a9e70626ad9eb370d7d96e5bfa7cfc89430e220e7e04f144b2f28b0f20286629

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 12:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Size

380KB
MD5

3bd2c1b130b1eb1b68ef74b8910261d3
SHA1

61eccbe8077e768b313c05501d4228ced2ec533c
SHA256

a9e70626ad9eb370d7d96e5bfa7cfc89430e220e7e04f144b2f28b0f20286629
SHA512

35d78cd3d091322b605b9056718371eaa545d9e44fe61158a815849f54e9876a1dbd30d5b08f8c4c1c05fbc7ff1370a61e19ee2c3aa91926dd90d254aea0c18a
SSDEEP

3072:mEGh0oJlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}\stubpath = "C:\\Windows\\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe"	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}\stubpath = "C:\\Windows\\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe"	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAC43986-B624-422b-BB73-DF58B98AA817}\stubpath = "C:\\Windows\\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe"	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}\stubpath = "C:\\Windows\\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe"	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}	{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}\stubpath = "C:\\Windows\\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe"	{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48908D67-4AF6-4585-BF1C-073353922617}	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}	{48908D67-4AF6-4585-BF1C-073353922617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAC43986-B624-422b-BB73-DF58B98AA817}	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DFD796C-9F61-4035-B548-F4C4159553D0}	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2404A355-A3C6-4355-83DD-E694855ECC02}\stubpath = "C:\\Windows\\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe"	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}\stubpath = "C:\\Windows\\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe"	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}\stubpath = "C:\\Windows\\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe"	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48908D67-4AF6-4585-BF1C-073353922617}\stubpath = "C:\\Windows\\{48908D67-4AF6-4585-BF1C-073353922617}.exe"	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}\stubpath = "C:\\Windows\\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe"	{48908D67-4AF6-4585-BF1C-073353922617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2404A355-A3C6-4355-83DD-E694855ECC02}	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}\stubpath = "C:\\Windows\\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe"	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DFD796C-9F61-4035-B548-F4C4159553D0}\stubpath = "C:\\Windows\\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe"	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe

Executes dropped EXE 12 IoCs

pid	Process
4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe
224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
5100	{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
780	{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
File created	C:\Windows\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
File created	C:\Windows\{48908D67-4AF6-4585-BF1C-073353922617}.exe	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
File created	C:\Windows\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	{48908D67-4AF6-4585-BF1C-073353922617}.exe
File created	C:\Windows\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
File created	C:\Windows\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
File created	C:\Windows\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
File created	C:\Windows\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
File created	C:\Windows\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
File created	C:\Windows\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
File created	C:\Windows\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe	{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
File created	C:\Windows\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
Token: SeIncBasePriorityPrivilege	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
Token: SeIncBasePriorityPrivilege	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
Token: SeIncBasePriorityPrivilege	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
Token: SeIncBasePriorityPrivilege	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe
Token: SeIncBasePriorityPrivilege	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
Token: SeIncBasePriorityPrivilege	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
Token: SeIncBasePriorityPrivilege	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
Token: SeIncBasePriorityPrivilege	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
Token: SeIncBasePriorityPrivilege	4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
Token: SeIncBasePriorityPrivilege	5100	{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4832	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	87
PID 716 wrote to memory of 4832	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	87
PID 716 wrote to memory of 4832	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	87
PID 716 wrote to memory of 2728	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	88
PID 716 wrote to memory of 2728	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	88
PID 716 wrote to memory of 2728	716	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	88
PID 4832 wrote to memory of 3392	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	91
PID 4832 wrote to memory of 3392	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	91
PID 4832 wrote to memory of 3392	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	91
PID 4832 wrote to memory of 2192	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	92
PID 4832 wrote to memory of 2192	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	92
PID 4832 wrote to memory of 2192	4832	{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe	92
PID 3392 wrote to memory of 2236	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	94
PID 3392 wrote to memory of 2236	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	94
PID 3392 wrote to memory of 2236	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	94
PID 3392 wrote to memory of 3712	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	95
PID 3392 wrote to memory of 3712	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	95
PID 3392 wrote to memory of 3712	3392	{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe	95
PID 2236 wrote to memory of 4996	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	96
PID 2236 wrote to memory of 4996	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	96
PID 2236 wrote to memory of 4996	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	96
PID 2236 wrote to memory of 444	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	97
PID 2236 wrote to memory of 444	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	97
PID 2236 wrote to memory of 444	2236	{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe	97
PID 4996 wrote to memory of 3972	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	98
PID 4996 wrote to memory of 3972	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	98
PID 4996 wrote to memory of 3972	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	98
PID 4996 wrote to memory of 3116	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	99
PID 4996 wrote to memory of 3116	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	99
PID 4996 wrote to memory of 3116	4996	{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe	99
PID 3972 wrote to memory of 224	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	100
PID 3972 wrote to memory of 224	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	100
PID 3972 wrote to memory of 224	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	100
PID 3972 wrote to memory of 3872	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	101
PID 3972 wrote to memory of 3872	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	101
PID 3972 wrote to memory of 3872	3972	{48908D67-4AF6-4585-BF1C-073353922617}.exe	101
PID 224 wrote to memory of 4908	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	102
PID 224 wrote to memory of 4908	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	102
PID 224 wrote to memory of 4908	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	102
PID 224 wrote to memory of 1324	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	103
PID 224 wrote to memory of 1324	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	103
PID 224 wrote to memory of 1324	224	{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe	103
PID 4908 wrote to memory of 1640	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	104
PID 4908 wrote to memory of 1640	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	104
PID 4908 wrote to memory of 1640	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	104
PID 4908 wrote to memory of 212	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	105
PID 4908 wrote to memory of 212	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	105
PID 4908 wrote to memory of 212	4908	{FAC43986-B624-422b-BB73-DF58B98AA817}.exe	105
PID 1640 wrote to memory of 4108	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	106
PID 1640 wrote to memory of 4108	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	106
PID 1640 wrote to memory of 4108	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	106
PID 1640 wrote to memory of 2016	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	107
PID 1640 wrote to memory of 2016	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	107
PID 1640 wrote to memory of 2016	1640	{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe	107
PID 4108 wrote to memory of 4724	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	108
PID 4108 wrote to memory of 4724	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	108
PID 4108 wrote to memory of 4724	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	108
PID 4108 wrote to memory of 4112	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	109
PID 4108 wrote to memory of 4112	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	109
PID 4108 wrote to memory of 4112	4108	{2404A355-A3C6-4355-83DD-E694855ECC02}.exe	109
PID 4724 wrote to memory of 5100	4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe	111
PID 4724 wrote to memory of 5100	4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe	111
PID 4724 wrote to memory of 5100	4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe	111
PID 4724 wrote to memory of 3520	4724	{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe	110

C:\Users\Admin\AppData\Local\Temp\3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
  C:\Windows\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
    C:\Windows\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
      C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
        
        C:\Windows\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Windows\{48908D67-4AF6-4585-BF1C-073353922617}.exe
        
        C:\Windows\{48908D67-4AF6-4585-BF1C-073353922617}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
        
        C:\Windows\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
        
        C:\Windows\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
        
        C:\Windows\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
        
        C:\Windows\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
        
        C:\Windows\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8740B~1.EXE > nul
        12⤵
        
        PID:3520
        
        C:\Windows\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
        
        C:\Windows\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe
        
        C:\Windows\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe
        13⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DFD7~1.EXE > nul
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2404A~1.EXE > nul
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16C6E~1.EXE > nul
        10⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC43~1.EXE > nul
        9⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0EF~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48908~1.EXE > nul
        7⤵
        
        PID:3872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E0E~1.EXE > nul
        6⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BACFE~1.EXE > nul
        5⤵
        
        PID:444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80250~1.EXE > nul
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03224~1.EXE > nul
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3BD2C1~1.EXE > nul
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe

Filesize
380KB

MD5
f185b755a8db12b6e7f60aa08953bcb6

SHA1
f5eaa98cefdb57f66fa6742e3a30ef2a30087824

SHA256
9a4d9a40cc070cc1db44f7befd1650faa524252fcc0bc4b14312e8acd1de9111

SHA512
c2ba7c416a57a715a9b597322acbf50e35e2a1b823a6f901e9bb0451d329dec6934eb68379a12ced6e52ed7c694026a8dbbcb0e1366c82e5a41ea42c85230fd2

Download Submit
C:\Windows\{032244F0-BF07-4fdc-97E3-1F1B5E73B69D}.exe

Filesize
380KB

MD5
f185b755a8db12b6e7f60aa08953bcb6

SHA1
f5eaa98cefdb57f66fa6742e3a30ef2a30087824

SHA256
9a4d9a40cc070cc1db44f7befd1650faa524252fcc0bc4b14312e8acd1de9111

SHA512
c2ba7c416a57a715a9b597322acbf50e35e2a1b823a6f901e9bb0451d329dec6934eb68379a12ced6e52ed7c694026a8dbbcb0e1366c82e5a41ea42c85230fd2

Download Submit
C:\Windows\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe

Filesize
380KB

MD5
4828778c65893cfb089ab3a68600633c

SHA1
6bf4cc22031fd2727352cf5708da6c3281a8eee7

SHA256
32455c1c96ea67ae918819a0e6951d77a4110820a4bb873418d9adeb5285cdfc

SHA512
7de9ebadfaf0e607c456d822f3f4e874a16928fef6a0dfa6bf841df08bc9872a652bc455493f06bed890ddf5e183927e0b667f6ad74d5d7c15bc39b8f467de65

Download Submit
C:\Windows\{16C6EC4A-FBFA-42e3-BA33-DCF5B76ACBC5}.exe

Filesize
380KB

MD5
4828778c65893cfb089ab3a68600633c

SHA1
6bf4cc22031fd2727352cf5708da6c3281a8eee7

SHA256
32455c1c96ea67ae918819a0e6951d77a4110820a4bb873418d9adeb5285cdfc

SHA512
7de9ebadfaf0e607c456d822f3f4e874a16928fef6a0dfa6bf841df08bc9872a652bc455493f06bed890ddf5e183927e0b667f6ad74d5d7c15bc39b8f467de65

Download Submit
C:\Windows\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe

Filesize
380KB

MD5
b02c5c77af28acfc1b594ae7cd2ec6e8

SHA1
fecbb30206f367a6e8105a0c8a40897917d20561

SHA256
85939b9904ef56dd321f9504bf4452fb5a7c093290b77da5a3074808e7b823e6

SHA512
e0505f01f217a6d7dc87fdb862bee6d118191e65133f6f272066f4ed31cf00bf7aa40d6762108f52e580b5b11d6e103ccc1dfdb16230dcaafcdfdcceea9aed17

Download Submit
C:\Windows\{2404A355-A3C6-4355-83DD-E694855ECC02}.exe

Filesize
380KB

MD5
b02c5c77af28acfc1b594ae7cd2ec6e8

SHA1
fecbb30206f367a6e8105a0c8a40897917d20561

SHA256
85939b9904ef56dd321f9504bf4452fb5a7c093290b77da5a3074808e7b823e6

SHA512
e0505f01f217a6d7dc87fdb862bee6d118191e65133f6f272066f4ed31cf00bf7aa40d6762108f52e580b5b11d6e103ccc1dfdb16230dcaafcdfdcceea9aed17

Download Submit
C:\Windows\{48908D67-4AF6-4585-BF1C-073353922617}.exe

Filesize
380KB

MD5
8ede7bb02e8418b1b55b87c56c521105

SHA1
9900c0c59e43f1921b7374672a36644248997a9a

SHA256
6ddc9f7dabd3c379254ecbf555ba654b2d17541d5ae7f7e758a54433b9bbedea

SHA512
b134209caada1b95477115f89999eb347d1cf76fd792ab2c3d84192dd35484907b5728210b44c653f80665cd4ca0d981a7279145d90d1330e9581e3ce75e3a57

Download Submit
C:\Windows\{48908D67-4AF6-4585-BF1C-073353922617}.exe

Filesize
380KB

MD5
8ede7bb02e8418b1b55b87c56c521105

SHA1
9900c0c59e43f1921b7374672a36644248997a9a

SHA256
6ddc9f7dabd3c379254ecbf555ba654b2d17541d5ae7f7e758a54433b9bbedea

SHA512
b134209caada1b95477115f89999eb347d1cf76fd792ab2c3d84192dd35484907b5728210b44c653f80665cd4ca0d981a7279145d90d1330e9581e3ce75e3a57

Download Submit
C:\Windows\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe

Filesize
380KB

MD5
2af216f410b1ca09786d288b53b25606

SHA1
e62ad5890cb0769cf340e3bc7e7d900b54312439

SHA256
14ec7e997628dac6080d8e67e7ee2b5b441abab51e1dbdc8912284c1d9319a5b

SHA512
7b7edb52e99d8b018b7f85f939a0d9c67075d0d64e7bd25d64ecd0d75bce13e6eb0d4e51d13ebb553f2e5484704b18cf89f60fc9a11ce3bcba0963b253e84e18

Download Submit
C:\Windows\{5DFD796C-9F61-4035-B548-F4C4159553D0}.exe

Filesize
380KB

MD5
2af216f410b1ca09786d288b53b25606

SHA1
e62ad5890cb0769cf340e3bc7e7d900b54312439

SHA256
14ec7e997628dac6080d8e67e7ee2b5b441abab51e1dbdc8912284c1d9319a5b

SHA512
7b7edb52e99d8b018b7f85f939a0d9c67075d0d64e7bd25d64ecd0d75bce13e6eb0d4e51d13ebb553f2e5484704b18cf89f60fc9a11ce3bcba0963b253e84e18

Download Submit
C:\Windows\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe

Filesize
380KB

MD5
2b769c7fbfdccf813ea1e1f7700716d1

SHA1
ee032222dda21936490deb123820ef9efa9c4a1f

SHA256
420cb2db9335f014ba3e0fadce525d5c9fdd5b2209c1235819add9f5e9127fd1

SHA512
641dd6533ae3714c586edf14e84682f1c00705b6be4f6a0bf5d1136e8aebb684af945f1b25348fe60db9af32a9dc7079bacf835cba855cef28846057eaca2fa7

Download Submit
C:\Windows\{80250CA4-EE72-4f23-AC77-6B50EB2B7610}.exe

Filesize
380KB

MD5
2b769c7fbfdccf813ea1e1f7700716d1

SHA1
ee032222dda21936490deb123820ef9efa9c4a1f

SHA256
420cb2db9335f014ba3e0fadce525d5c9fdd5b2209c1235819add9f5e9127fd1

SHA512
641dd6533ae3714c586edf14e84682f1c00705b6be4f6a0bf5d1136e8aebb684af945f1b25348fe60db9af32a9dc7079bacf835cba855cef28846057eaca2fa7

Download Submit
C:\Windows\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe

Filesize
380KB

MD5
8369dbaff0f1870205d283b516ac334a

SHA1
e8a7ba81b84f23d40de184244c399fd3aec3e89e

SHA256
3b3cc8092d1eec6e16360e796a8638f77970c276a9149cd13aa2353e425c28a9

SHA512
fa9a5f1c3088c178fa86106b8f3ef36cc5e0a5af53e0f9df16329dcd876dbb5ef979b3e1f4a8431e485691e7f7e7cc77011430d5b60651b0b446f5b0c004721d

Download Submit
C:\Windows\{8740BD63-83B7-4f24-B2DD-A9D58AC06C61}.exe

Filesize
380KB

MD5
8369dbaff0f1870205d283b516ac334a

SHA1
e8a7ba81b84f23d40de184244c399fd3aec3e89e

SHA256
3b3cc8092d1eec6e16360e796a8638f77970c276a9149cd13aa2353e425c28a9

SHA512
fa9a5f1c3088c178fa86106b8f3ef36cc5e0a5af53e0f9df16329dcd876dbb5ef979b3e1f4a8431e485691e7f7e7cc77011430d5b60651b0b446f5b0c004721d

Download Submit
C:\Windows\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe

Filesize
380KB

MD5
ea2838f5c3522c3c7a7d7203a5571977

SHA1
d6066f1888f7727db4d7c0b46498cafe350bfb81

SHA256
892a0147b745b4003431258657aea316641d8abbf38e247a576319e459be74ee

SHA512
4f46edce26439e3dbb26858f7abe41c284aa4049dd6e7597c48526e95f24d97f75a36d475bec7605e01e8033ec32e2f70e36b873d238f75ae5e40f2be2099155

Download Submit
C:\Windows\{A1E0E7BB-0278-4097-AD10-3B4ACE01C7EA}.exe

Filesize
380KB

MD5
ea2838f5c3522c3c7a7d7203a5571977

SHA1
d6066f1888f7727db4d7c0b46498cafe350bfb81

SHA256
892a0147b745b4003431258657aea316641d8abbf38e247a576319e459be74ee

SHA512
4f46edce26439e3dbb26858f7abe41c284aa4049dd6e7597c48526e95f24d97f75a36d475bec7605e01e8033ec32e2f70e36b873d238f75ae5e40f2be2099155

Download Submit
C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe

Filesize
380KB

MD5
4ada29816cfc1f06316e556a3787db23

SHA1
a9eef25785b47734bc6b5aeeff4a2f779acf4d98

SHA256
7e1661b34c35ce6055bd4ecf08b1668be6308f308012b66b97076aeed9c2c252

SHA512
64384d4d61e9f5b296f6f7764feab49253e8fa7ad13418298ef125ed6b38761d9b0392981d9a0f5c8919e9e63b2802eeb1c96d1ab6ab60007b3ae921c6c696dc

Download Submit
C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe

Filesize
380KB

MD5
4ada29816cfc1f06316e556a3787db23

SHA1
a9eef25785b47734bc6b5aeeff4a2f779acf4d98

SHA256
7e1661b34c35ce6055bd4ecf08b1668be6308f308012b66b97076aeed9c2c252

SHA512
64384d4d61e9f5b296f6f7764feab49253e8fa7ad13418298ef125ed6b38761d9b0392981d9a0f5c8919e9e63b2802eeb1c96d1ab6ab60007b3ae921c6c696dc

Download Submit
C:\Windows\{BACFE0BC-1378-429b-BFCA-2FC94DEF7497}.exe

Filesize
380KB

MD5
4ada29816cfc1f06316e556a3787db23

SHA1
a9eef25785b47734bc6b5aeeff4a2f779acf4d98

SHA256
7e1661b34c35ce6055bd4ecf08b1668be6308f308012b66b97076aeed9c2c252

SHA512
64384d4d61e9f5b296f6f7764feab49253e8fa7ad13418298ef125ed6b38761d9b0392981d9a0f5c8919e9e63b2802eeb1c96d1ab6ab60007b3ae921c6c696dc

Download Submit
C:\Windows\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe

Filesize
380KB

MD5
1378cecb668ee9cdbae013813da9c1dc

SHA1
accb14bb1e2bea2f96311468fd62226720e228aa

SHA256
99d77b33a9b0d4bf255e3cae60cd438b7476559bf602c0463a0326e80673a736

SHA512
6496c31ae32ac86e9fd219bb6182856683a3e00da5e9845d6943f197eaea3001d871a3c1971ba85f5e7d13cf29371b48feaf02ffa5c7d49639393802920b1c2d

Download Submit
C:\Windows\{FAC43986-B624-422b-BB73-DF58B98AA817}.exe

Filesize
380KB

MD5
1378cecb668ee9cdbae013813da9c1dc

SHA1
accb14bb1e2bea2f96311468fd62226720e228aa

SHA256
99d77b33a9b0d4bf255e3cae60cd438b7476559bf602c0463a0326e80673a736

SHA512
6496c31ae32ac86e9fd219bb6182856683a3e00da5e9845d6943f197eaea3001d871a3c1971ba85f5e7d13cf29371b48feaf02ffa5c7d49639393802920b1c2d

Download Submit
C:\Windows\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe

Filesize
380KB

MD5
21ae2d5c1e3dff6ae44a383cfea94cb1

SHA1
a61a7b240939418cf5ec32f639181308e7e8a78c

SHA256
2b56576dd431987fcad7ab8dcb7086a7342ec62db8a7fe9a75602a78c7cd30ba

SHA512
1d5044184c2e9a2d70a884fb34435f705b62fd57cbc57a0d9d7133ac3df315b2502a9ca303c7c2371eb19fa7835394ccd0f38eac2e9f300e956ed8357330bd91

Download Submit
C:\Windows\{FC0EFC99-C7A4-486e-AC3C-51B6CCB2B43D}.exe

Filesize
380KB

MD5
21ae2d5c1e3dff6ae44a383cfea94cb1

SHA1
a61a7b240939418cf5ec32f639181308e7e8a78c

SHA256
2b56576dd431987fcad7ab8dcb7086a7342ec62db8a7fe9a75602a78c7cd30ba

SHA512
1d5044184c2e9a2d70a884fb34435f705b62fd57cbc57a0d9d7133ac3df315b2502a9ca303c7c2371eb19fa7835394ccd0f38eac2e9f300e956ed8357330bd91

Download Submit
C:\Windows\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe

Filesize
380KB

MD5
185625f123b539ddca8ed0652706692d

SHA1
a74d002ec2c7cd8b4137e6e88ca9b95c1c0e50bf

SHA256
580e850d2e4505c359df902f1f4718689430023f60c77d13335e80f91a2fe8a2

SHA512
3784cf6b9c611c7aa3d8603b6a8d919adfc451575391f7b94f20b2c48301bbce1ab7f8955ef2ed2a46040b4b24680864ceb4d301d38f58ac7e2a726623f8647b

Download Submit
C:\Windows\{FCAAFD5F-DECE-4750-91B1-964F830A4C49}.exe

Filesize
380KB

MD5
185625f123b539ddca8ed0652706692d

SHA1
a74d002ec2c7cd8b4137e6e88ca9b95c1c0e50bf

SHA256
580e850d2e4505c359df902f1f4718689430023f60c77d13335e80f91a2fe8a2

SHA512
3784cf6b9c611c7aa3d8603b6a8d919adfc451575391f7b94f20b2c48301bbce1ab7f8955ef2ed2a46040b4b24680864ceb4d301d38f58ac7e2a726623f8647b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads