70e63d8bf18ea2b4e6d2b570afab399f04c87d62596e81bc6c555dd044b2034b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Size

216KB
MD5

e1adc912447b616b8e6b5e08d242d82a
SHA1

a4e69b9d6a1e93b3c88178f9dc84556f25848dde
SHA256

70e63d8bf18ea2b4e6d2b570afab399f04c87d62596e81bc6c555dd044b2034b
SHA512

6c425ebbaea20e23b8177d61d387a3dbf1eb7bef339968f8d8bdd54d6766348f0fa6ed877d7f6d3cffffeeea42a49115d1d74b56cb1592e5e2c57d3b2f10a982
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGNlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}\stubpath = "C:\\Windows\\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe"	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}\stubpath = "C:\\Windows\\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe"	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}\stubpath = "C:\\Windows\\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe"	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC29243B-11B4-4698-ABDD-1571787DA075}	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC29243B-11B4-4698-ABDD-1571787DA075}\stubpath = "C:\\Windows\\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe"	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC428DA-DB9B-4867-B44E-67D668D6948F}\stubpath = "C:\\Windows\\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe"	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}\stubpath = "C:\\Windows\\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe"	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A9009C8-4552-4248-8741-2273BD82ABE9}	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}	{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44609F6A-0182-45bd-A8CA-80A40CA045EC}	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}\stubpath = "C:\\Windows\\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe"	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A9009C8-4552-4248-8741-2273BD82ABE9}\stubpath = "C:\\Windows\\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe"	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F865A86C-2390-4d1e-B60F-80892ECE45D1}\stubpath = "C:\\Windows\\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe"	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2706F43-38BD-4652-AE45-ECD771D146BA}	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2706F43-38BD-4652-AE45-ECD771D146BA}\stubpath = "C:\\Windows\\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe"	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44609F6A-0182-45bd-A8CA-80A40CA045EC}\stubpath = "C:\\Windows\\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe"	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC428DA-DB9B-4867-B44E-67D668D6948F}	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F865A86C-2390-4d1e-B60F-80892ECE45D1}	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}\stubpath = "C:\\Windows\\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe"	{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
5020	{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe
3812	{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
File created	C:\Windows\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
File created	C:\Windows\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
File created	C:\Windows\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
File created	C:\Windows\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
File created	C:\Windows\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe	{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe
File created	C:\Windows\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
File created	C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
File created	C:\Windows\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
File created	C:\Windows\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
File created	C:\Windows\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
File created	C:\Windows\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
Token: SeIncBasePriorityPrivilege	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
Token: SeIncBasePriorityPrivilege	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
Token: SeIncBasePriorityPrivilege	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
Token: SeIncBasePriorityPrivilege	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
Token: SeIncBasePriorityPrivilege	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
Token: SeIncBasePriorityPrivilege	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
Token: SeIncBasePriorityPrivilege	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
Token: SeIncBasePriorityPrivilege	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
Token: SeIncBasePriorityPrivilege	3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
Token: SeIncBasePriorityPrivilege	5020	{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4468	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	90
PID 1228 wrote to memory of 4468	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	90
PID 1228 wrote to memory of 4468	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	90
PID 1228 wrote to memory of 536	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	91
PID 1228 wrote to memory of 536	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	91
PID 1228 wrote to memory of 536	1228	e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe	91
PID 4468 wrote to memory of 2408	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	92
PID 4468 wrote to memory of 2408	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	92
PID 4468 wrote to memory of 2408	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	92
PID 4468 wrote to memory of 4116	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	93
PID 4468 wrote to memory of 4116	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	93
PID 4468 wrote to memory of 4116	4468	{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe	93
PID 2408 wrote to memory of 2576	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	95
PID 2408 wrote to memory of 2576	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	95
PID 2408 wrote to memory of 2576	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	95
PID 2408 wrote to memory of 1976	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	96
PID 2408 wrote to memory of 1976	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	96
PID 2408 wrote to memory of 1976	2408	{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe	96
PID 2576 wrote to memory of 2296	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	97
PID 2576 wrote to memory of 2296	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	97
PID 2576 wrote to memory of 2296	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	97
PID 2576 wrote to memory of 3416	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	98
PID 2576 wrote to memory of 3416	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	98
PID 2576 wrote to memory of 3416	2576	{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe	98
PID 2296 wrote to memory of 3808	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	99
PID 2296 wrote to memory of 3808	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	99
PID 2296 wrote to memory of 3808	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	99
PID 2296 wrote to memory of 996	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	100
PID 2296 wrote to memory of 996	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	100
PID 2296 wrote to memory of 996	2296	{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe	100
PID 3808 wrote to memory of 4616	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	101
PID 3808 wrote to memory of 4616	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	101
PID 3808 wrote to memory of 4616	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	101
PID 3808 wrote to memory of 3212	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	102
PID 3808 wrote to memory of 3212	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	102
PID 3808 wrote to memory of 3212	3808	{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe	102
PID 4616 wrote to memory of 2592	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	103
PID 4616 wrote to memory of 2592	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	103
PID 4616 wrote to memory of 2592	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	103
PID 4616 wrote to memory of 4836	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	104
PID 4616 wrote to memory of 4836	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	104
PID 4616 wrote to memory of 4836	4616	{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe	104
PID 2592 wrote to memory of 3876	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	105
PID 2592 wrote to memory of 3876	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	105
PID 2592 wrote to memory of 3876	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	105
PID 2592 wrote to memory of 692	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	106
PID 2592 wrote to memory of 692	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	106
PID 2592 wrote to memory of 692	2592	{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe	106
PID 3876 wrote to memory of 1712	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	107
PID 3876 wrote to memory of 1712	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	107
PID 3876 wrote to memory of 1712	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	107
PID 3876 wrote to memory of 1932	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	108
PID 3876 wrote to memory of 1932	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	108
PID 3876 wrote to memory of 1932	3876	{DC29243B-11B4-4698-ABDD-1571787DA075}.exe	108
PID 1712 wrote to memory of 3596	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	109
PID 1712 wrote to memory of 3596	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	109
PID 1712 wrote to memory of 3596	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	109
PID 1712 wrote to memory of 2364	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	110
PID 1712 wrote to memory of 2364	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	110
PID 1712 wrote to memory of 2364	1712	{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe	110
PID 3596 wrote to memory of 5020	3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe	111
PID 3596 wrote to memory of 5020	3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe	111
PID 3596 wrote to memory of 5020	3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe	111
PID 3596 wrote to memory of 4484	3596	{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe	112

C:\Users\Admin\AppData\Local\Temp\e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e1adc912447b616b8e6b5e08d242d82a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
  C:\Windows\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
    C:\Windows\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
      C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
        
        C:\Windows\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
        
        C:\Windows\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
        
        C:\Windows\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
        
        C:\Windows\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
        
        C:\Windows\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
        
        C:\Windows\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
        
        C:\Windows\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe
        
        C:\Windows\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe
        
        C:\Windows\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe
        13⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F865A~1.EXE > nul
        13⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A900~1.EXE > nul
        12⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC42~1.EXE > nul
        11⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC292~1.EXE > nul
        10⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52B73~1.EXE > nul
        9⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44609~1.EXE > nul
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C1C~1.EXE > nul
        7⤵
        
        PID:3212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F092D~1.EXE > nul
        6⤵
        
        PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2706~1.EXE > nul
        5⤵
        
        PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7218B~1.EXE > nul
      4⤵
      PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99ABB~1.EXE > nul
    3⤵
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E1ADC9~1.EXE > nul
  2⤵
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe

Filesize
216KB

MD5
df4800074541c292c4725e3b0aa2dae2

SHA1
b64dba89f76b202d2aa4b3f4fd117df267c40c1e

SHA256
ba506d86f9c9745811059704c4db200e5c53647e50f7465cbf19daacf275b0fe

SHA512
fcc5f99253896685538c6b3bd912bf3f9b7b3d4a01ce364bddcde20d6678c6c374bae893f2b3cc1fcdd42efd9a4489ee0b3ba41f116b448d3e648adc566e79f4

Download Submit
C:\Windows\{1A9009C8-4552-4248-8741-2273BD82ABE9}.exe

Filesize
216KB

MD5
df4800074541c292c4725e3b0aa2dae2

SHA1
b64dba89f76b202d2aa4b3f4fd117df267c40c1e

SHA256
ba506d86f9c9745811059704c4db200e5c53647e50f7465cbf19daacf275b0fe

SHA512
fcc5f99253896685538c6b3bd912bf3f9b7b3d4a01ce364bddcde20d6678c6c374bae893f2b3cc1fcdd42efd9a4489ee0b3ba41f116b448d3e648adc566e79f4

Download Submit
C:\Windows\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe

Filesize
216KB

MD5
ef96fc01e67164dd5c71b91e18e3bbfd

SHA1
ba565044db3f8049fa625c414a9fc7a02dc1990e

SHA256
374b4424aa38e439c7644f1b21a28fd79fa9a8e37f4a9f54a2e9cdc0b160a753

SHA512
ab29f0b608370be0c55d4c2c510af069e2ddd2e3ccf2ec61097e9b60f0cf5d7b39dbe50881b241e93eaf94c8f97255c35d5c31b7159ad5dad55afaaf6fc9bc32

Download Submit
C:\Windows\{3BC428DA-DB9B-4867-B44E-67D668D6948F}.exe

Filesize
216KB

MD5
ef96fc01e67164dd5c71b91e18e3bbfd

SHA1
ba565044db3f8049fa625c414a9fc7a02dc1990e

SHA256
374b4424aa38e439c7644f1b21a28fd79fa9a8e37f4a9f54a2e9cdc0b160a753

SHA512
ab29f0b608370be0c55d4c2c510af069e2ddd2e3ccf2ec61097e9b60f0cf5d7b39dbe50881b241e93eaf94c8f97255c35d5c31b7159ad5dad55afaaf6fc9bc32

Download Submit
C:\Windows\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe

Filesize
216KB

MD5
cf7e0c5bfba38f75a301b78eaf26578b

SHA1
ae2fafdf7119908315cb894e7be6168a32d82d69

SHA256
cc212fca3c826bea1b4bd2c5ce03aaad5369a4be348a290e2094a91ef5928f81

SHA512
9b998b96acd52e3c19dec9f226310e5df19e1c09f3a3aba929b6be2374e2af93d143061d9cadb2237664a19d73cf712ce378cd1122a7a34a0a8fe8ccab358f2c

Download Submit
C:\Windows\{44609F6A-0182-45bd-A8CA-80A40CA045EC}.exe

Filesize
216KB

MD5
cf7e0c5bfba38f75a301b78eaf26578b

SHA1
ae2fafdf7119908315cb894e7be6168a32d82d69

SHA256
cc212fca3c826bea1b4bd2c5ce03aaad5369a4be348a290e2094a91ef5928f81

SHA512
9b998b96acd52e3c19dec9f226310e5df19e1c09f3a3aba929b6be2374e2af93d143061d9cadb2237664a19d73cf712ce378cd1122a7a34a0a8fe8ccab358f2c

Download Submit
C:\Windows\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe

Filesize
216KB

MD5
cf450951cab027f796f8e503cc28e1d4

SHA1
f09ea42528e22722d3cf2f1cbf7eea97f39af02b

SHA256
ac59ca40d3bfa7fbbc4e03e0009673c1b5a771ab6d16ecb6b9be4c71ab76059e

SHA512
0885a73f4cc9400e0cb7868677c0888428d6e61244fb5f1f1f836e95054219775119ae568c56d0063eb6005f6e262e488e488c57cab3ba518e4acfc1fe28fb0e

Download Submit
C:\Windows\{52B737BA-434F-4485-BBD9-3E8B1DB54C4B}.exe

Filesize
216KB

MD5
cf450951cab027f796f8e503cc28e1d4

SHA1
f09ea42528e22722d3cf2f1cbf7eea97f39af02b

SHA256
ac59ca40d3bfa7fbbc4e03e0009673c1b5a771ab6d16ecb6b9be4c71ab76059e

SHA512
0885a73f4cc9400e0cb7868677c0888428d6e61244fb5f1f1f836e95054219775119ae568c56d0063eb6005f6e262e488e488c57cab3ba518e4acfc1fe28fb0e

Download Submit
C:\Windows\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe

Filesize
216KB

MD5
80e4b73d2a78caf6f7d63e7f0d264292

SHA1
fcb3f7fded1a176f115a18bc51e4ad6e2431718c

SHA256
ea11c9b2b752e6884005afc292d0eab68d26c507d3c44f6731197a4f2b638089

SHA512
e7a32d6788d22ca4c245177e48523c79a402edcfad326c10f2e7c98af33aef6c64d02462c8b1fa7e4693c46fb8b8ba5b39e6732f0c5518523fea5472fc4f5c6a

Download Submit
C:\Windows\{7218BCBB-B4B1-49ca-8545-C72DDB0D5271}.exe

Filesize
216KB

MD5
80e4b73d2a78caf6f7d63e7f0d264292

SHA1
fcb3f7fded1a176f115a18bc51e4ad6e2431718c

SHA256
ea11c9b2b752e6884005afc292d0eab68d26c507d3c44f6731197a4f2b638089

SHA512
e7a32d6788d22ca4c245177e48523c79a402edcfad326c10f2e7c98af33aef6c64d02462c8b1fa7e4693c46fb8b8ba5b39e6732f0c5518523fea5472fc4f5c6a

Download Submit
C:\Windows\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe

Filesize
216KB

MD5
dfbb096ee4994570157aff42aefc3acd

SHA1
ae87b587738e1142b0e4cd96b6ecb2e569c021ee

SHA256
067fe95760c25a0460f4f57b83d51f4f26ce1b7e57fb869a9aa1d5aa3e462c7c

SHA512
8e263c820466de7974feed3d7075a1498c917555e1ebb08065ba4f35236064a6f5a9f042c8b6ef42a77ec9058beedc4457be46ce90bb342e7325dc85ef56d397

Download Submit
C:\Windows\{99ABBA48-F8D5-43c6-A8F7-C08D521987CD}.exe

Filesize
216KB

MD5
dfbb096ee4994570157aff42aefc3acd

SHA1
ae87b587738e1142b0e4cd96b6ecb2e569c021ee

SHA256
067fe95760c25a0460f4f57b83d51f4f26ce1b7e57fb869a9aa1d5aa3e462c7c

SHA512
8e263c820466de7974feed3d7075a1498c917555e1ebb08065ba4f35236064a6f5a9f042c8b6ef42a77ec9058beedc4457be46ce90bb342e7325dc85ef56d397

Download Submit
C:\Windows\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe

Filesize
216KB

MD5
401038f0dba644f95adfda69a55d2ff5

SHA1
816479122993c95d0d974b5c24e4e719ae43b9c4

SHA256
2bd8f81a8118b9bad474fdecf02cf82c68a42f1f74b76c41e525fc9ceed75931

SHA512
dd54df9c6b5e8083f9076e30d42d0889accd3b7b7c054c957b9a7132284f18b9a12cffe88b0ce1033931f3ce293ccf88f151dc1d152ca60881766496018ef8c5

Download Submit
C:\Windows\{99C1C930-13AE-4f3d-B147-2894CC6CACD1}.exe

Filesize
216KB

MD5
401038f0dba644f95adfda69a55d2ff5

SHA1
816479122993c95d0d974b5c24e4e719ae43b9c4

SHA256
2bd8f81a8118b9bad474fdecf02cf82c68a42f1f74b76c41e525fc9ceed75931

SHA512
dd54df9c6b5e8083f9076e30d42d0889accd3b7b7c054c957b9a7132284f18b9a12cffe88b0ce1033931f3ce293ccf88f151dc1d152ca60881766496018ef8c5

Download Submit
C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe

Filesize
216KB

MD5
4c2b1e50e8cbf8887fc8463b87259565

SHA1
db18409d46288d98a08d4d7eeb25e6c077c0ea3e

SHA256
16856cfc01130cbf13b157e928b91baea73a2d4ad2dcfe6632f83803b046698a

SHA512
11fc5508a67e168772681d72e3ae3113a265a0c81ce20e53f0b0a2d144700c5304d230618ecbcbacca59358f3cfcb1f1935c1b5d21d9c9efba575e167f825fb6

Download Submit
C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe

Filesize
216KB

MD5
4c2b1e50e8cbf8887fc8463b87259565

SHA1
db18409d46288d98a08d4d7eeb25e6c077c0ea3e

SHA256
16856cfc01130cbf13b157e928b91baea73a2d4ad2dcfe6632f83803b046698a

SHA512
11fc5508a67e168772681d72e3ae3113a265a0c81ce20e53f0b0a2d144700c5304d230618ecbcbacca59358f3cfcb1f1935c1b5d21d9c9efba575e167f825fb6

Download Submit
C:\Windows\{B2706F43-38BD-4652-AE45-ECD771D146BA}.exe

Filesize
216KB

MD5
4c2b1e50e8cbf8887fc8463b87259565

SHA1
db18409d46288d98a08d4d7eeb25e6c077c0ea3e

SHA256
16856cfc01130cbf13b157e928b91baea73a2d4ad2dcfe6632f83803b046698a

SHA512
11fc5508a67e168772681d72e3ae3113a265a0c81ce20e53f0b0a2d144700c5304d230618ecbcbacca59358f3cfcb1f1935c1b5d21d9c9efba575e167f825fb6

Download Submit
C:\Windows\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe

Filesize
216KB

MD5
bcf48eda0823cef406478e263b1acf6d

SHA1
f4c82261ac780881d69cdf7c4b128b700578a1d8

SHA256
b2f4d9c9b0d8e81081c3a0956b091bb360d86f3de0b6216259b49ef97146860a

SHA512
a92d539e9f0911b57cff00da3c69a1f8a7a1f53203b01edd120de31cbb3463db7ae110a4ec054f7014c09cd8c5b64daad1ff5f66fbbf44930cc99a62b7620114

Download Submit
C:\Windows\{BE7DE3E4-A147-4a4f-8F52-56D5CFBFDD63}.exe

Filesize
216KB

MD5
bcf48eda0823cef406478e263b1acf6d

SHA1
f4c82261ac780881d69cdf7c4b128b700578a1d8

SHA256
b2f4d9c9b0d8e81081c3a0956b091bb360d86f3de0b6216259b49ef97146860a

SHA512
a92d539e9f0911b57cff00da3c69a1f8a7a1f53203b01edd120de31cbb3463db7ae110a4ec054f7014c09cd8c5b64daad1ff5f66fbbf44930cc99a62b7620114

Download Submit
C:\Windows\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe

Filesize
216KB

MD5
344108dc5eb6dee15df54d68a491c110

SHA1
75e6014ad3e5f030e875e7f8ff72c5b29ec40a39

SHA256
3569768efcff73fc7f22b22a5e9e26dc573d5d37c0431394e0562dd4d06df043

SHA512
257cf3de3efde1a2bf9530ec40ed5e2b0121678594d9337356e5872c0e60be9ae02f91cdea68f12c47228aae2a9f898e8f3a3dd2563e94946fbaba2bd17e9a9b

Download Submit
C:\Windows\{DC29243B-11B4-4698-ABDD-1571787DA075}.exe

Filesize
216KB

MD5
344108dc5eb6dee15df54d68a491c110

SHA1
75e6014ad3e5f030e875e7f8ff72c5b29ec40a39

SHA256
3569768efcff73fc7f22b22a5e9e26dc573d5d37c0431394e0562dd4d06df043

SHA512
257cf3de3efde1a2bf9530ec40ed5e2b0121678594d9337356e5872c0e60be9ae02f91cdea68f12c47228aae2a9f898e8f3a3dd2563e94946fbaba2bd17e9a9b

Download Submit
C:\Windows\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe

Filesize
216KB

MD5
53c41a4050ea2ddd3a3425cb4fcd2629

SHA1
bf29d46d0302dbe96b0d16fa923b3de2371d1e9c

SHA256
bb3140597121ce66d17feb2327c5c7d8480891e2d33e5f1adf3e6d1ab3d69bfb

SHA512
89ee1cb7309c20ed9ef00a9a103ec919f0cb92b119bf47ec0773a6b41e33c692d45ed3551c3931054050723e6e47223c6c6f2a215cb76bcea427c78045c8facf

Download Submit
C:\Windows\{F092DC86-2BB1-4cf2-8A51-2AABE86FD0CA}.exe

Filesize
216KB

MD5
53c41a4050ea2ddd3a3425cb4fcd2629

SHA1
bf29d46d0302dbe96b0d16fa923b3de2371d1e9c

SHA256
bb3140597121ce66d17feb2327c5c7d8480891e2d33e5f1adf3e6d1ab3d69bfb

SHA512
89ee1cb7309c20ed9ef00a9a103ec919f0cb92b119bf47ec0773a6b41e33c692d45ed3551c3931054050723e6e47223c6c6f2a215cb76bcea427c78045c8facf

Download Submit
C:\Windows\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe

Filesize
216KB

MD5
de79431f2a2e53cd6b7801c1b0ec56a5

SHA1
183c8488191f65e722b5e1d8fa4bb9e7c8b0ce9c

SHA256
90c9cee39322dcb4ea1768e2df8fd36266998dcf387bbdedb77cf3111754ad02

SHA512
669fb050d5aa75e4479e3ab8128319c383e6e62bba8867632a4f17eb714476e23492a16559d60a1ae0c2ac6f83a334a16ec647b3fd14b0436610997a820a4c8d

Download Submit
C:\Windows\{F865A86C-2390-4d1e-B60F-80892ECE45D1}.exe

Filesize
216KB

MD5
de79431f2a2e53cd6b7801c1b0ec56a5

SHA1
183c8488191f65e722b5e1d8fa4bb9e7c8b0ce9c

SHA256
90c9cee39322dcb4ea1768e2df8fd36266998dcf387bbdedb77cf3111754ad02

SHA512
669fb050d5aa75e4479e3ab8128319c383e6e62bba8867632a4f17eb714476e23492a16559d60a1ae0c2ac6f83a334a16ec647b3fd14b0436610997a820a4c8d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads