6efc46860291a153140982c8c4aa098f5126e05178f461982f2bd17183a60e5e

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Size

408KB
MD5

fdbda32eaf9086a0cb7eea9682664395
SHA1

5b1a827f9a9396e67cb4afd0d36410eebe4770a5
SHA256

6efc46860291a153140982c8c4aa098f5126e05178f461982f2bd17183a60e5e
SHA512

86874256fb80b2f8f460f0d4cb3cb7e74d0da169fb42e808e11c1f79d51122d1f4e2fe412255df071ae4bd3f259fc215dd4d6f30eef14fafca63db21bbf83ec8
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9BE896-E7D8-4d95-893C-2C6F35562380}\stubpath = "C:\\Windows\\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe"	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC434DC-A9DA-4332-8E04-A09D432E6413}\stubpath = "C:\\Windows\\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe"	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}	{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}	{F184102E-6658-401e-810C-4B6309AB7C66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB9BE896-E7D8-4d95-893C-2C6F35562380}	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7E0781-C56D-40f6-ADC7-55F38569291F}	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC434DC-A9DA-4332-8E04-A09D432E6413}	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}\stubpath = "C:\\Windows\\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe"	{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F184102E-6658-401e-810C-4B6309AB7C66}	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F184102E-6658-401e-810C-4B6309AB7C66}\stubpath = "C:\\Windows\\{F184102E-6658-401e-810C-4B6309AB7C66}.exe"	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}\stubpath = "C:\\Windows\\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe"	{F184102E-6658-401e-810C-4B6309AB7C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}\stubpath = "C:\\Windows\\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe"	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}\stubpath = "C:\\Windows\\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe"	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}\stubpath = "C:\\Windows\\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe"	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A76596-2A86-45e3-A409-61E1FBAF6531}	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A76596-2A86-45e3-A409-61E1FBAF6531}\stubpath = "C:\\Windows\\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe"	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EACF2D3A-E43B-4323-9369-25EED36371E7}	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EACF2D3A-E43B-4323-9369-25EED36371E7}\stubpath = "C:\\Windows\\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe"	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}\stubpath = "C:\\Windows\\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe"	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7E0781-C56D-40f6-ADC7-55F38569291F}\stubpath = "C:\\Windows\\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe"	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe

Executes dropped EXE 12 IoCs

pid	Process
1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe
1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
2388	{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
4480	{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
File created	C:\Windows\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
File created	C:\Windows\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
File created	C:\Windows\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
File created	C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
File created	C:\Windows\{F184102E-6658-401e-810C-4B6309AB7C66}.exe	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
File created	C:\Windows\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	{F184102E-6658-401e-810C-4B6309AB7C66}.exe
File created	C:\Windows\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
File created	C:\Windows\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
File created	C:\Windows\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
File created	C:\Windows\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe	{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
File created	C:\Windows\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
Token: SeIncBasePriorityPrivilege	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
Token: SeIncBasePriorityPrivilege	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
Token: SeIncBasePriorityPrivilege	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe
Token: SeIncBasePriorityPrivilege	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
Token: SeIncBasePriorityPrivilege	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
Token: SeIncBasePriorityPrivilege	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
Token: SeIncBasePriorityPrivilege	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
Token: SeIncBasePriorityPrivilege	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
Token: SeIncBasePriorityPrivilege	4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
Token: SeIncBasePriorityPrivilege	2388	{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1676	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	89
PID 4528 wrote to memory of 1676	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	89
PID 4528 wrote to memory of 1676	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	89
PID 4528 wrote to memory of 2056	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	90
PID 4528 wrote to memory of 2056	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	90
PID 4528 wrote to memory of 2056	4528	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	90
PID 1676 wrote to memory of 1468	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	93
PID 1676 wrote to memory of 1468	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	93
PID 1676 wrote to memory of 1468	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	93
PID 1676 wrote to memory of 3664	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	94
PID 1676 wrote to memory of 3664	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	94
PID 1676 wrote to memory of 3664	1676	{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe	94
PID 1468 wrote to memory of 1888	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	97
PID 1468 wrote to memory of 1888	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	97
PID 1468 wrote to memory of 1888	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	97
PID 1468 wrote to memory of 2596	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	98
PID 1468 wrote to memory of 2596	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	98
PID 1468 wrote to memory of 2596	1468	{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe	98
PID 1888 wrote to memory of 4464	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	102
PID 1888 wrote to memory of 4464	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	102
PID 1888 wrote to memory of 4464	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	102
PID 1888 wrote to memory of 4116	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	103
PID 1888 wrote to memory of 4116	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	103
PID 1888 wrote to memory of 4116	1888	{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe	103
PID 4464 wrote to memory of 1516	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	104
PID 4464 wrote to memory of 1516	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	104
PID 4464 wrote to memory of 1516	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	104
PID 4464 wrote to memory of 2628	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	105
PID 4464 wrote to memory of 2628	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	105
PID 4464 wrote to memory of 2628	4464	{F184102E-6658-401e-810C-4B6309AB7C66}.exe	105
PID 1516 wrote to memory of 772	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	107
PID 1516 wrote to memory of 772	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	107
PID 1516 wrote to memory of 772	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	107
PID 1516 wrote to memory of 1784	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	108
PID 1516 wrote to memory of 1784	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	108
PID 1516 wrote to memory of 1784	1516	{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe	108
PID 772 wrote to memory of 3492	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	109
PID 772 wrote to memory of 3492	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	109
PID 772 wrote to memory of 3492	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	109
PID 772 wrote to memory of 3116	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	110
PID 772 wrote to memory of 3116	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	110
PID 772 wrote to memory of 3116	772	{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe	110
PID 3492 wrote to memory of 5068	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	111
PID 3492 wrote to memory of 5068	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	111
PID 3492 wrote to memory of 5068	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	111
PID 3492 wrote to memory of 1812	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	112
PID 3492 wrote to memory of 1812	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	112
PID 3492 wrote to memory of 1812	3492	{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe	112
PID 5068 wrote to memory of 4708	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	113
PID 5068 wrote to memory of 4708	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	113
PID 5068 wrote to memory of 4708	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	113
PID 5068 wrote to memory of 1872	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	114
PID 5068 wrote to memory of 1872	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	114
PID 5068 wrote to memory of 1872	5068	{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe	114
PID 4708 wrote to memory of 4924	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	115
PID 4708 wrote to memory of 4924	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	115
PID 4708 wrote to memory of 4924	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	115
PID 4708 wrote to memory of 2496	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	116
PID 4708 wrote to memory of 2496	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	116
PID 4708 wrote to memory of 2496	4708	{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe	116
PID 4924 wrote to memory of 2388	4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe	117
PID 4924 wrote to memory of 2388	4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe	117
PID 4924 wrote to memory of 2388	4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe	117
PID 4924 wrote to memory of 3732	4924	{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe	118

C:\Users\Admin\AppData\Local\Temp\fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
  C:\Windows\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
    C:\Windows\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
      C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\{F184102E-6658-401e-810C-4B6309AB7C66}.exe
        
        C:\Windows\{F184102E-6658-401e-810C-4B6309AB7C66}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
        
        C:\Windows\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
        
        C:\Windows\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
        
        C:\Windows\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
        
        C:\Windows\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
        
        C:\Windows\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
        
        C:\Windows\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
        
        C:\Windows\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe
        
        C:\Windows\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7D1~1.EXE > nul
        13⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC43~1.EXE > nul
        12⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E4A~1.EXE > nul
        11⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C7E0~1.EXE > nul
        10⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E1C~1.EXE > nul
        9⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB9BE~1.EXE > nul
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6419~1.EXE > nul
        7⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1841~1.EXE > nul
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{619DE~1.EXE > nul
        5⤵
        
        PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EACF2~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4A76~1.EXE > nul
    3⤵
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDBDA3~1.EXE > nul
  2⤵
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe

Filesize
408KB

MD5
bea386dc1d2258bd866c325acabec359

SHA1
2b486bd32f19ab679e08076a334bef290878c4ac

SHA256
f6e210442a1a3ea668a32952932c630d7564767b1dc4c333906aee4b07699552

SHA512
1d1c16e12775a4dfed492a5b585ce2f7bb54369b8d13207145846ee3befb1cbe79b8c9b5e92b62e8428bef83608db70f6cefa26df92b59b661b1da2f2200cfff

Download Submit
C:\Windows\{1C7E0781-C56D-40f6-ADC7-55F38569291F}.exe

Filesize
408KB

MD5
bea386dc1d2258bd866c325acabec359

SHA1
2b486bd32f19ab679e08076a334bef290878c4ac

SHA256
f6e210442a1a3ea668a32952932c630d7564767b1dc4c333906aee4b07699552

SHA512
1d1c16e12775a4dfed492a5b585ce2f7bb54369b8d13207145846ee3befb1cbe79b8c9b5e92b62e8428bef83608db70f6cefa26df92b59b661b1da2f2200cfff

Download Submit
C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe

Filesize
408KB

MD5
72c9791a173adc5e0b928f115ebcf1d0

SHA1
c57a5a082132323eab825685f5d7133e969429d6

SHA256
08df0553b8bfc552be63ba0bfe3526b818a818e7f43076d0c854f7f1a98c824e

SHA512
e85a25e46b06ceeb288cfadd19fa8a8246cc20f9ccf939d03521d0a5de53fe2ddf43ed2e50da07c1fb5d6c8a42a7274b84929c0194490ffa978b770d0558bbcc

Download Submit
C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe

Filesize
408KB

MD5
72c9791a173adc5e0b928f115ebcf1d0

SHA1
c57a5a082132323eab825685f5d7133e969429d6

SHA256
08df0553b8bfc552be63ba0bfe3526b818a818e7f43076d0c854f7f1a98c824e

SHA512
e85a25e46b06ceeb288cfadd19fa8a8246cc20f9ccf939d03521d0a5de53fe2ddf43ed2e50da07c1fb5d6c8a42a7274b84929c0194490ffa978b770d0558bbcc

Download Submit
C:\Windows\{619DE30F-995C-4c80-89EE-FBC6FECFBBF9}.exe

Filesize
408KB

MD5
72c9791a173adc5e0b928f115ebcf1d0

SHA1
c57a5a082132323eab825685f5d7133e969429d6

SHA256
08df0553b8bfc552be63ba0bfe3526b818a818e7f43076d0c854f7f1a98c824e

SHA512
e85a25e46b06ceeb288cfadd19fa8a8246cc20f9ccf939d03521d0a5de53fe2ddf43ed2e50da07c1fb5d6c8a42a7274b84929c0194490ffa978b770d0558bbcc

Download Submit
C:\Windows\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe

Filesize
408KB

MD5
4a06df2ad80e93cb83b34db82443bb96

SHA1
adf3de1fb9673491ad5d22c996f63b9386557ea9

SHA256
7df6fb3cad15c721ca41d1e05be6fbf970515fa6d3cd9dd1cec51f3c59f02847

SHA512
b5aa86529109fa6a1ba11b7b60643d3f08208758289a273faaa3a0d5992c026b689ebfc395e58eb612b02524bbe88533e049cf687bbb19e126eaa413d2053e70

Download Submit
C:\Windows\{75E1C3DD-2F62-4763-A8EC-3D9265946BD3}.exe

Filesize
408KB

MD5
4a06df2ad80e93cb83b34db82443bb96

SHA1
adf3de1fb9673491ad5d22c996f63b9386557ea9

SHA256
7df6fb3cad15c721ca41d1e05be6fbf970515fa6d3cd9dd1cec51f3c59f02847

SHA512
b5aa86529109fa6a1ba11b7b60643d3f08208758289a273faaa3a0d5992c026b689ebfc395e58eb612b02524bbe88533e049cf687bbb19e126eaa413d2053e70

Download Submit
C:\Windows\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe

Filesize
408KB

MD5
34500e7c503026e7eaf925319dfa3133

SHA1
705c9e23194a53f884f06d09000a5d49cac50bbd

SHA256
4b0d5fca73e2b8142128e65a18b03253a4f1e302cc435ce87d51f1cfdde3892e

SHA512
4050b9cabde07bc4b108a5470bef1b71147ebad77c171a720a5b09880826f7444206e6176fb3d03f734cc92d64816b89af6d5b5702e787cf2518e473dcd892f0

Download Submit
C:\Windows\{AB9BE896-E7D8-4d95-893C-2C6F35562380}.exe

Filesize
408KB

MD5
34500e7c503026e7eaf925319dfa3133

SHA1
705c9e23194a53f884f06d09000a5d49cac50bbd

SHA256
4b0d5fca73e2b8142128e65a18b03253a4f1e302cc435ce87d51f1cfdde3892e

SHA512
4050b9cabde07bc4b108a5470bef1b71147ebad77c171a720a5b09880826f7444206e6176fb3d03f734cc92d64816b89af6d5b5702e787cf2518e473dcd892f0

Download Submit
C:\Windows\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe

Filesize
408KB

MD5
a284fec79ad0725e7dd69b02fa1de1ac

SHA1
a5fefc11c8528837edba713bc13e7fe36c747f3a

SHA256
8051b7a25c00f7f91b1234f3c73d9252af8026cce16c666583be58171b9e6d6c

SHA512
277db5f1a5d6562cb85dda2d24d39e5a71c02be8c63cb4346fb106b4dd068e5a464371f7209571410cce13a0296811fe39de616e4f91839eab340a1433d0bfda

Download Submit
C:\Windows\{B64191C8-0E0C-462d-9C4D-29D53EDE0A92}.exe

Filesize
408KB

MD5
a284fec79ad0725e7dd69b02fa1de1ac

SHA1
a5fefc11c8528837edba713bc13e7fe36c747f3a

SHA256
8051b7a25c00f7f91b1234f3c73d9252af8026cce16c666583be58171b9e6d6c

SHA512
277db5f1a5d6562cb85dda2d24d39e5a71c02be8c63cb4346fb106b4dd068e5a464371f7209571410cce13a0296811fe39de616e4f91839eab340a1433d0bfda

Download Submit
C:\Windows\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe

Filesize
408KB

MD5
5af38bdda0b7e1e871902543051e1b68

SHA1
7a4092ac302af8b57373d8b77cc0adfadf35a5b6

SHA256
82f2f3d63a2ea7dd090a597fb7c6ae10319a906dac9b8fc4f16623a8a837b524

SHA512
bdd9a475e56ee51f0e568d62a1ac4561bb4741317bd2b8860bf54ece510dab05bdf762dadb4d4f4e231e654e6956d4b24f8e06c8c533fa693e6100a9a28e633d

Download Submit
C:\Windows\{BCC434DC-A9DA-4332-8E04-A09D432E6413}.exe

Filesize
408KB

MD5
5af38bdda0b7e1e871902543051e1b68

SHA1
7a4092ac302af8b57373d8b77cc0adfadf35a5b6

SHA256
82f2f3d63a2ea7dd090a597fb7c6ae10319a906dac9b8fc4f16623a8a837b524

SHA512
bdd9a475e56ee51f0e568d62a1ac4561bb4741317bd2b8860bf54ece510dab05bdf762dadb4d4f4e231e654e6956d4b24f8e06c8c533fa693e6100a9a28e633d

Download Submit
C:\Windows\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe

Filesize
408KB

MD5
63d9e5257288e54c0400e08064580ebe

SHA1
c304dd36795a6b7ad7318d0eb16ab1c4477fcb08

SHA256
a73f4638ac8abeeff9c3b2d359056c4739e3198c6257c82e81d8535ae65230c2

SHA512
1a383d6de4236892332d70dd2e47a5cdc164e6025f9c1ed41fc4eae2a19c41f49088bcda27c300d5ead0f70364a7cb3130293252a1bfd94a516cd2097e7360cb

Download Submit
C:\Windows\{E4A76596-2A86-45e3-A409-61E1FBAF6531}.exe

Filesize
408KB

MD5
63d9e5257288e54c0400e08064580ebe

SHA1
c304dd36795a6b7ad7318d0eb16ab1c4477fcb08

SHA256
a73f4638ac8abeeff9c3b2d359056c4739e3198c6257c82e81d8535ae65230c2

SHA512
1a383d6de4236892332d70dd2e47a5cdc164e6025f9c1ed41fc4eae2a19c41f49088bcda27c300d5ead0f70364a7cb3130293252a1bfd94a516cd2097e7360cb

Download Submit
C:\Windows\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe

Filesize
408KB

MD5
5d93debb339585f7b16ea0bc1d206ae2

SHA1
c5a5656bb8ed6a04b147eaf3d5fe7f8c039fca8b

SHA256
d98c3055b6304fbd73a9d4b55350a7f8ab3be9ea7f5ea2914d672be9177c2246

SHA512
d17ff103e94b3e5fc12667d4536914d141acac9fbe8f2dc4000199c1ed9dbf281af17473834412c79764be1bac95b3086d7eac6c649ab07c60349cf1aba7ea60

Download Submit
C:\Windows\{EACF2D3A-E43B-4323-9369-25EED36371E7}.exe

Filesize
408KB

MD5
5d93debb339585f7b16ea0bc1d206ae2

SHA1
c5a5656bb8ed6a04b147eaf3d5fe7f8c039fca8b

SHA256
d98c3055b6304fbd73a9d4b55350a7f8ab3be9ea7f5ea2914d672be9177c2246

SHA512
d17ff103e94b3e5fc12667d4536914d141acac9fbe8f2dc4000199c1ed9dbf281af17473834412c79764be1bac95b3086d7eac6c649ab07c60349cf1aba7ea60

Download Submit
C:\Windows\{F184102E-6658-401e-810C-4B6309AB7C66}.exe

Filesize
408KB

MD5
dd245cf437a6bb3298905eaec1571329

SHA1
bfcd871087bc0dfe1ea8ed236d5b946eb760be9c

SHA256
8adc10309fe372ae90cea744552b82ad3b5148456be8be86427905aecdd872c8

SHA512
45d07fc4e710a59f7a6a0b4a697ffb28dd1c1d413563188fd22f54e1f535bebb7b1c67b44addd94316c08f5f6616d7e6714b6fbf01d94281759f61e4da326b1c

Download Submit
C:\Windows\{F184102E-6658-401e-810C-4B6309AB7C66}.exe

Filesize
408KB

MD5
dd245cf437a6bb3298905eaec1571329

SHA1
bfcd871087bc0dfe1ea8ed236d5b946eb760be9c

SHA256
8adc10309fe372ae90cea744552b82ad3b5148456be8be86427905aecdd872c8

SHA512
45d07fc4e710a59f7a6a0b4a697ffb28dd1c1d413563188fd22f54e1f535bebb7b1c67b44addd94316c08f5f6616d7e6714b6fbf01d94281759f61e4da326b1c

Download Submit
C:\Windows\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe

Filesize
408KB

MD5
4c385cb133aa42ff2102739b583ebe5f

SHA1
5dc4e97b231980c168a0abdacf8dfe19b84fa97f

SHA256
9ca321d3bd2b74fb7cf1d3994524f4628b5b4f383b561238851edf784f7f9f43

SHA512
50ba52d3cec8df5ee758ca609d3970d9e2f551d7e66d6748d743639731ae7a80c0570c452121be26e740c7f7b37362fe3b74f96f520bff920ad7e670526c1739

Download Submit
C:\Windows\{F3E4ADA3-D84E-4575-ADC7-39272F46FD5A}.exe

Filesize
408KB

MD5
4c385cb133aa42ff2102739b583ebe5f

SHA1
5dc4e97b231980c168a0abdacf8dfe19b84fa97f

SHA256
9ca321d3bd2b74fb7cf1d3994524f4628b5b4f383b561238851edf784f7f9f43

SHA512
50ba52d3cec8df5ee758ca609d3970d9e2f551d7e66d6748d743639731ae7a80c0570c452121be26e740c7f7b37362fe3b74f96f520bff920ad7e670526c1739

Download Submit
C:\Windows\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe

Filesize
408KB

MD5
cd3c61a9660612c5ebf3a882c9ffab72

SHA1
38599a15fd3114743b567acdb19a67e8f77f4f09

SHA256
f0b6daeab3b6ebe9cc27be8ad85cfc6300e27c98277b1a59179b9ab49480bc54

SHA512
fa985bbe317ba66ec72f6f031b16f1668a8d1b737034704fcd433f3f5a7019ff5431f03fe88fb3d90b785aa84a00ae86838f5d7f4b5bb30fc1c8b1f3aab3ef4d

Download Submit
C:\Windows\{FB9F2CA1-BF5D-47bb-BD88-AF41EE2498E6}.exe

Filesize
408KB

MD5
cd3c61a9660612c5ebf3a882c9ffab72

SHA1
38599a15fd3114743b567acdb19a67e8f77f4f09

SHA256
f0b6daeab3b6ebe9cc27be8ad85cfc6300e27c98277b1a59179b9ab49480bc54

SHA512
fa985bbe317ba66ec72f6f031b16f1668a8d1b737034704fcd433f3f5a7019ff5431f03fe88fb3d90b785aa84a00ae86838f5d7f4b5bb30fc1c8b1f3aab3ef4d

Download Submit
C:\Windows\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe

Filesize
408KB

MD5
b15f3dad11d7ffdcfffacf62c54352a6

SHA1
de12daa2e460a4d7d7a96a2bb39459894a818b3d

SHA256
bb34fed573268dd11dcfb3c95134fdd3bdf80228e00ce011309d4e27dac5eeaa

SHA512
510d7cd8a33d308ee973cf54846f70eceadd6d77e0ff1c4a7c4422b794d06ea2cda78400a0862063b5cf5f4698dcdfa30c0b6525dc901510587111993c94a7e2

Download Submit
C:\Windows\{FD7D1D3A-28F9-4ee9-AC8A-59B5126E3CAE}.exe

Filesize
408KB

MD5
b15f3dad11d7ffdcfffacf62c54352a6

SHA1
de12daa2e460a4d7d7a96a2bb39459894a818b3d

SHA256
bb34fed573268dd11dcfb3c95134fdd3bdf80228e00ce011309d4e27dac5eeaa

SHA512
510d7cd8a33d308ee973cf54846f70eceadd6d77e0ff1c4a7c4422b794d06ea2cda78400a0862063b5cf5f4698dcdfa30c0b6525dc901510587111993c94a7e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads