685f0d7fb3f87e14c667128c7993243b5041f5da6deb718b20fb8d3a228fccc6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
Size

216KB
MD5

5f399041553d4921b4ff36f3f683f959
SHA1

52841dcba8c7e15580914ec53f8b9e39aab9b1b6
SHA256

685f0d7fb3f87e14c667128c7993243b5041f5da6deb718b20fb8d3a228fccc6
SHA512

1c32bfbb3e7aa65b21bf39200e7a03dcf5e76afd6f911578fb245bbf5e9f01d7f19f71f11056bdf1b0515b5220529db6ab475e6d9088a0ca6687c4fa5e86d1cf
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG7lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}\stubpath = "C:\\Windows\\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe"	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{409D2F10-3E25-4098-AC02-F91AF0AA2904}\stubpath = "C:\\Windows\\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe"	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}\stubpath = "C:\\Windows\\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe"	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}\stubpath = "C:\\Windows\\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe"	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{409D2F10-3E25-4098-AC02-F91AF0AA2904}	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}\stubpath = "C:\\Windows\\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe"	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}\stubpath = "C:\\Windows\\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe"	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BDE9C4F-E699-4777-807D-15D364598636}	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}\stubpath = "C:\\Windows\\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe"	{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}\stubpath = "C:\\Windows\\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe"	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BDE9C4F-E699-4777-807D-15D364598636}\stubpath = "C:\\Windows\\{1BDE9C4F-E699-4777-807D-15D364598636}.exe"	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}	{1BDE9C4F-E699-4777-807D-15D364598636}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}\stubpath = "C:\\Windows\\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe"	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}\stubpath = "C:\\Windows\\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe"	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}	{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}\stubpath = "C:\\Windows\\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe"	{1BDE9C4F-E699-4777-807D-15D364598636}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe

Executes dropped EXE 12 IoCs

pid	Process
2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe
792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
1148	{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
4572	{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
File created	C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
File created	C:\Windows\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
File created	C:\Windows\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
File created	C:\Windows\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe	{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
File created	C:\Windows\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	{1BDE9C4F-E699-4777-807D-15D364598636}.exe
File created	C:\Windows\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
File created	C:\Windows\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
File created	C:\Windows\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
File created	C:\Windows\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
File created	C:\Windows\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
File created	C:\Windows\{1BDE9C4F-E699-4777-807D-15D364598636}.exe	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
Token: SeIncBasePriorityPrivilege	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
Token: SeIncBasePriorityPrivilege	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
Token: SeIncBasePriorityPrivilege	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
Token: SeIncBasePriorityPrivilege	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
Token: SeIncBasePriorityPrivilege	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
Token: SeIncBasePriorityPrivilege	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe
Token: SeIncBasePriorityPrivilege	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
Token: SeIncBasePriorityPrivilege	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
Token: SeIncBasePriorityPrivilege	1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
Token: SeIncBasePriorityPrivilege	1148	{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2764	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	90
PID 4928 wrote to memory of 2764	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	90
PID 4928 wrote to memory of 2764	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	90
PID 4928 wrote to memory of 4828	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	91
PID 4928 wrote to memory of 4828	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	91
PID 4928 wrote to memory of 4828	4928	5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe	91
PID 2764 wrote to memory of 2240	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	92
PID 2764 wrote to memory of 2240	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	92
PID 2764 wrote to memory of 2240	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	92
PID 2764 wrote to memory of 3084	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	93
PID 2764 wrote to memory of 3084	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	93
PID 2764 wrote to memory of 3084	2764	{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe	93
PID 2240 wrote to memory of 4932	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	95
PID 2240 wrote to memory of 4932	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	95
PID 2240 wrote to memory of 4932	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	95
PID 2240 wrote to memory of 3516	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	96
PID 2240 wrote to memory of 3516	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	96
PID 2240 wrote to memory of 3516	2240	{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe	96
PID 4932 wrote to memory of 4156	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	97
PID 4932 wrote to memory of 4156	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	97
PID 4932 wrote to memory of 4156	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	97
PID 4932 wrote to memory of 4512	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	98
PID 4932 wrote to memory of 4512	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	98
PID 4932 wrote to memory of 4512	4932	{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe	98
PID 4156 wrote to memory of 1296	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	99
PID 4156 wrote to memory of 1296	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	99
PID 4156 wrote to memory of 1296	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	99
PID 4156 wrote to memory of 1752	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	100
PID 4156 wrote to memory of 1752	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	100
PID 4156 wrote to memory of 1752	4156	{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe	100
PID 1296 wrote to memory of 2248	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	101
PID 1296 wrote to memory of 2248	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	101
PID 1296 wrote to memory of 2248	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	101
PID 1296 wrote to memory of 1228	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	102
PID 1296 wrote to memory of 1228	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	102
PID 1296 wrote to memory of 1228	1296	{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe	102
PID 2248 wrote to memory of 400	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	103
PID 2248 wrote to memory of 400	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	103
PID 2248 wrote to memory of 400	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	103
PID 2248 wrote to memory of 3388	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	104
PID 2248 wrote to memory of 3388	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	104
PID 2248 wrote to memory of 3388	2248	{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe	104
PID 400 wrote to memory of 792	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	105
PID 400 wrote to memory of 792	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	105
PID 400 wrote to memory of 792	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	105
PID 400 wrote to memory of 3468	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	106
PID 400 wrote to memory of 3468	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	106
PID 400 wrote to memory of 3468	400	{1BDE9C4F-E699-4777-807D-15D364598636}.exe	106
PID 792 wrote to memory of 4744	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	107
PID 792 wrote to memory of 4744	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	107
PID 792 wrote to memory of 4744	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	107
PID 792 wrote to memory of 4180	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	108
PID 792 wrote to memory of 4180	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	108
PID 792 wrote to memory of 4180	792	{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe	108
PID 4744 wrote to memory of 1352	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	109
PID 4744 wrote to memory of 1352	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	109
PID 4744 wrote to memory of 1352	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	109
PID 4744 wrote to memory of 4468	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	110
PID 4744 wrote to memory of 4468	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	110
PID 4744 wrote to memory of 4468	4744	{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe	110
PID 1352 wrote to memory of 1148	1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe	111
PID 1352 wrote to memory of 1148	1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe	111
PID 1352 wrote to memory of 1148	1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe	111
PID 1352 wrote to memory of 4380	1352	{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe	112

C:\Users\Admin\AppData\Local\Temp\5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5f399041553d4921b4ff36f3f683f959_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
  C:\Windows\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
    C:\Windows\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
      C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
        
        C:\Windows\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
        
        C:\Windows\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
        
        C:\Windows\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{1BDE9C4F-E699-4777-807D-15D364598636}.exe
        
        C:\Windows\{1BDE9C4F-E699-4777-807D-15D364598636}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
        
        C:\Windows\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
        
        C:\Windows\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
        
        C:\Windows\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
        
        C:\Windows\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe
        
        C:\Windows\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe
        13⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{706E0~1.EXE > nul
        13⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E80F9~1.EXE > nul
        12⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D000B~1.EXE > nul
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98562~1.EXE > nul
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BDE9~1.EXE > nul
        9⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3C0~1.EXE > nul
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF84B~1.EXE > nul
        7⤵
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA837~1.EXE > nul
        6⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89BC9~1.EXE > nul
        5⤵
        
        PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{409D2~1.EXE > nul
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{822AB~1.EXE > nul
    3⤵
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F3990~1.EXE > nul
  2⤵
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BDE9C4F-E699-4777-807D-15D364598636}.exe

Filesize
216KB

MD5
f57621642d58e2eae0f09be482ddec3b

SHA1
ecbe575783590f0ea2324ad7de98f1d4bdc26a11

SHA256
9f0449c07e5664581c9eb436c56b6b6ac5520b7a90b122742f3d934c98c052a7

SHA512
c477a487b42f3237a15d49ef39a64022171b4ffeaa5fe6bbd2e39ffe9f6ce7613da121d6db47f0dda27bc8c77b84b5cf1bb7077f538ca636a28b29cb9b243e3d

Download Submit
C:\Windows\{1BDE9C4F-E699-4777-807D-15D364598636}.exe

Filesize
216KB

MD5
f57621642d58e2eae0f09be482ddec3b

SHA1
ecbe575783590f0ea2324ad7de98f1d4bdc26a11

SHA256
9f0449c07e5664581c9eb436c56b6b6ac5520b7a90b122742f3d934c98c052a7

SHA512
c477a487b42f3237a15d49ef39a64022171b4ffeaa5fe6bbd2e39ffe9f6ce7613da121d6db47f0dda27bc8c77b84b5cf1bb7077f538ca636a28b29cb9b243e3d

Download Submit
C:\Windows\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe

Filesize
216KB

MD5
e3224f2f6834827285e644ef33c48258

SHA1
9305c916326bfa97759a64e0557ad9b29fcc43a8

SHA256
f4f208de16db8d334c8e810742e077785b5778f4afa262b0ea3b1701ada0fc7d

SHA512
16b3b7d7a65149f3641c6ccbc8e479f13155f5749d0f0a49608e9d8445cc8e0bf5f4f4e103858a4f0d429ddfd0e9be84851aa121e0040a5baa6e1bbdda2c765c

Download Submit
C:\Windows\{409D2F10-3E25-4098-AC02-F91AF0AA2904}.exe

Filesize
216KB

MD5
e3224f2f6834827285e644ef33c48258

SHA1
9305c916326bfa97759a64e0557ad9b29fcc43a8

SHA256
f4f208de16db8d334c8e810742e077785b5778f4afa262b0ea3b1701ada0fc7d

SHA512
16b3b7d7a65149f3641c6ccbc8e479f13155f5749d0f0a49608e9d8445cc8e0bf5f4f4e103858a4f0d429ddfd0e9be84851aa121e0040a5baa6e1bbdda2c765c

Download Submit
C:\Windows\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe

Filesize
216KB

MD5
da22b86fbfa1dce6ef0c8de7e997b40c

SHA1
eabbc2dd1c9fe86870255d1cca513fa39d8a640b

SHA256
4d2c6f9eeea8a4bc606d98dd8584dd4ecb74a5cae635c858e40858d26bc084c5

SHA512
b57530ec4bc2197d6235d6ebf696b3c5ab43045d165f35523f9f618da85fc4b295e17464148c3b2fdcb66674575220fdcc3b378bf6f57bc113eea520954483fe

Download Submit
C:\Windows\{5ADBDC55-3F07-4f4e-B919-C281D3881C51}.exe

Filesize
216KB

MD5
da22b86fbfa1dce6ef0c8de7e997b40c

SHA1
eabbc2dd1c9fe86870255d1cca513fa39d8a640b

SHA256
4d2c6f9eeea8a4bc606d98dd8584dd4ecb74a5cae635c858e40858d26bc084c5

SHA512
b57530ec4bc2197d6235d6ebf696b3c5ab43045d165f35523f9f618da85fc4b295e17464148c3b2fdcb66674575220fdcc3b378bf6f57bc113eea520954483fe

Download Submit
C:\Windows\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe

Filesize
216KB

MD5
14d59c5e16c56ac5165198c26e2de071

SHA1
221393784c128f8c6d11783e079791d7ed4b2796

SHA256
4a3ec26fa663870616b94aa44226eee6596d518cdc9af90f392e1fc64c5cb2a1

SHA512
d9aad6ae00448312c7eacef2ee14ba6e62c2aeb69ae471c38d5c3bb669f81fca4f67950d801b784681db2099b853cfb4b0c55b7f4619e17e5b683aca65c558a1

Download Submit
C:\Windows\{706E02D7-2BCD-46b3-ABD8-7FF907FD33A0}.exe

Filesize
216KB

MD5
14d59c5e16c56ac5165198c26e2de071

SHA1
221393784c128f8c6d11783e079791d7ed4b2796

SHA256
4a3ec26fa663870616b94aa44226eee6596d518cdc9af90f392e1fc64c5cb2a1

SHA512
d9aad6ae00448312c7eacef2ee14ba6e62c2aeb69ae471c38d5c3bb669f81fca4f67950d801b784681db2099b853cfb4b0c55b7f4619e17e5b683aca65c558a1

Download Submit
C:\Windows\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe

Filesize
216KB

MD5
7ce1c6d32ad792488fe12e331b300aaa

SHA1
d88acc71cbdd3c24c348ef5ed792a6e4c1e831db

SHA256
2f0fabca7ad9d1dc04d853f725955112a710960ac9ee18bc76d6ae62648c5a36

SHA512
1cb983c970fd3e38e6dd47cfd20d1cea26392e6303c0725ebe5f69d5550f2db23671b4da43b231d9dde5fa987039887c7fd32f9dae9f3fce681a338d2ea8b07a

Download Submit
C:\Windows\{822AB3E4-EB14-4f79-81BB-7093BDB8A4AD}.exe

Filesize
216KB

MD5
7ce1c6d32ad792488fe12e331b300aaa

SHA1
d88acc71cbdd3c24c348ef5ed792a6e4c1e831db

SHA256
2f0fabca7ad9d1dc04d853f725955112a710960ac9ee18bc76d6ae62648c5a36

SHA512
1cb983c970fd3e38e6dd47cfd20d1cea26392e6303c0725ebe5f69d5550f2db23671b4da43b231d9dde5fa987039887c7fd32f9dae9f3fce681a338d2ea8b07a

Download Submit
C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe

Filesize
216KB

MD5
59a349012923edf524ebeeae7dfe36d1

SHA1
ac3cb9a94cd1606a13fb7b7b9f8dea92804eed9d

SHA256
fcddae9066d0ffadd0db18c8a5e90173e31b3aee64a5c0f643466519fcf9a975

SHA512
612606ed61ab0f9dfe1a3bc9a877bcdb4a458dca4aff5de648008e7b4af3adf45f433bbf33a079ae600de76e5acb09f0de0415b17df25ac374913c995fb8a71c

Download Submit
C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe

Filesize
216KB

MD5
59a349012923edf524ebeeae7dfe36d1

SHA1
ac3cb9a94cd1606a13fb7b7b9f8dea92804eed9d

SHA256
fcddae9066d0ffadd0db18c8a5e90173e31b3aee64a5c0f643466519fcf9a975

SHA512
612606ed61ab0f9dfe1a3bc9a877bcdb4a458dca4aff5de648008e7b4af3adf45f433bbf33a079ae600de76e5acb09f0de0415b17df25ac374913c995fb8a71c

Download Submit
C:\Windows\{89BC9AD2-6F79-4cec-AFBE-8711210A44AE}.exe

Filesize
216KB

MD5
59a349012923edf524ebeeae7dfe36d1

SHA1
ac3cb9a94cd1606a13fb7b7b9f8dea92804eed9d

SHA256
fcddae9066d0ffadd0db18c8a5e90173e31b3aee64a5c0f643466519fcf9a975

SHA512
612606ed61ab0f9dfe1a3bc9a877bcdb4a458dca4aff5de648008e7b4af3adf45f433bbf33a079ae600de76e5acb09f0de0415b17df25ac374913c995fb8a71c

Download Submit
C:\Windows\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe

Filesize
216KB

MD5
39f27f99bf7ad741a7992bf1019baa0c

SHA1
f8fd872277f05ff7733b99e1c3d133cc0716308a

SHA256
d1bfe8755012eb735e91d90a7f516242f4daa9a1489c1a251a3f1e7d536f1afc

SHA512
36e0032ba71c5b72eb8620fee084206a4afa0a74961bd1f0e22cac670f9c65e15af1094e95c390b722fd1df252be3905a313bddd95451d68f45b72a441316476

Download Submit
C:\Windows\{98562D3D-7A2B-4b6f-96C9-DF27BFD06D97}.exe

Filesize
216KB

MD5
39f27f99bf7ad741a7992bf1019baa0c

SHA1
f8fd872277f05ff7733b99e1c3d133cc0716308a

SHA256
d1bfe8755012eb735e91d90a7f516242f4daa9a1489c1a251a3f1e7d536f1afc

SHA512
36e0032ba71c5b72eb8620fee084206a4afa0a74961bd1f0e22cac670f9c65e15af1094e95c390b722fd1df252be3905a313bddd95451d68f45b72a441316476

Download Submit
C:\Windows\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe

Filesize
216KB

MD5
33832ab5946277a77e89c959b9be9063

SHA1
3e46a46e4802e329a6c9bb23006c8d96ba98e7b5

SHA256
62fa6f6fbb8b2ef321e2b8d2dc38fe0019dfc4a9926d05f2c3dbaf5aaf1ab9fa

SHA512
3635b1db4651c4574d14d61181a5990ce4e8da3b30009b7044c96b36697bffd16aa547d23e695fb0fcddc6bb9feb40db1eb03c666366a223968ee03fc0a45344

Download Submit
C:\Windows\{9F3C049E-C7EB-43fd-86DB-4B31C5007B65}.exe

Filesize
216KB

MD5
33832ab5946277a77e89c959b9be9063

SHA1
3e46a46e4802e329a6c9bb23006c8d96ba98e7b5

SHA256
62fa6f6fbb8b2ef321e2b8d2dc38fe0019dfc4a9926d05f2c3dbaf5aaf1ab9fa

SHA512
3635b1db4651c4574d14d61181a5990ce4e8da3b30009b7044c96b36697bffd16aa547d23e695fb0fcddc6bb9feb40db1eb03c666366a223968ee03fc0a45344

Download Submit
C:\Windows\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe

Filesize
216KB

MD5
5bc4d8ba3bda016a8b93d73c7598f6f9

SHA1
07db4fee3b9110902c971fc75a52ddefc317e333

SHA256
8d26b6bf2439bd5c56576e96686fd3a1e77bd56cf6d0d07710b07baafb8e7899

SHA512
f43455f22aa44c5a9b3e06fe6bb858cd98dfb73be37d5aa0f323d3883d561647070f784137d7a62d831a0fd4979d14e4efd3e633d9a1a703c6f45ca7cccaa361

Download Submit
C:\Windows\{AF84B636-B1CA-4b1d-84B9-683347E18BDA}.exe

Filesize
216KB

MD5
5bc4d8ba3bda016a8b93d73c7598f6f9

SHA1
07db4fee3b9110902c971fc75a52ddefc317e333

SHA256
8d26b6bf2439bd5c56576e96686fd3a1e77bd56cf6d0d07710b07baafb8e7899

SHA512
f43455f22aa44c5a9b3e06fe6bb858cd98dfb73be37d5aa0f323d3883d561647070f784137d7a62d831a0fd4979d14e4efd3e633d9a1a703c6f45ca7cccaa361

Download Submit
C:\Windows\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe

Filesize
216KB

MD5
58519ac6dfc0a97910ee89bace945504

SHA1
e2357c5e7798a9c1fb909d5c8ead3e8573d5512b

SHA256
9e019c80653097f81c2681155e6cd234eaeb6080de59b672c4798b9b7141b3ec

SHA512
8adaf512cf5a2bf278053ede3b5b85b04852518711d173dbbff33d289a586aede824a786d3713231074d032a03a4e679ae3f8f5eb8cd70db92433c86af3fddc4

Download Submit
C:\Windows\{CA837FAE-E87E-41c5-9AEB-A6774C848BFD}.exe

Filesize
216KB

MD5
58519ac6dfc0a97910ee89bace945504

SHA1
e2357c5e7798a9c1fb909d5c8ead3e8573d5512b

SHA256
9e019c80653097f81c2681155e6cd234eaeb6080de59b672c4798b9b7141b3ec

SHA512
8adaf512cf5a2bf278053ede3b5b85b04852518711d173dbbff33d289a586aede824a786d3713231074d032a03a4e679ae3f8f5eb8cd70db92433c86af3fddc4

Download Submit
C:\Windows\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe

Filesize
216KB

MD5
f27169ba10bf6d4c80d66d03bed8cd21

SHA1
9933c4d3c1c8ceef1b8a44ddebd6fdc8c23a2246

SHA256
63f0f6f5fb5e3590dc1f9ad34261521a8ee93b231c5f40ce4da22fa8acbbdcb6

SHA512
1046265f2083e795e0a6cf6da32effc9849a1a4e1c3a3ee018eadea0ed785510e93c562bfd42f6c25aa0e8f495b30c5c95dc3f86518b78d867c2210082a88ab8

Download Submit
C:\Windows\{D000B4B5-EF3D-4490-8382-0D9A39BF4481}.exe

Filesize
216KB

MD5
f27169ba10bf6d4c80d66d03bed8cd21

SHA1
9933c4d3c1c8ceef1b8a44ddebd6fdc8c23a2246

SHA256
63f0f6f5fb5e3590dc1f9ad34261521a8ee93b231c5f40ce4da22fa8acbbdcb6

SHA512
1046265f2083e795e0a6cf6da32effc9849a1a4e1c3a3ee018eadea0ed785510e93c562bfd42f6c25aa0e8f495b30c5c95dc3f86518b78d867c2210082a88ab8

Download Submit
C:\Windows\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe

Filesize
216KB

MD5
a2ec2d9425c9edbdfb9dd2ac354ef79a

SHA1
343e770164b34dd5e7d5af8b90725713a9c98ef9

SHA256
0d3c3221be88f3e43a9453db73cba1626162072b233a51947db783e151442d10

SHA512
e4bb033fb631b6e777d173830b11ab92a6ef6b07f722fd81df4bd77f5f2669da53f5d3226735a7381a01d51353fa906c438703482211c95e114a1b8930fcf0cf

Download Submit
C:\Windows\{E80F9FC8-83A1-41ff-B626-30BF219A10FD}.exe

Filesize
216KB

MD5
a2ec2d9425c9edbdfb9dd2ac354ef79a

SHA1
343e770164b34dd5e7d5af8b90725713a9c98ef9

SHA256
0d3c3221be88f3e43a9453db73cba1626162072b233a51947db783e151442d10

SHA512
e4bb033fb631b6e777d173830b11ab92a6ef6b07f722fd81df4bd77f5f2669da53f5d3226735a7381a01d51353fa906c438703482211c95e114a1b8930fcf0cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads