87f4bbd6f6ebbd635427ec06441f8656192ae337f1ea59b2b691e9bd4342bdf1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Size

168KB
MD5

81a8d771a529c68cb18faa23de210608
SHA1

1f496424bbb65f91e92d981b29e7e6011f9719c3
SHA256

87f4bbd6f6ebbd635427ec06441f8656192ae337f1ea59b2b691e9bd4342bdf1
SHA512

c6e89522d1764b7543008053410c9231717b55c10af0524eae4c529c0226aac6ad4ec40aa9ffe0db9442854150e175e7c425d364003cd4ab716c7776ac5c21e4
SSDEEP

1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}\stubpath = "C:\\Windows\\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe"	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}\stubpath = "C:\\Windows\\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe"	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC997013-F549-4a81-AF15-64CBFACBDB2E}	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}\stubpath = "C:\\Windows\\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe"	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30930E1C-0105-4565-8F2B-D6C798CA10D8}	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D388E-6BBE-4023-9254-14A4872ECC03}	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D388E-6BBE-4023-9254-14A4872ECC03}\stubpath = "C:\\Windows\\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe"	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}\stubpath = "C:\\Windows\\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe"	{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30930E1C-0105-4565-8F2B-D6C798CA10D8}\stubpath = "C:\\Windows\\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe"	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}\stubpath = "C:\\Windows\\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe"	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}\stubpath = "C:\\Windows\\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe"	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}\stubpath = "C:\\Windows\\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe"	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}\stubpath = "C:\\Windows\\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe"	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}\stubpath = "C:\\Windows\\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe"	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC997013-F549-4a81-AF15-64CBFACBDB2E}\stubpath = "C:\\Windows\\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe"	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}	{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
408	{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe
540	{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
File created	C:\Windows\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
File created	C:\Windows\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
File created	C:\Windows\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
File created	C:\Windows\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
File created	C:\Windows\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe	{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe
File created	C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
File created	C:\Windows\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
File created	C:\Windows\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
File created	C:\Windows\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
File created	C:\Windows\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
File created	C:\Windows\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
Token: SeIncBasePriorityPrivilege	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
Token: SeIncBasePriorityPrivilege	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
Token: SeIncBasePriorityPrivilege	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
Token: SeIncBasePriorityPrivilege	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
Token: SeIncBasePriorityPrivilege	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
Token: SeIncBasePriorityPrivilege	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
Token: SeIncBasePriorityPrivilege	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
Token: SeIncBasePriorityPrivilege	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
Token: SeIncBasePriorityPrivilege	3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
Token: SeIncBasePriorityPrivilege	408	{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3760	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	89
PID 1152 wrote to memory of 3760	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	89
PID 1152 wrote to memory of 3760	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	89
PID 1152 wrote to memory of 2972	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	90
PID 1152 wrote to memory of 2972	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	90
PID 1152 wrote to memory of 2972	1152	81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe	90
PID 3760 wrote to memory of 3392	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	91
PID 3760 wrote to memory of 3392	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	91
PID 3760 wrote to memory of 3392	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	91
PID 3760 wrote to memory of 3280	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	92
PID 3760 wrote to memory of 3280	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	92
PID 3760 wrote to memory of 3280	3760	{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe	92
PID 3392 wrote to memory of 3676	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	95
PID 3392 wrote to memory of 3676	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	95
PID 3392 wrote to memory of 3676	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	95
PID 3392 wrote to memory of 1688	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	94
PID 3392 wrote to memory of 1688	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	94
PID 3392 wrote to memory of 1688	3392	{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe	94
PID 3676 wrote to memory of 1644	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	96
PID 3676 wrote to memory of 1644	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	96
PID 3676 wrote to memory of 1644	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	96
PID 3676 wrote to memory of 4584	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	97
PID 3676 wrote to memory of 4584	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	97
PID 3676 wrote to memory of 4584	3676	{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe	97
PID 1644 wrote to memory of 2904	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	98
PID 1644 wrote to memory of 2904	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	98
PID 1644 wrote to memory of 2904	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	98
PID 1644 wrote to memory of 4172	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	99
PID 1644 wrote to memory of 4172	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	99
PID 1644 wrote to memory of 4172	1644	{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe	99
PID 2904 wrote to memory of 2636	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	100
PID 2904 wrote to memory of 2636	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	100
PID 2904 wrote to memory of 2636	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	100
PID 2904 wrote to memory of 2644	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	101
PID 2904 wrote to memory of 2644	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	101
PID 2904 wrote to memory of 2644	2904	{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe	101
PID 2636 wrote to memory of 428	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	102
PID 2636 wrote to memory of 428	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	102
PID 2636 wrote to memory of 428	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	102
PID 2636 wrote to memory of 4920	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	103
PID 2636 wrote to memory of 4920	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	103
PID 2636 wrote to memory of 4920	2636	{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe	103
PID 428 wrote to memory of 3012	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	104
PID 428 wrote to memory of 3012	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	104
PID 428 wrote to memory of 3012	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	104
PID 428 wrote to memory of 4772	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	105
PID 428 wrote to memory of 4772	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	105
PID 428 wrote to memory of 4772	428	{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe	105
PID 3012 wrote to memory of 1028	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	106
PID 3012 wrote to memory of 1028	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	106
PID 3012 wrote to memory of 1028	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	106
PID 3012 wrote to memory of 1228	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	107
PID 3012 wrote to memory of 1228	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	107
PID 3012 wrote to memory of 1228	3012	{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe	107
PID 1028 wrote to memory of 3748	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	108
PID 1028 wrote to memory of 3748	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	108
PID 1028 wrote to memory of 3748	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	108
PID 1028 wrote to memory of 2548	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	109
PID 1028 wrote to memory of 2548	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	109
PID 1028 wrote to memory of 2548	1028	{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe	109
PID 3748 wrote to memory of 408	3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe	110
PID 3748 wrote to memory of 408	3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe	110
PID 3748 wrote to memory of 408	3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe	110
PID 3748 wrote to memory of 2476	3748	{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe	111

C:\Users\Admin\AppData\Local\Temp\81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\81a8d771a529c68cb18faa23de210608_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
  C:\Windows\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
    C:\Windows\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FBF~1.EXE > nul
      4⤵
      PID:1688
  - - C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
      C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
        
        C:\Windows\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
        
        C:\Windows\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
        
        C:\Windows\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
        
        C:\Windows\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
        
        C:\Windows\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
        
        C:\Windows\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
        
        C:\Windows\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe
        
        C:\Windows\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe
        
        C:\Windows\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe
        13⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B4E~1.EXE > nul
        13⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC997~1.EXE > nul
        12⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF83C~1.EXE > nul
        11⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3F1~1.EXE > nul
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F87D3~1.EXE > nul
        9⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B43B~1.EXE > nul
        8⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C05~1.EXE > nul
        7⤵
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83E95~1.EXE > nul
        6⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30930~1.EXE > nul
        5⤵
        
        PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F54FA~1.EXE > nul
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\81A8D7~1.EXE > nul
  2⤵
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe

Filesize
168KB

MD5
6d006beb6f88f5fcd2d89f8d28472920

SHA1
2c7f3e55e3a350a4bfffada92bf49be047beb1d0

SHA256
8452b8f01475c5d2275f4f61e632012d25f5d3797af2a0c6b729c515b1f0ef8d

SHA512
912728f4082555068f142ee18b00447f8784d478bed8c3e26b5b383bc0d2cf5fc3e0a35050102adf912428aff19253130b08a33e34913adc86e522e97cb293e7

Download Submit
C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe

Filesize
168KB

MD5
6d006beb6f88f5fcd2d89f8d28472920

SHA1
2c7f3e55e3a350a4bfffada92bf49be047beb1d0

SHA256
8452b8f01475c5d2275f4f61e632012d25f5d3797af2a0c6b729c515b1f0ef8d

SHA512
912728f4082555068f142ee18b00447f8784d478bed8c3e26b5b383bc0d2cf5fc3e0a35050102adf912428aff19253130b08a33e34913adc86e522e97cb293e7

Download Submit
C:\Windows\{30930E1C-0105-4565-8F2B-D6C798CA10D8}.exe

Filesize
168KB

MD5
6d006beb6f88f5fcd2d89f8d28472920

SHA1
2c7f3e55e3a350a4bfffada92bf49be047beb1d0

SHA256
8452b8f01475c5d2275f4f61e632012d25f5d3797af2a0c6b729c515b1f0ef8d

SHA512
912728f4082555068f142ee18b00447f8784d478bed8c3e26b5b383bc0d2cf5fc3e0a35050102adf912428aff19253130b08a33e34913adc86e522e97cb293e7

Download Submit
C:\Windows\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe

Filesize
168KB

MD5
fc08d9395ff3209f14b45b9ecfe04d67

SHA1
a092e874b71e1f992d212a7fec8cffb2e0ab6020

SHA256
4ae8cc7a32c32b7eb803d6cc99e82866531e54b1338c692067992c1adffcc218

SHA512
7b2cd8b724f98e961158707a112a7af7400eb5f1e3325bc2f27b55d42db049870bebb83ea11ac2f6818833182d631221f5c68dddb380e1a6f656cd0ffdf8ead7

Download Submit
C:\Windows\{3B43B5C7-6B03-45bc-B0F4-AA90739DFF13}.exe

Filesize
168KB

MD5
fc08d9395ff3209f14b45b9ecfe04d67

SHA1
a092e874b71e1f992d212a7fec8cffb2e0ab6020

SHA256
4ae8cc7a32c32b7eb803d6cc99e82866531e54b1338c692067992c1adffcc218

SHA512
7b2cd8b724f98e961158707a112a7af7400eb5f1e3325bc2f27b55d42db049870bebb83ea11ac2f6818833182d631221f5c68dddb380e1a6f656cd0ffdf8ead7

Download Submit
C:\Windows\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe

Filesize
168KB

MD5
930d79e113c7dd8b982a1bb62d9cc718

SHA1
da1589c3c7cf88e9d7b4db3ee130e10e6fb5dc44

SHA256
ce13f8f07935e8e456526f07ad170f994ee539ca779412fe3953110c6b78f939

SHA512
4dc01325e86a80ad9e694e8957a14a38de10323652602447037e03412df6a333692e4f2b9b717fd73fb92c766d018b02c3abe78aa879afa03c711cb3c0eaeeae

Download Submit
C:\Windows\{6E3F1D00-E1E3-44cc-8BF5-B066A8449681}.exe

Filesize
168KB

MD5
930d79e113c7dd8b982a1bb62d9cc718

SHA1
da1589c3c7cf88e9d7b4db3ee130e10e6fb5dc44

SHA256
ce13f8f07935e8e456526f07ad170f994ee539ca779412fe3953110c6b78f939

SHA512
4dc01325e86a80ad9e694e8957a14a38de10323652602447037e03412df6a333692e4f2b9b717fd73fb92c766d018b02c3abe78aa879afa03c711cb3c0eaeeae

Download Submit
C:\Windows\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe

Filesize
168KB

MD5
c0b1ce4ef4bfaa5fdd7b70eccd435776

SHA1
7c6555c01852fb9564747a2956a2630cda95d99e

SHA256
d29a57f97c31f82b8d90450ee2808aeda5d0be0588f7723add275cd80964db5f

SHA512
bd7d455cca997d026f8d54c43c5ad5b29fb5607d6dd04109440c61e264e49cca8c0574a3fe7c43d6dfbecf4e12eee988e3e27b36e52c88113c07589add174fcd

Download Submit
C:\Windows\{83E95A05-BBB8-4150-9E16-1647B82EB3E6}.exe

Filesize
168KB

MD5
c0b1ce4ef4bfaa5fdd7b70eccd435776

SHA1
7c6555c01852fb9564747a2956a2630cda95d99e

SHA256
d29a57f97c31f82b8d90450ee2808aeda5d0be0588f7723add275cd80964db5f

SHA512
bd7d455cca997d026f8d54c43c5ad5b29fb5607d6dd04109440c61e264e49cca8c0574a3fe7c43d6dfbecf4e12eee988e3e27b36e52c88113c07589add174fcd

Download Submit
C:\Windows\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe

Filesize
168KB

MD5
9887b927ad6a68701ed541df7234f425

SHA1
6d5cb56c5ddba9e50f83cc45354c8b0818255b4b

SHA256
f062bd8623f887dc86a6d6b4306110bc0cdfaf4841e77584ffb396d6a8e8683f

SHA512
e6ba40ed26d0b6e9e4e66b86f5591f552d557f666e758689c32cc2fd1966dc668fe8462da5eaac5ff20a10fbefa47daa36e54d899f4feac8dc8a749a50f3d059

Download Submit
C:\Windows\{99C056B6-6F88-41f9-8A36-FC2BFCE41B1A}.exe

Filesize
168KB

MD5
9887b927ad6a68701ed541df7234f425

SHA1
6d5cb56c5ddba9e50f83cc45354c8b0818255b4b

SHA256
f062bd8623f887dc86a6d6b4306110bc0cdfaf4841e77584ffb396d6a8e8683f

SHA512
e6ba40ed26d0b6e9e4e66b86f5591f552d557f666e758689c32cc2fd1966dc668fe8462da5eaac5ff20a10fbefa47daa36e54d899f4feac8dc8a749a50f3d059

Download Submit
C:\Windows\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe

Filesize
168KB

MD5
d33c69337a6503df6a8e751a81c99746

SHA1
54f306926cba21eb63098b6d1820c2348daaab81

SHA256
690ce803b6c7fc9f272cb4ebe310863e347ff82dd8236c3c406f8392ce95aea5

SHA512
41c320ee80be3c9b5d5944496ce1ec023fb236950edc177edefb7e1f2bf09f4af7c9f9c1fc3b171f992fad8f649e32a0f273d40a5ed11bc9c1973e14af5efcf0

Download Submit
C:\Windows\{A4733A16-7238-47a0-BAEC-9BD16CEECD06}.exe

Filesize
168KB

MD5
d33c69337a6503df6a8e751a81c99746

SHA1
54f306926cba21eb63098b6d1820c2348daaab81

SHA256
690ce803b6c7fc9f272cb4ebe310863e347ff82dd8236c3c406f8392ce95aea5

SHA512
41c320ee80be3c9b5d5944496ce1ec023fb236950edc177edefb7e1f2bf09f4af7c9f9c1fc3b171f992fad8f649e32a0f273d40a5ed11bc9c1973e14af5efcf0

Download Submit
C:\Windows\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe

Filesize
168KB

MD5
5b7a65ccde699a995ed5af1f7049efe1

SHA1
9cea6c57c67684d6ff98fd144f686303285a84b6

SHA256
bedea8d37456a1b6ddbf1f4d2bc437c1ad7cd1517d8024d1a8ee277827843065

SHA512
b4941f34864c730d5da0a33da0428e57ba67694f5139548f9e0a06bfa809e3cfc27a1485207bb7513935c1024c82ca29bf7613a41e7458e74e1e727bb78f95c8

Download Submit
C:\Windows\{B6FBF99A-1D41-42e1-81C7-5327A8FA32CF}.exe

Filesize
168KB

MD5
5b7a65ccde699a995ed5af1f7049efe1

SHA1
9cea6c57c67684d6ff98fd144f686303285a84b6

SHA256
bedea8d37456a1b6ddbf1f4d2bc437c1ad7cd1517d8024d1a8ee277827843065

SHA512
b4941f34864c730d5da0a33da0428e57ba67694f5139548f9e0a06bfa809e3cfc27a1485207bb7513935c1024c82ca29bf7613a41e7458e74e1e727bb78f95c8

Download Submit
C:\Windows\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe

Filesize
168KB

MD5
a4fa35313ac7857c556c81d24075d180

SHA1
c2b39371e77911429190b3f7bf9ac4e188b724dd

SHA256
268924761b2d36124d8ba896cef5693b963f4312cb311ff2f898e691e6366f2b

SHA512
5f27eacdf08550fc26cfcad0dfef9bee7f0280275e420108664cc05e43558a9eb3944d50d8640082ab7517fd5e536c3cc8e807a1fda606aaae23dd027243bdf8

Download Submit
C:\Windows\{DC997013-F549-4a81-AF15-64CBFACBDB2E}.exe

Filesize
168KB

MD5
a4fa35313ac7857c556c81d24075d180

SHA1
c2b39371e77911429190b3f7bf9ac4e188b724dd

SHA256
268924761b2d36124d8ba896cef5693b963f4312cb311ff2f898e691e6366f2b

SHA512
5f27eacdf08550fc26cfcad0dfef9bee7f0280275e420108664cc05e43558a9eb3944d50d8640082ab7517fd5e536c3cc8e807a1fda606aaae23dd027243bdf8

Download Submit
C:\Windows\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe

Filesize
168KB

MD5
3aa096b6c45e8b4289b8ce72ae88a15f

SHA1
aeed43d2db641ba2dfff2a4b23801252d0044aa4

SHA256
d00558afa04170316000ff78fae876bf26d318e4f0faa6815f5149df434fca09

SHA512
2f1876480a4e71711fc9722bda583c73306479a81c9e79842c77278f57acdf9f87a8efbdda292f45a8d9631b0f6d8141032535539bb1fff2c09c648f73b1fb49

Download Submit
C:\Windows\{F1B4E052-227C-419d-ADC1-D88EE72AB02F}.exe

Filesize
168KB

MD5
3aa096b6c45e8b4289b8ce72ae88a15f

SHA1
aeed43d2db641ba2dfff2a4b23801252d0044aa4

SHA256
d00558afa04170316000ff78fae876bf26d318e4f0faa6815f5149df434fca09

SHA512
2f1876480a4e71711fc9722bda583c73306479a81c9e79842c77278f57acdf9f87a8efbdda292f45a8d9631b0f6d8141032535539bb1fff2c09c648f73b1fb49

Download Submit
C:\Windows\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe

Filesize
168KB

MD5
cb945b16e249d925081a52f4c5d4c04b

SHA1
5b950e8830899cb27e0a2109d8c25fd7bcf41bcd

SHA256
4d2708d2ebca3de1b17ec942bd541d762263d68f021c6054b6ed37eaaac80bc6

SHA512
f80085c591d9401acdd988df5f75d15c277e4f2b054b4a4a40578ae4a42034ec48d4a9c7e25de0cf496428be40ce848030047bd47c9cbf17c1c805a6e44c9c52

Download Submit
C:\Windows\{F54FACDF-BB1A-4477-B6AF-7DDD2A1B1FFA}.exe

Filesize
168KB

MD5
cb945b16e249d925081a52f4c5d4c04b

SHA1
5b950e8830899cb27e0a2109d8c25fd7bcf41bcd

SHA256
4d2708d2ebca3de1b17ec942bd541d762263d68f021c6054b6ed37eaaac80bc6

SHA512
f80085c591d9401acdd988df5f75d15c277e4f2b054b4a4a40578ae4a42034ec48d4a9c7e25de0cf496428be40ce848030047bd47c9cbf17c1c805a6e44c9c52

Download Submit
C:\Windows\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe

Filesize
168KB

MD5
5acf29fb9de7119789c69d1a6abde55e

SHA1
2e57fa8c0f20c38a8b66114c3e478f9c8c9da62d

SHA256
5bab1e0067586f48afc50b6d78327d5feefa21eee51900f377d76cb27f32f94f

SHA512
3c662e308a8260143b7c5d96aa7b87e0b2f91cab6515f196fbe6c471d6708229db02ab804f14ba88fc55f7e0218284291d47450be008e8eb8efde87d13e65ab2

Download Submit
C:\Windows\{F87D388E-6BBE-4023-9254-14A4872ECC03}.exe

Filesize
168KB

MD5
5acf29fb9de7119789c69d1a6abde55e

SHA1
2e57fa8c0f20c38a8b66114c3e478f9c8c9da62d

SHA256
5bab1e0067586f48afc50b6d78327d5feefa21eee51900f377d76cb27f32f94f

SHA512
3c662e308a8260143b7c5d96aa7b87e0b2f91cab6515f196fbe6c471d6708229db02ab804f14ba88fc55f7e0218284291d47450be008e8eb8efde87d13e65ab2

Download Submit
C:\Windows\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe

Filesize
168KB

MD5
475cfa41b3ab08fe80ed3a43075690b0

SHA1
fda6882e752807572370e9b29222720f5a2fbe8d

SHA256
3d8a700c284732ccadbb920df5639136d7355a4413f0b518552575dfe0865966

SHA512
35e15fa5ada29e8ee2acc74de486c49cb4d7b42ec48ae7d1270ee627ffed4e4668addc34816994a342fb5293487dd38ad1e8d28a0f600de4640a47bc48d43776

Download Submit
C:\Windows\{FF83C279-61FD-48e0-8FD1-F1E1E7C2CF2A}.exe

Filesize
168KB

MD5
475cfa41b3ab08fe80ed3a43075690b0

SHA1
fda6882e752807572370e9b29222720f5a2fbe8d

SHA256
3d8a700c284732ccadbb920df5639136d7355a4413f0b518552575dfe0865966

SHA512
35e15fa5ada29e8ee2acc74de486c49cb4d7b42ec48ae7d1270ee627ffed4e4668addc34816994a342fb5293487dd38ad1e8d28a0f600de4640a47bc48d43776

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads