b461a8b55374c8d202501d4d898cf5eaf3b45c5249bcb0eb9c367dd6fe93df29

Analysis

max time kernel
151s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Size

168KB
MD5

ff29fab1b2ae1ab5030787c5644579db
SHA1

b57f74276b0bf1eed4c89ad78baeeeb6f424af1f
SHA256

b461a8b55374c8d202501d4d898cf5eaf3b45c5249bcb0eb9c367dd6fe93df29
SHA512

c3a630da08653cf0d70fb8059d80db28a17431e33a617af4ebc0ab2b2fea634373ed4790f1dcc5b46ba56b1d1d22e740c8605b8151c2e3accf21cd354d462721
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}\stubpath = "C:\\Windows\\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe"	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9261C476-37E1-46d9-B7FE-6372A163FEAA}\stubpath = "C:\\Windows\\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe"	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}\stubpath = "C:\\Windows\\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe"	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}\stubpath = "C:\\Windows\\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe"	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9261C476-37E1-46d9-B7FE-6372A163FEAA}	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B762A0DA-FA6A-407f-B988-664B04FD8A98}	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B762A0DA-FA6A-407f-B988-664B04FD8A98}\stubpath = "C:\\Windows\\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe"	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}\stubpath = "C:\\Windows\\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe"	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}\stubpath = "C:\\Windows\\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe"	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}\stubpath = "C:\\Windows\\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe"	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FF6BE44-8D05-4911-AD54-082EE9310F19}\stubpath = "C:\\Windows\\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe"	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}\stubpath = "C:\\Windows\\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe"	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}\stubpath = "C:\\Windows\\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe"	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FF6BE44-8D05-4911-AD54-082EE9310F19}	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe

Executes dropped EXE 11 IoCs

pid	Process
3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe
1788	{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
File created	C:\Windows\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
File created	C:\Windows\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
File created	C:\Windows\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
File created	C:\Windows\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
File created	C:\Windows\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
File created	C:\Windows\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
File created	C:\Windows\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
File created	C:\Windows\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
File created	C:\Windows\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
File created	C:\Windows\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
Token: SeIncBasePriorityPrivilege	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
Token: SeIncBasePriorityPrivilege	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
Token: SeIncBasePriorityPrivilege	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
Token: SeIncBasePriorityPrivilege	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
Token: SeIncBasePriorityPrivilege	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
Token: SeIncBasePriorityPrivilege	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
Token: SeIncBasePriorityPrivilege	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
Token: SeIncBasePriorityPrivilege	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
Token: SeIncBasePriorityPrivilege	3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3920	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	89
PID 2468 wrote to memory of 3920	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	89
PID 2468 wrote to memory of 3920	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	89
PID 2468 wrote to memory of 568	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	90
PID 2468 wrote to memory of 568	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	90
PID 2468 wrote to memory of 568	2468	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	90
PID 3920 wrote to memory of 3556	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	91
PID 3920 wrote to memory of 3556	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	91
PID 3920 wrote to memory of 3556	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	91
PID 3920 wrote to memory of 3488	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	92
PID 3920 wrote to memory of 3488	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	92
PID 3920 wrote to memory of 3488	3920	{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe	92
PID 3556 wrote to memory of 2568	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	95
PID 3556 wrote to memory of 2568	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	95
PID 3556 wrote to memory of 2568	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	95
PID 3556 wrote to memory of 1976	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	94
PID 3556 wrote to memory of 1976	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	94
PID 3556 wrote to memory of 1976	3556	{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe	94
PID 2568 wrote to memory of 1472	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	96
PID 2568 wrote to memory of 1472	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	96
PID 2568 wrote to memory of 1472	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	96
PID 2568 wrote to memory of 180	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	97
PID 2568 wrote to memory of 180	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	97
PID 2568 wrote to memory of 180	2568	{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe	97
PID 1472 wrote to memory of 4820	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	98
PID 1472 wrote to memory of 4820	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	98
PID 1472 wrote to memory of 4820	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	98
PID 1472 wrote to memory of 4444	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	99
PID 1472 wrote to memory of 4444	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	99
PID 1472 wrote to memory of 4444	1472	{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe	99
PID 4820 wrote to memory of 352	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	100
PID 4820 wrote to memory of 352	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	100
PID 4820 wrote to memory of 352	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	100
PID 4820 wrote to memory of 4388	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	101
PID 4820 wrote to memory of 4388	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	101
PID 4820 wrote to memory of 4388	4820	{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe	101
PID 352 wrote to memory of 2172	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	102
PID 352 wrote to memory of 2172	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	102
PID 352 wrote to memory of 2172	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	102
PID 352 wrote to memory of 860	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	103
PID 352 wrote to memory of 860	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	103
PID 352 wrote to memory of 860	352	{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe	103
PID 2172 wrote to memory of 1004	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	104
PID 2172 wrote to memory of 1004	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	104
PID 2172 wrote to memory of 1004	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	104
PID 2172 wrote to memory of 1352	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	105
PID 2172 wrote to memory of 1352	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	105
PID 2172 wrote to memory of 1352	2172	{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe	105
PID 1004 wrote to memory of 1768	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	106
PID 1004 wrote to memory of 1768	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	106
PID 1004 wrote to memory of 1768	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	106
PID 1004 wrote to memory of 400	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	107
PID 1004 wrote to memory of 400	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	107
PID 1004 wrote to memory of 400	1004	{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe	107
PID 1768 wrote to memory of 3044	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	108
PID 1768 wrote to memory of 3044	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	108
PID 1768 wrote to memory of 3044	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	108
PID 1768 wrote to memory of 3748	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	109
PID 1768 wrote to memory of 3748	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	109
PID 1768 wrote to memory of 3748	1768	{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe	109
PID 3044 wrote to memory of 1788	3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe	110
PID 3044 wrote to memory of 1788	3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe	110
PID 3044 wrote to memory of 1788	3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe	110
PID 3044 wrote to memory of 2408	3044	{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
  C:\Windows\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
    C:\Windows\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59CF8~1.EXE > nul
      4⤵
      PID:1976
  - - C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
      C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
        
        C:\Windows\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
        
        C:\Windows\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
        
        C:\Windows\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
        
        C:\Windows\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
        
        C:\Windows\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
        
        C:\Windows\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe
        
        C:\Windows\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe
        
        C:\Windows\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EB1C~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6037E~1.EXE > nul
        11⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9261C~1.EXE > nul
        10⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B762A~1.EXE > nul
        9⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B159~1.EXE > nul
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4961~1.EXE > nul
        7⤵
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FF6B~1.EXE > nul
        6⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA754~1.EXE > nul
        5⤵
        
        PID:180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{80C0A~1.EXE > nul
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe

Filesize
168KB

MD5
c76572e9bd373cf5474caf877311af3a

SHA1
4c5a8019d4dafebcbf1f0720a10147eabce62f87

SHA256
eb8f6a8c808345665abf753f2892b27a8a4f6ee61e96a4df486481579027bd98

SHA512
08839c5ced497a66c40363f6ddcc5a1af78de71bc970d9c3d7181061b192856d10f3e5256d1204cd0dea96b605d08383e83b1c0a2cecacb80394f013fde0be9c

Download Submit
C:\Windows\{2EB1C938-65EF-411c-B99E-BB731EBD1D0E}.exe

Filesize
168KB

MD5
c76572e9bd373cf5474caf877311af3a

SHA1
4c5a8019d4dafebcbf1f0720a10147eabce62f87

SHA256
eb8f6a8c808345665abf753f2892b27a8a4f6ee61e96a4df486481579027bd98

SHA512
08839c5ced497a66c40363f6ddcc5a1af78de71bc970d9c3d7181061b192856d10f3e5256d1204cd0dea96b605d08383e83b1c0a2cecacb80394f013fde0be9c

Download Submit
C:\Windows\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe

Filesize
168KB

MD5
6406f75b70dd94703eb4b8fc31615e00

SHA1
2ce32099ced50648a942aa4e581898a40aa716cc

SHA256
68989fd3f32975bf628007bafbaad66254d66d66ca50189817542fdc13ccf672

SHA512
88d9e8116e172e910031798ab5f05fa1ff6772c976feb9b02ef8403d0b45c4aaa4ea25ae54a685661c479b1ad4ef8005e7a12cdbd0b3fadd02676feed3354837

Download Submit
C:\Windows\{4B159260-991C-4ea0-980F-CFCA8A6DDFC5}.exe

Filesize
168KB

MD5
6406f75b70dd94703eb4b8fc31615e00

SHA1
2ce32099ced50648a942aa4e581898a40aa716cc

SHA256
68989fd3f32975bf628007bafbaad66254d66d66ca50189817542fdc13ccf672

SHA512
88d9e8116e172e910031798ab5f05fa1ff6772c976feb9b02ef8403d0b45c4aaa4ea25ae54a685661c479b1ad4ef8005e7a12cdbd0b3fadd02676feed3354837

Download Submit
C:\Windows\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe

Filesize
168KB

MD5
c40ca543320d5f3624a2b334aab8a65f

SHA1
4071a27bae74beaf17e578e3c140786aece9edcb

SHA256
9b4667f54a672b0e7426f66d8600048b83d31de0d94ea43bd78032bd0a936e06

SHA512
49628d62fff4ab60386e66af8732738317b9a63ae7766f0e05dede6fb5c3e55f0ba4a85daeccc286bf1ea4e15f27e265fadf9688124ce4b6609402f253749585

Download Submit
C:\Windows\{4FF6BE44-8D05-4911-AD54-082EE9310F19}.exe

Filesize
168KB

MD5
c40ca543320d5f3624a2b334aab8a65f

SHA1
4071a27bae74beaf17e578e3c140786aece9edcb

SHA256
9b4667f54a672b0e7426f66d8600048b83d31de0d94ea43bd78032bd0a936e06

SHA512
49628d62fff4ab60386e66af8732738317b9a63ae7766f0e05dede6fb5c3e55f0ba4a85daeccc286bf1ea4e15f27e265fadf9688124ce4b6609402f253749585

Download Submit
C:\Windows\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe

Filesize
168KB

MD5
46d4b8493f2c779e7634afd3e10a6ca4

SHA1
9bcecda9c6bef13e45deaed98edd906c4426414e

SHA256
4a77961c981c320b64900b3909bc442b5df3fa0a48df348641f866d2533e5a54

SHA512
423600f19ad7490b1238b2bb73b60a8fb53c56cb6d6e41f31c69b93a92e35807821a9a8cbc11a6b628a0ec3afac81ee82adfac2e7479daa6cad26b66feedf1d4

Download Submit
C:\Windows\{59CF8ECC-645E-47e2-8B01-B66417A8EB82}.exe

Filesize
168KB

MD5
46d4b8493f2c779e7634afd3e10a6ca4

SHA1
9bcecda9c6bef13e45deaed98edd906c4426414e

SHA256
4a77961c981c320b64900b3909bc442b5df3fa0a48df348641f866d2533e5a54

SHA512
423600f19ad7490b1238b2bb73b60a8fb53c56cb6d6e41f31c69b93a92e35807821a9a8cbc11a6b628a0ec3afac81ee82adfac2e7479daa6cad26b66feedf1d4

Download Submit
C:\Windows\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe

Filesize
168KB

MD5
dbf9c05d3e375e6778409e265c5ad512

SHA1
9a889e762e946fa313ac2e8f67c9cb1676cb5dd0

SHA256
cb02a0f3723ef520e3b02426e42f917cd00c93d36696a45d44a7c5a042660460

SHA512
43aa353b203761dc62172db1404d582b9471a6e2917d81e71f3cbff5aec2e395954deb95f796a2be78da89b06f769953d037f2d7f8d425a01e6a3e18f81c9042

Download Submit
C:\Windows\{6037EDBE-CF36-4721-95E9-5B7FD56A4957}.exe

Filesize
168KB

MD5
dbf9c05d3e375e6778409e265c5ad512

SHA1
9a889e762e946fa313ac2e8f67c9cb1676cb5dd0

SHA256
cb02a0f3723ef520e3b02426e42f917cd00c93d36696a45d44a7c5a042660460

SHA512
43aa353b203761dc62172db1404d582b9471a6e2917d81e71f3cbff5aec2e395954deb95f796a2be78da89b06f769953d037f2d7f8d425a01e6a3e18f81c9042

Download Submit
C:\Windows\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe

Filesize
168KB

MD5
c62d1708150972e5527fb5c809a9ce5a

SHA1
a4b7fd70c536c6ff3fb68f70c3d18b5d99b83c75

SHA256
f5681ab05e19050a6ac0d6974f14b21a5d54a62522827ce938af714e434e6100

SHA512
c6a42898211d102c8be333ec528ee4543b49b39a06b5f89059638f2a5c38f20207378c8472afd1e38e10dfbc6ff4c9ebe649ed15cb41730891e32e33f7409b71

Download Submit
C:\Windows\{80C0A77C-5C81-471d-AB72-CE3D72C8322E}.exe

Filesize
168KB

MD5
c62d1708150972e5527fb5c809a9ce5a

SHA1
a4b7fd70c536c6ff3fb68f70c3d18b5d99b83c75

SHA256
f5681ab05e19050a6ac0d6974f14b21a5d54a62522827ce938af714e434e6100

SHA512
c6a42898211d102c8be333ec528ee4543b49b39a06b5f89059638f2a5c38f20207378c8472afd1e38e10dfbc6ff4c9ebe649ed15cb41730891e32e33f7409b71

Download Submit
C:\Windows\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe

Filesize
168KB

MD5
39a4946f6395778f0975d705040cffc9

SHA1
50397106a775d3c942b04c8ba63c252ddb52e5b8

SHA256
f4775b9bbf15d551b52093a8cac2e848c2a0f7d84d369307a997989957cd6cfa

SHA512
5cda43e616dbd9fda27102661664d8e70d56f9e6d93ca221103b54017eb1e95dd0cba89cf4291fb4ce3b338462c676a72c0dd048c67bf352c219e5f42f45eaa5

Download Submit
C:\Windows\{9261C476-37E1-46d9-B7FE-6372A163FEAA}.exe

Filesize
168KB

MD5
39a4946f6395778f0975d705040cffc9

SHA1
50397106a775d3c942b04c8ba63c252ddb52e5b8

SHA256
f4775b9bbf15d551b52093a8cac2e848c2a0f7d84d369307a997989957cd6cfa

SHA512
5cda43e616dbd9fda27102661664d8e70d56f9e6d93ca221103b54017eb1e95dd0cba89cf4291fb4ce3b338462c676a72c0dd048c67bf352c219e5f42f45eaa5

Download Submit
C:\Windows\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe

Filesize
168KB

MD5
bb4061371f049309f1650a7349a59674

SHA1
d545d8d27c68aac8ef47fbbfb4d1c1a164cc0343

SHA256
3f220ae167d6257ccbeb957db4eb9c428d0424f1cfa410b9eebf6aeb9fbd0f9d

SHA512
0a9e1854c3148713fcb9903ff8993e516a58ad70e082c2ebab04fb365aebc3ae8a7a6aadbf6f59217a9429abc4ea4cc15e13b02922295cb914b95be544a9c180

Download Submit
C:\Windows\{A2F3735B-2A9F-4b8e-AB5A-B309A569DDB8}.exe

Filesize
168KB

MD5
bb4061371f049309f1650a7349a59674

SHA1
d545d8d27c68aac8ef47fbbfb4d1c1a164cc0343

SHA256
3f220ae167d6257ccbeb957db4eb9c428d0424f1cfa410b9eebf6aeb9fbd0f9d

SHA512
0a9e1854c3148713fcb9903ff8993e516a58ad70e082c2ebab04fb365aebc3ae8a7a6aadbf6f59217a9429abc4ea4cc15e13b02922295cb914b95be544a9c180

Download Submit
C:\Windows\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe

Filesize
168KB

MD5
7ac5547e298ac44c02a85e438ea0f55a

SHA1
a59fc1e6a44af0c2e820668054c7fb1bb5408359

SHA256
6cfeb639875c63d7284f605ed1aa0db80fb8f9952ef13e1df48799c1b3c6a478

SHA512
e78a68a5253bd086e8427a7333c22d468a40b68b0c53e2acd139a0fcf9f9d5093c729ce2cca4ce448a8a1d8cf2d7560d7f76f36cb073377498d04bace5381a0f

Download Submit
C:\Windows\{B496125E-BEF2-4889-AB7A-F3DEE22ECC6B}.exe

Filesize
168KB

MD5
7ac5547e298ac44c02a85e438ea0f55a

SHA1
a59fc1e6a44af0c2e820668054c7fb1bb5408359

SHA256
6cfeb639875c63d7284f605ed1aa0db80fb8f9952ef13e1df48799c1b3c6a478

SHA512
e78a68a5253bd086e8427a7333c22d468a40b68b0c53e2acd139a0fcf9f9d5093c729ce2cca4ce448a8a1d8cf2d7560d7f76f36cb073377498d04bace5381a0f

Download Submit
C:\Windows\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe

Filesize
168KB

MD5
b027796a1ddbfb073876d124a346b981

SHA1
557d53392877abcb3f317dd98bf080da5bcc20af

SHA256
77f801b616082c92945049a3d2bd551d3be064685726200b9116ab8681b1bbe1

SHA512
870819d455d60eeedec0442fed3daa51aa0e68742bc138b8373b49278b4a55b372c74a209aad060d47f50f478759ae8d19bd9fbd9aca92ab6f522cf0dc8d2aad

Download Submit
C:\Windows\{B762A0DA-FA6A-407f-B988-664B04FD8A98}.exe

Filesize
168KB

MD5
b027796a1ddbfb073876d124a346b981

SHA1
557d53392877abcb3f317dd98bf080da5bcc20af

SHA256
77f801b616082c92945049a3d2bd551d3be064685726200b9116ab8681b1bbe1

SHA512
870819d455d60eeedec0442fed3daa51aa0e68742bc138b8373b49278b4a55b372c74a209aad060d47f50f478759ae8d19bd9fbd9aca92ab6f522cf0dc8d2aad

Download Submit
C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe

Filesize
168KB

MD5
57bc4093ed62e6ed0b30bcfde2981c23

SHA1
204e99c798c1123b01bb3f1a30c541d13f0b265f

SHA256
c2f407cfbc297d8dff5545df112ba804be07864c7411606fb5804b475b7b592a

SHA512
78a5c6dd0c18a051eea76cb35fd06d6927dc957d5a21550abc8b4ccd0ca19e573f51e29a9c11aa079d5326d96f8d23ca6e8ca1c1f180e135aaada3a992b12f72

Download Submit
C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe

Filesize
168KB

MD5
57bc4093ed62e6ed0b30bcfde2981c23

SHA1
204e99c798c1123b01bb3f1a30c541d13f0b265f

SHA256
c2f407cfbc297d8dff5545df112ba804be07864c7411606fb5804b475b7b592a

SHA512
78a5c6dd0c18a051eea76cb35fd06d6927dc957d5a21550abc8b4ccd0ca19e573f51e29a9c11aa079d5326d96f8d23ca6e8ca1c1f180e135aaada3a992b12f72

Download Submit
C:\Windows\{FA754D66-F1BD-4d3b-AC17-84459F5B3B92}.exe

Filesize
168KB

MD5
57bc4093ed62e6ed0b30bcfde2981c23

SHA1
204e99c798c1123b01bb3f1a30c541d13f0b265f

SHA256
c2f407cfbc297d8dff5545df112ba804be07864c7411606fb5804b475b7b592a

SHA512
78a5c6dd0c18a051eea76cb35fd06d6927dc957d5a21550abc8b4ccd0ca19e573f51e29a9c11aa079d5326d96f8d23ca6e8ca1c1f180e135aaada3a992b12f72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads