F-B46190D729EE}.exe

Filesize
372KB

MD5
17b8af6f6beb318e4f3f3f340f650c88

SHA1
f0ef8c67e2d292fb5ec0b9101b525570f5a7910a

SHA256
9f8fa0bb534e506212ee7a1ffe1cbc982a943c36450285d4c75d291385516403

SHA512
ee3924f48ac789211bb22cde77daeaace575ff2414a396234c380910d49d109b8e893e7aa5782fa5cd2c90863d1ef1cb33ed588485149462c71c085878121df5

Download Submit
C:\Windows\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe

Filesize
372KB

MD5
605c0189c1331ded255d98c767889f9d

SHA1
a2cf518d9b1c4f816f75eefa76e61722caa6d23b

SHA256
d49bbc76950c6c470bf8e6e43a552fddf3f932bf5a5bc18f1fb114f0d70b9628

SHA512
f0dac57018101463e089602478b42c8c4b4072aeb4012ee3be1a659c57e2bc2649ce0b79312a8ed71106a0542047025803238a8a8b3bc9515accb1393f39b37a

Download Submit
C:\Windows\{D26826C7-C212-42b7-AE4D-C21E79027689}.exe

Filesize
372KB

MD5
605c0189c1331ded255d98c767889f9d

SHA1
a2cf518d9b1c4f816f75eefa76e61722caa6d23b

SHA256
d49bbc76950c6c470bf8e6e43a552fddf3f932bf5a5bc18f1fb114f0d70b9628

SHA512
f0dac57018101463e089602478b42c8c4b4072aeb4012ee3be1a659c57e2bc2649ce0b79312a8ed71106a0542047025803238a8a8b3bc9515accb1393f39b37a

Download Submit
C:\Windows\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe

Filesize
372KB

MD5
c0a753729fd769952105e19945dacb3d

SHA1
d73add728d80b6a26e545fb73c2059d01e6d6a47

SHA256
d74f0371f6766b4d8f4698287318afb0ff19595018da1fd8c46359f1339572db

SHA512
c984831fea9cea37cc3ebaa4064d2a96f3898098aedbc95fbcb7e1c0515a90bb9f14d61c3c26d142a194deefdad0fb40cdb565e0df539deb29dce6ab65dc82f7

Download Submit
C:\Windows\{DD75E916-BD44-4f47-8775-B2F63973496C}.exe

Filesize
372KB

MD5
c0a753729fd769952105e19945dacb3d

SHA1
d73add728d80b6a26e545fb73c2059d01e6d6a47

SHA256
d74f0371f6766b4d8f4698287318afb0ff19595018da1fd8c46359f1339572db

SHA512
c984831fea9cea37cc3ebaa4064d2a96f3898098aedbc95fbcb7e1c0515a90bb9f14d61c3c26d142a194deefdad0fb40cdb565e0df539deb29dce6ab65dc82f7

Download Submit
C:\Windows\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe

Filesize
372KB

MD5
4ac4e244265fab9e16f85cffd5c4d0c5

SHA1
4a3b6cdfa58aa3571c28b29decfcc9f239a1422f

SHA256
c98182c3b59683681bce5f5c936726993790fbaa2cb601c36152866767977edb

SHA512
bb77d52e2148f97c631ab869fb7656facf4673f491ce46fea12cf6dad37ad42b63957e20aaa9202811780d7306a2511e24f99df382bef5ecec7d23ba59801570

Download Submit
C:\Windows\{ED009E93-7903-4cb5-A985-906BF00DBF48}.exe

Filesize
372KB

MD5
4ac4e244265fab9e16f85cffd5c4d0c5

SHA1
4a3b6cdfa58aa3571c28b29decfcc9f239a1422f

SHA256
c98182c3b59683681bce5f5c936726993790fbaa2cb601c36152866767977edb

SHA512
bb77d52e2148f97c631ab869fb7656facf4673f491ce46fea12cf6dad37ad42b63957e20aaa9202811780d7306a2511e24f99df382bef5ecec7d23ba59801570

Download Submit
C:\Windows\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe

Filesize
372KB

MD5
bbf07e7e9ca154b428bec8e5d870a3cf

SHA1
e50d4f0b1eba083c75ce34e94a4d4483d489ac67

SHA256
851755f3f933f0d04881dcf976dc2bc5d2cfd4637cc52ae411c491f88b528fe5

SHA512
06a42f6e30fe2510721b8cd018929db3f0419dc8ac8986857c6d21034300f57584ffa04b4c42b9d2c2ca78a66154153f20fc7a1e6b4059064a9af29cabe44122

Download Submit
C:\Windows\{FC17B160-93CF-4f30-8AF8-D47C2070D11B}.exe

Filesize
372KB

MD5
bbf07e7e9ca154b428bec8e5d870a3cf

SHA1
e50d4f0b1eba083c75ce34e94a4d4483d489ac67

SHA256
851755f3f933f0d04881dcf976dc2bc5d2cfd4637cc52ae411c491f88b528fe5

SHA512
06a42f6e30fe2510721b8cd018929db3f0419dc8ac8986857c6d21034300f57584ffa04b4c42b9d2c2ca78a66154153f20fc7a1e6b4059064a9af29cabe44122

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads