bedda55a233c9dff70e80311718207465dd17795b582f3b73bef45de9f5eac1e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Size

204KB
MD5

21c7814c95e5a510c2e6e538e62dba15
SHA1

e57d1312d10c43a981299c12af06d54fda5ac902
SHA256

bedda55a233c9dff70e80311718207465dd17795b582f3b73bef45de9f5eac1e
SHA512

e02466efd77a6412dd16732fa958234e552a7e20a5e5f8c732c6b101b00c1e159c12658711ea95fbcaeb987e14d766b5b64749740a8ae276373a369188ffd55e
SSDEEP

1536:1EGh0oTl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oTl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BCF8150-1F25-4549-B7F6-02241EEFE950}	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137267BB-2FF0-48f2-888B-21E0A14F044A}\stubpath = "C:\\Windows\\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe"	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}\stubpath = "C:\\Windows\\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe"	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D25A143-B325-4893-BA18-CD5CC28FCE02}	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}\stubpath = "C:\\Windows\\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe"	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}\stubpath = "C:\\Windows\\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe"	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69B48385-D92E-4902-9F1E-2C13FA22EA67}\stubpath = "C:\\Windows\\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe"	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B4FE32-7B4A-4165-864C-262D96853E32}	{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}\stubpath = "C:\\Windows\\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe"	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D25A143-B325-4893-BA18-CD5CC28FCE02}\stubpath = "C:\\Windows\\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe"	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}\stubpath = "C:\\Windows\\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe"	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BCF8150-1F25-4549-B7F6-02241EEFE950}\stubpath = "C:\\Windows\\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe"	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69B48385-D92E-4902-9F1E-2C13FA22EA67}	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}\stubpath = "C:\\Windows\\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe"	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F24F816-6EDE-441f-8023-BA52394CC1C8}	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{137267BB-2FF0-48f2-888B-21E0A14F044A}	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B4FE32-7B4A-4165-864C-262D96853E32}\stubpath = "C:\\Windows\\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe"	{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F24F816-6EDE-441f-8023-BA52394CC1C8}\stubpath = "C:\\Windows\\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe"	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe

Executes dropped EXE 12 IoCs

pid	Process
1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
4164	{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
4576	{92B4FE32-7B4A-4165-864C-262D96853E32}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe	{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
File created	C:\Windows\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
File created	C:\Windows\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
File created	C:\Windows\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
File created	C:\Windows\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
File created	C:\Windows\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
File created	C:\Windows\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
File created	C:\Windows\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
File created	C:\Windows\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
File created	C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
File created	C:\Windows\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
File created	C:\Windows\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
Token: SeIncBasePriorityPrivilege	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
Token: SeIncBasePriorityPrivilege	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
Token: SeIncBasePriorityPrivilege	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
Token: SeIncBasePriorityPrivilege	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
Token: SeIncBasePriorityPrivilege	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
Token: SeIncBasePriorityPrivilege	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
Token: SeIncBasePriorityPrivilege	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
Token: SeIncBasePriorityPrivilege	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
Token: SeIncBasePriorityPrivilege	2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
Token: SeIncBasePriorityPrivilege	4164	{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1152	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	90
PID 4392 wrote to memory of 1152	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	90
PID 4392 wrote to memory of 1152	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	90
PID 4392 wrote to memory of 1828	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	91
PID 4392 wrote to memory of 1828	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	91
PID 4392 wrote to memory of 1828	4392	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	91
PID 1152 wrote to memory of 1204	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	92
PID 1152 wrote to memory of 1204	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	92
PID 1152 wrote to memory of 1204	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	92
PID 1152 wrote to memory of 212	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	93
PID 1152 wrote to memory of 212	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	93
PID 1152 wrote to memory of 212	1152	{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe	93
PID 1204 wrote to memory of 2608	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	96
PID 1204 wrote to memory of 2608	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	96
PID 1204 wrote to memory of 2608	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	96
PID 1204 wrote to memory of 4620	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	95
PID 1204 wrote to memory of 4620	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	95
PID 1204 wrote to memory of 4620	1204	{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe	95
PID 2608 wrote to memory of 4888	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	97
PID 2608 wrote to memory of 4888	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	97
PID 2608 wrote to memory of 4888	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	97
PID 2608 wrote to memory of 5108	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	98
PID 2608 wrote to memory of 5108	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	98
PID 2608 wrote to memory of 5108	2608	{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe	98
PID 4888 wrote to memory of 1180	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	99
PID 4888 wrote to memory of 1180	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	99
PID 4888 wrote to memory of 1180	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	99
PID 4888 wrote to memory of 1648	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	100
PID 4888 wrote to memory of 1648	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	100
PID 4888 wrote to memory of 1648	4888	{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe	100
PID 1180 wrote to memory of 4316	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	101
PID 1180 wrote to memory of 4316	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	101
PID 1180 wrote to memory of 4316	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	101
PID 1180 wrote to memory of 3184	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	102
PID 1180 wrote to memory of 3184	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	102
PID 1180 wrote to memory of 3184	1180	{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe	102
PID 4316 wrote to memory of 3380	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	103
PID 4316 wrote to memory of 3380	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	103
PID 4316 wrote to memory of 3380	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	103
PID 4316 wrote to memory of 5096	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	104
PID 4316 wrote to memory of 5096	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	104
PID 4316 wrote to memory of 5096	4316	{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe	104
PID 3380 wrote to memory of 4860	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	105
PID 3380 wrote to memory of 4860	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	105
PID 3380 wrote to memory of 4860	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	105
PID 3380 wrote to memory of 3840	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	106
PID 3380 wrote to memory of 3840	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	106
PID 3380 wrote to memory of 3840	3380	{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe	106
PID 4860 wrote to memory of 2268	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	107
PID 4860 wrote to memory of 2268	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	107
PID 4860 wrote to memory of 2268	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	107
PID 4860 wrote to memory of 3104	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	108
PID 4860 wrote to memory of 3104	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	108
PID 4860 wrote to memory of 3104	4860	{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe	108
PID 2268 wrote to memory of 2696	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	109
PID 2268 wrote to memory of 2696	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	109
PID 2268 wrote to memory of 2696	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	109
PID 2268 wrote to memory of 1992	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	110
PID 2268 wrote to memory of 1992	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	110
PID 2268 wrote to memory of 1992	2268	{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe	110
PID 2696 wrote to memory of 4164	2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe	111
PID 2696 wrote to memory of 4164	2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe	111
PID 2696 wrote to memory of 4164	2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe	111
PID 2696 wrote to memory of 3288	2696	{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe	112

C:\Users\Admin\AppData\Local\Temp\2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
  C:\Windows\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
    C:\Windows\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C290A~1.EXE > nul
      4⤵
      PID:4620
  - - C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
      C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
        
        C:\Windows\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
        
        C:\Windows\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
        
        C:\Windows\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
        
        C:\Windows\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
        
        C:\Windows\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
        
        C:\Windows\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
        
        C:\Windows\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
        
        C:\Windows\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe
        
        C:\Windows\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe
        13⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69B48~1.EXE > nul
        13⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B28~1.EXE > nul
        12⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D183F~1.EXE > nul
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13726~1.EXE > nul
        10⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BCF8~1.EXE > nul
        9⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04DE6~1.EXE > nul
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC33~1.EXE > nul
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D25A~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F24F~1.EXE > nul
        5⤵
        
        PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C05A~1.EXE > nul
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe

Filesize
204KB

MD5
ab920fc381b22d1aa2d7a40ac0f9bb8a

SHA1
9860e80a87703c70ab670a9f968c08d5f0394ebc

SHA256
6862c879d3acc286cee60f35876e9bfb704356453db15a8a6937c9a7837ebb0d

SHA512
1db29ac3734aaa637cab298fb9f5483531368ef96bb2aedfc69d3829141678a1a5534052b89a81d59c045a52b0dc7c3bc7476c836431d813621feb1a443717d1

Download Submit
C:\Windows\{04DE6960-46A4-4a5a-BE00-2FC260768AA6}.exe

Filesize
204KB

MD5
ab920fc381b22d1aa2d7a40ac0f9bb8a

SHA1
9860e80a87703c70ab670a9f968c08d5f0394ebc

SHA256
6862c879d3acc286cee60f35876e9bfb704356453db15a8a6937c9a7837ebb0d

SHA512
1db29ac3734aaa637cab298fb9f5483531368ef96bb2aedfc69d3829141678a1a5534052b89a81d59c045a52b0dc7c3bc7476c836431d813621feb1a443717d1

Download Submit
C:\Windows\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe

Filesize
204KB

MD5
ae82f9d3ef1ac6f41b22ebc59c0eaad3

SHA1
3f2a1c430e4a1b31098f899662391f32e9ecd8ae

SHA256
630234650eff013d7f14f12a43bf49cc08060818a96a2444685e0f8be7fe2ef8

SHA512
3fa8173c71a4ec2b5c8815c2322f80424662d83c8f347eacbb13174a9dfe292d368098a7eb8adaef90aece37228bd61723b8e31b5c8934e48a2e437a88bfb2df

Download Submit
C:\Windows\{0C05A55C-24A5-4cb2-A9B4-CA363FE427AA}.exe

Filesize
204KB

MD5
ae82f9d3ef1ac6f41b22ebc59c0eaad3

SHA1
3f2a1c430e4a1b31098f899662391f32e9ecd8ae

SHA256
630234650eff013d7f14f12a43bf49cc08060818a96a2444685e0f8be7fe2ef8

SHA512
3fa8173c71a4ec2b5c8815c2322f80424662d83c8f347eacbb13174a9dfe292d368098a7eb8adaef90aece37228bd61723b8e31b5c8934e48a2e437a88bfb2df

Download Submit
C:\Windows\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe

Filesize
204KB

MD5
dd3474c58befdcf04a0acaf7f24cd6e9

SHA1
b8d603a9f654e41ea7bc5f77c8c7ba4b396e82e5

SHA256
a8d6211365cd20a96d61f6e13e2dcda04d6a7f618893336586f5adaae87b03f4

SHA512
3f03a28a4fc2b760f5f72ebdbddd048327d1aa3b77c2bf428680ce330f423e23a11e2b92b41870c8bd991ea061a8ae6e3e7d13aa542797888ff528cf303a1429

Download Submit
C:\Windows\{137267BB-2FF0-48f2-888B-21E0A14F044A}.exe

Filesize
204KB

MD5
dd3474c58befdcf04a0acaf7f24cd6e9

SHA1
b8d603a9f654e41ea7bc5f77c8c7ba4b396e82e5

SHA256
a8d6211365cd20a96d61f6e13e2dcda04d6a7f618893336586f5adaae87b03f4

SHA512
3f03a28a4fc2b760f5f72ebdbddd048327d1aa3b77c2bf428680ce330f423e23a11e2b92b41870c8bd991ea061a8ae6e3e7d13aa542797888ff528cf303a1429

Download Submit
C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe

Filesize
204KB

MD5
8c0ccede8ac7dd3e4026c7dade18aa83

SHA1
be202c0afd7c98f3f8ad6cd3e314477e24271fdf

SHA256
4022f08ba9fe8ad713e4529413056d2c596a6edf5d7113d81a990b9633e0f6c9

SHA512
7dd856c06787b81b7f325a5c1da955f41efa6f3b51beff0d6542e7488f69924af72517489c10dbd8c832bf8380235ebc3fe18b8d4aa6415d867e56b288abf3e4

Download Submit
C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe

Filesize
204KB

MD5
8c0ccede8ac7dd3e4026c7dade18aa83

SHA1
be202c0afd7c98f3f8ad6cd3e314477e24271fdf

SHA256
4022f08ba9fe8ad713e4529413056d2c596a6edf5d7113d81a990b9633e0f6c9

SHA512
7dd856c06787b81b7f325a5c1da955f41efa6f3b51beff0d6542e7488f69924af72517489c10dbd8c832bf8380235ebc3fe18b8d4aa6415d867e56b288abf3e4

Download Submit
C:\Windows\{3F24F816-6EDE-441f-8023-BA52394CC1C8}.exe

Filesize
204KB

MD5
8c0ccede8ac7dd3e4026c7dade18aa83

SHA1
be202c0afd7c98f3f8ad6cd3e314477e24271fdf

SHA256
4022f08ba9fe8ad713e4529413056d2c596a6edf5d7113d81a990b9633e0f6c9

SHA512
7dd856c06787b81b7f325a5c1da955f41efa6f3b51beff0d6542e7488f69924af72517489c10dbd8c832bf8380235ebc3fe18b8d4aa6415d867e56b288abf3e4

Download Submit
C:\Windows\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe

Filesize
204KB

MD5
6f5871403ea018cd9090b65a8acb203f

SHA1
20f1ce29a122f9f79cef41dce5e909a786aa1f14

SHA256
cd63960e67aec42730ae0a004ce4e127fdc7e18d21133c95882ef8e27c619d33

SHA512
e9e0a8faf91509a4276cd747fd50b6be593d97d272b280124090fa8062e2194450819a1034646a33b8ace25ee876ae8275c47b31881197b45b4ae8c77354cab0

Download Submit
C:\Windows\{69B48385-D92E-4902-9F1E-2C13FA22EA67}.exe

Filesize
204KB

MD5
6f5871403ea018cd9090b65a8acb203f

SHA1
20f1ce29a122f9f79cef41dce5e909a786aa1f14

SHA256
cd63960e67aec42730ae0a004ce4e127fdc7e18d21133c95882ef8e27c619d33

SHA512
e9e0a8faf91509a4276cd747fd50b6be593d97d272b280124090fa8062e2194450819a1034646a33b8ace25ee876ae8275c47b31881197b45b4ae8c77354cab0

Download Submit
C:\Windows\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe

Filesize
204KB

MD5
d8b0c342b520920c8285c162bb3771cf

SHA1
e5f06361c2d6163312fd7aad66d25aa9d7997e80

SHA256
284c73013b0792079b6905dbcbc748fe246ff6beb620f6d9f2d7eafd561ade16

SHA512
388c65a796d74ed883b38f0bb751a85b99aba6b012f43a78fa47bc3a675bf4218781fc27dfc2016b59b0a2557f301d36515b71c04b254b3a1b64d9d224364168

Download Submit
C:\Windows\{6BCF8150-1F25-4549-B7F6-02241EEFE950}.exe

Filesize
204KB

MD5
d8b0c342b520920c8285c162bb3771cf

SHA1
e5f06361c2d6163312fd7aad66d25aa9d7997e80

SHA256
284c73013b0792079b6905dbcbc748fe246ff6beb620f6d9f2d7eafd561ade16

SHA512
388c65a796d74ed883b38f0bb751a85b99aba6b012f43a78fa47bc3a675bf4218781fc27dfc2016b59b0a2557f301d36515b71c04b254b3a1b64d9d224364168

Download Submit
C:\Windows\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe

Filesize
204KB

MD5
d57066bc16ec75fd75864a38c45528e7

SHA1
1d6d96357320dbb1bf87ef1d3cf7cba2517a8d45

SHA256
83ed60aaef84050cf4995ef6a6e56ea1aa0ad94afe5a8b6976a460c9ee743c93

SHA512
73d82765e2a3575f574136d0dfc5f94c7fbaa0dabb183f7d722676cce6542ff842898adaa9732db359818d902ccd8d334c0670d46c85584a8ce191051b5de569

Download Submit
C:\Windows\{8D25A143-B325-4893-BA18-CD5CC28FCE02}.exe

Filesize
204KB

MD5
d57066bc16ec75fd75864a38c45528e7

SHA1
1d6d96357320dbb1bf87ef1d3cf7cba2517a8d45

SHA256
83ed60aaef84050cf4995ef6a6e56ea1aa0ad94afe5a8b6976a460c9ee743c93

SHA512
73d82765e2a3575f574136d0dfc5f94c7fbaa0dabb183f7d722676cce6542ff842898adaa9732db359818d902ccd8d334c0670d46c85584a8ce191051b5de569

Download Submit
C:\Windows\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe

Filesize
204KB

MD5
2c99c6df7b825f364b29dd1957fab043

SHA1
5039ddad9d4d45a66040fae3487fe4cbdade72ec

SHA256
0759340b0ab316b7c0f6f359a0bdfa56108818f6eede39574467a917809cdaa0

SHA512
ef8dde1fbe5958e39953bf7a75ea6b0f6aae8624ed538f79002217f2b05946e3fa95d24e4c0b1cbb1c3b5c66c961bac2a141fab8f5119aeeb04347f2ec6b296c

Download Submit
C:\Windows\{92B4FE32-7B4A-4165-864C-262D96853E32}.exe

Filesize
204KB

MD5
2c99c6df7b825f364b29dd1957fab043

SHA1
5039ddad9d4d45a66040fae3487fe4cbdade72ec

SHA256
0759340b0ab316b7c0f6f359a0bdfa56108818f6eede39574467a917809cdaa0

SHA512
ef8dde1fbe5958e39953bf7a75ea6b0f6aae8624ed538f79002217f2b05946e3fa95d24e4c0b1cbb1c3b5c66c961bac2a141fab8f5119aeeb04347f2ec6b296c

Download Submit
C:\Windows\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe

Filesize
204KB

MD5
62bd0e3745ca313cf941bd32003891ec

SHA1
41525b611fba516f55ed04dec32a6e6147c268fb

SHA256
135ea9c4cfda16e90cd63b1178f5416723b325cb36996be6ae99a0ae35b1dd43

SHA512
9489a0d24161e3404b4cd388e9a9f575d4f7fb17af4edd16c989a2a64ea7d098757b44c1b76da04a60df1cae26d6ff8ce4ac479be29afdbcc85c2fc6fb4eb53b

Download Submit
C:\Windows\{C290A7A0-CE28-4b4e-965A-6B8BA9105616}.exe

Filesize
204KB

MD5
62bd0e3745ca313cf941bd32003891ec

SHA1
41525b611fba516f55ed04dec32a6e6147c268fb

SHA256
135ea9c4cfda16e90cd63b1178f5416723b325cb36996be6ae99a0ae35b1dd43

SHA512
9489a0d24161e3404b4cd388e9a9f575d4f7fb17af4edd16c989a2a64ea7d098757b44c1b76da04a60df1cae26d6ff8ce4ac479be29afdbcc85c2fc6fb4eb53b

Download Submit
C:\Windows\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe

Filesize
204KB

MD5
688b4f46bf360386853615ddcdc5b35f

SHA1
fa7d8c1503b0b54dba0fef07df2b8017b784bc79

SHA256
b92b6c3f1229811e7613cd001bc113cef980981c35891ed95a948a97eb3e88b4

SHA512
0cfd283fed059dfb053e030159645fd817d473ed4172c3553f95ff6e1eed0865d888a1d326c3f0a80cbab4e3ac9782903ed44ad50884814869085dbd4c86bb7b

Download Submit
C:\Windows\{D183FA62-8932-4dd0-8A3F-4B8A44E39A01}.exe

Filesize
204KB

MD5
688b4f46bf360386853615ddcdc5b35f

SHA1
fa7d8c1503b0b54dba0fef07df2b8017b784bc79

SHA256
b92b6c3f1229811e7613cd001bc113cef980981c35891ed95a948a97eb3e88b4

SHA512
0cfd283fed059dfb053e030159645fd817d473ed4172c3553f95ff6e1eed0865d888a1d326c3f0a80cbab4e3ac9782903ed44ad50884814869085dbd4c86bb7b

Download Submit
C:\Windows\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe

Filesize
204KB

MD5
87d23ce29d587a04b64a1f0c7b955060

SHA1
f66dd54800c71e8a567168d56ee528ec4fda8a65

SHA256
19da63418d33e643bf68bdec52cceab4e1039a8c774524c3439a92d76080ae05

SHA512
81d514769bf70958589577f8fb24bf2c295840499b58198da6691c1ff1046382ee9b60f729108b49c62fefed86762e47f108e67a7c3379220db6abbf7d7c0ca8

Download Submit
C:\Windows\{E1B28B13-7457-47cd-A3D3-CB6E27573BF7}.exe

Filesize
204KB

MD5
87d23ce29d587a04b64a1f0c7b955060

SHA1
f66dd54800c71e8a567168d56ee528ec4fda8a65

SHA256
19da63418d33e643bf68bdec52cceab4e1039a8c774524c3439a92d76080ae05

SHA512
81d514769bf70958589577f8fb24bf2c295840499b58198da6691c1ff1046382ee9b60f729108b49c62fefed86762e47f108e67a7c3379220db6abbf7d7c0ca8

Download Submit
C:\Windows\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe

Filesize
204KB

MD5
d76527d6bf8f01f3d98694a69f226acb

SHA1
d4ead74dee646f23b8e51b9a44902a2faa68ded6

SHA256
342ccac869346748b77e6d15ef19bbabed0b76997bf83fbd631977c0a7c3d158

SHA512
f1aa6a86210e0212ea22b19c900f30e2faa961e68e4d54f2311c07a2f60a4c4dc3d104eef740d908c7060fa37f2479b4973cfd08d968cf1dc4496f6b3be2d63b

Download Submit
C:\Windows\{EDC339BB-3861-4655-8AE0-DD5D4D0E7A28}.exe

Filesize
204KB

MD5
d76527d6bf8f01f3d98694a69f226acb

SHA1
d4ead74dee646f23b8e51b9a44902a2faa68ded6

SHA256
342ccac869346748b77e6d15ef19bbabed0b76997bf83fbd631977c0a7c3d158

SHA512
f1aa6a86210e0212ea22b19c900f30e2faa961e68e4d54f2311c07a2f60a4c4dc3d104eef740d908c7060fa37f2479b4973cfd08d968cf1dc4496f6b3be2d63b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads