a84411b5a747a1ad42638b67debdd63106d3acc2595dc114626e497dd285e341

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Size

408KB
MD5

25de35a20184013edefb0093b0766822
SHA1

f891b6d3627476a843b2768b609463dde27ad3c1
SHA256

a84411b5a747a1ad42638b67debdd63106d3acc2595dc114626e497dd285e341
SHA512

322ecc2832cc777df38fd07502a246fb3c855f4c2468e14d8d4abbdafd25575379379db9b11d60db0c9729fd28b6d83f4a75d571416296755da94f5f2001455c
SSDEEP

3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}	{67543EE2-026F-447f-967C-B78E05FF9361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}\stubpath = "C:\\Windows\\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe"	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195A52EE-6DB4-4b7a-85D0-C100183C9713}	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E60F785-7C4B-4090-A564-F16E95DE2B02}	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}\stubpath = "C:\\Windows\\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe"	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}\stubpath = "C:\\Windows\\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe"	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67543EE2-026F-447f-967C-B78E05FF9361}	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22702204-471C-41ae-8E26-E02E7C55FA17}\stubpath = "C:\\Windows\\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe"	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{195A52EE-6DB4-4b7a-85D0-C100183C9713}\stubpath = "C:\\Windows\\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe"	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}\stubpath = "C:\\Windows\\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe"	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}\stubpath = "C:\\Windows\\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe"	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67543EE2-026F-447f-967C-B78E05FF9361}\stubpath = "C:\\Windows\\{67543EE2-026F-447f-967C-B78E05FF9361}.exe"	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}\stubpath = "C:\\Windows\\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe"	{67543EE2-026F-447f-967C-B78E05FF9361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}\stubpath = "C:\\Windows\\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe"	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E60F785-7C4B-4090-A564-F16E95DE2B02}\stubpath = "C:\\Windows\\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe"	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22702204-471C-41ae-8E26-E02E7C55FA17}	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe

Executes dropped EXE 11 IoCs

pid	Process
3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe
4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
4132	{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
File created	C:\Windows\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
File created	C:\Windows\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
File created	C:\Windows\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
File created	C:\Windows\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
File created	C:\Windows\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	{67543EE2-026F-447f-967C-B78E05FF9361}.exe
File created	C:\Windows\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
File created	C:\Windows\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
File created	C:\Windows\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
File created	C:\Windows\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
File created	C:\Windows\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
Token: SeIncBasePriorityPrivilege	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
Token: SeIncBasePriorityPrivilege	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe
Token: SeIncBasePriorityPrivilege	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
Token: SeIncBasePriorityPrivilege	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
Token: SeIncBasePriorityPrivilege	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
Token: SeIncBasePriorityPrivilege	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
Token: SeIncBasePriorityPrivilege	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
Token: SeIncBasePriorityPrivilege	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
Token: SeIncBasePriorityPrivilege	4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3712	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	83
PID 2324 wrote to memory of 3712	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	83
PID 2324 wrote to memory of 3712	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	83
PID 2324 wrote to memory of 4520	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	84
PID 2324 wrote to memory of 4520	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	84
PID 2324 wrote to memory of 4520	2324	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	84
PID 3712 wrote to memory of 4580	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	85
PID 3712 wrote to memory of 4580	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	85
PID 3712 wrote to memory of 4580	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	85
PID 3712 wrote to memory of 3400	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	86
PID 3712 wrote to memory of 3400	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	86
PID 3712 wrote to memory of 3400	3712	{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe	86
PID 4580 wrote to memory of 3832	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	91
PID 4580 wrote to memory of 3832	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	91
PID 4580 wrote to memory of 3832	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	91
PID 4580 wrote to memory of 484	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	90
PID 4580 wrote to memory of 484	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	90
PID 4580 wrote to memory of 484	4580	{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe	90
PID 3832 wrote to memory of 4744	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	92
PID 3832 wrote to memory of 4744	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	92
PID 3832 wrote to memory of 4744	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	92
PID 3832 wrote to memory of 4728	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	93
PID 3832 wrote to memory of 4728	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	93
PID 3832 wrote to memory of 4728	3832	{67543EE2-026F-447f-967C-B78E05FF9361}.exe	93
PID 4744 wrote to memory of 2732	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	94
PID 4744 wrote to memory of 2732	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	94
PID 4744 wrote to memory of 2732	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	94
PID 4744 wrote to memory of 3120	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	95
PID 4744 wrote to memory of 3120	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	95
PID 4744 wrote to memory of 3120	4744	{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe	95
PID 2732 wrote to memory of 2680	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	96
PID 2732 wrote to memory of 2680	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	96
PID 2732 wrote to memory of 2680	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	96
PID 2732 wrote to memory of 4308	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	97
PID 2732 wrote to memory of 4308	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	97
PID 2732 wrote to memory of 4308	2732	{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe	97
PID 2680 wrote to memory of 1364	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	98
PID 2680 wrote to memory of 1364	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	98
PID 2680 wrote to memory of 1364	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	98
PID 2680 wrote to memory of 3512	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	99
PID 2680 wrote to memory of 3512	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	99
PID 2680 wrote to memory of 3512	2680	{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe	99
PID 1364 wrote to memory of 4936	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	100
PID 1364 wrote to memory of 4936	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	100
PID 1364 wrote to memory of 4936	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	100
PID 1364 wrote to memory of 3348	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	101
PID 1364 wrote to memory of 3348	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	101
PID 1364 wrote to memory of 3348	1364	{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe	101
PID 4936 wrote to memory of 5076	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	102
PID 4936 wrote to memory of 5076	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	102
PID 4936 wrote to memory of 5076	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	102
PID 4936 wrote to memory of 1172	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	103
PID 4936 wrote to memory of 1172	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	103
PID 4936 wrote to memory of 1172	4936	{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe	103
PID 5076 wrote to memory of 4532	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	104
PID 5076 wrote to memory of 4532	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	104
PID 5076 wrote to memory of 4532	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	104
PID 5076 wrote to memory of 1992	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	105
PID 5076 wrote to memory of 1992	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	105
PID 5076 wrote to memory of 1992	5076	{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe	105
PID 4532 wrote to memory of 4132	4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe	106
PID 4532 wrote to memory of 4132	4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe	106
PID 4532 wrote to memory of 4132	4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe	106
PID 4532 wrote to memory of 408	4532	{22702204-471C-41ae-8E26-E02E7C55FA17}.exe	107

C:\Users\Admin\AppData\Local\Temp\2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
  C:\Windows\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
    C:\Windows\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57982~1.EXE > nul
      4⤵
      PID:484
  - - C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe
      C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
        
        C:\Windows\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
        
        C:\Windows\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
        
        C:\Windows\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
        
        C:\Windows\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
        
        C:\Windows\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
        
        C:\Windows\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
        
        C:\Windows\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe
        
        C:\Windows\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe
        12⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22702~1.EXE > nul
        12⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E60F~1.EXE > nul
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF6B3~1.EXE > nul
        10⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D0AE~1.EXE > nul
        9⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{195A5~1.EXE > nul
        8⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A15~1.EXE > nul
        7⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF8F~1.EXE > nul
        6⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67543~1.EXE > nul
        5⤵
        
        PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A0EA~1.EXE > nul
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe

Filesize
408KB

MD5
23231ba0ab31bdd6155cc50e494c6f2f

SHA1
c1281a5d6296f4e3b99398c8b0b5466ec49c99ed

SHA256
d5f2de1bfa6db72d59e75b320dd6403c7e071a4d52b611a84e7af0dfcc5da572

SHA512
507485527c75c809395bb34e908f3e1a57ae5f2d1fe501645a5a5296925ffb73de22c039b81b4fd256db3be79f9d80574dc760dbd60778e6868f9f8c79d4c6bc

Download Submit
C:\Windows\{195A52EE-6DB4-4b7a-85D0-C100183C9713}.exe

Filesize
408KB

MD5
23231ba0ab31bdd6155cc50e494c6f2f

SHA1
c1281a5d6296f4e3b99398c8b0b5466ec49c99ed

SHA256
d5f2de1bfa6db72d59e75b320dd6403c7e071a4d52b611a84e7af0dfcc5da572

SHA512
507485527c75c809395bb34e908f3e1a57ae5f2d1fe501645a5a5296925ffb73de22c039b81b4fd256db3be79f9d80574dc760dbd60778e6868f9f8c79d4c6bc

Download Submit
C:\Windows\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe

Filesize
408KB

MD5
6b63fe92e5441a54e871ec2fb10703ed

SHA1
8c91c2d70296d94ee3abec385d1557555d92c4b7

SHA256
f9f323d2efa3d7b849a110c9b0058020cc5f80718386fa73d328719a6fa19f55

SHA512
390d0dab0a01d22f0c8bec6679e19586637326f92465e25c4759cdee98cd43aeef3b49cd940c822115eeff64d31182d1bcf86a8ba47ce4e0428feca2aadbbc8e

Download Submit
C:\Windows\{1E60F785-7C4B-4090-A564-F16E95DE2B02}.exe

Filesize
408KB

MD5
6b63fe92e5441a54e871ec2fb10703ed

SHA1
8c91c2d70296d94ee3abec385d1557555d92c4b7

SHA256
f9f323d2efa3d7b849a110c9b0058020cc5f80718386fa73d328719a6fa19f55

SHA512
390d0dab0a01d22f0c8bec6679e19586637326f92465e25c4759cdee98cd43aeef3b49cd940c822115eeff64d31182d1bcf86a8ba47ce4e0428feca2aadbbc8e

Download Submit
C:\Windows\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe

Filesize
408KB

MD5
32c3038f32f6ac28c85322ebc36b87f6

SHA1
9d890fe6225fb96024c8432eec9ce2beb3b73c8a

SHA256
8489767da5c7493519a419d27451e92ef101e40d83e196e616663a9f42dd930a

SHA512
aef8b7693a308fc27c60d87495e375d9975b172281fcf818b51f95098f3dcd86cd7e382fb22a66393f358bfcae85e360bb573a1a3869ae3784d10c9bc95c7bb3

Download Submit
C:\Windows\{22702204-471C-41ae-8E26-E02E7C55FA17}.exe

Filesize
408KB

MD5
32c3038f32f6ac28c85322ebc36b87f6

SHA1
9d890fe6225fb96024c8432eec9ce2beb3b73c8a

SHA256
8489767da5c7493519a419d27451e92ef101e40d83e196e616663a9f42dd930a

SHA512
aef8b7693a308fc27c60d87495e375d9975b172281fcf818b51f95098f3dcd86cd7e382fb22a66393f358bfcae85e360bb573a1a3869ae3784d10c9bc95c7bb3

Download Submit
C:\Windows\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe

Filesize
408KB

MD5
67bbeb944897e801334a7ae932f25ea1

SHA1
1004eeb7692d730a0dc365392475134b1b1c3c9b

SHA256
f41cfb649faceb3d2aa141dc5a16690dad78fb1f9112db33c05b742fd0ae09f0

SHA512
19737777eadc8acd5a06dcca682bf4caf9ae5eefe9ae5322479cfe8221ba4bb8c625519ec8d93d83d0cbf0e647b892c41d633f1d0cb3f3d95972f3a8e5994fb5

Download Submit
C:\Windows\{4A0EADBC-E62F-468e-9AF0-CE3851A1743B}.exe

Filesize
408KB

MD5
67bbeb944897e801334a7ae932f25ea1

SHA1
1004eeb7692d730a0dc365392475134b1b1c3c9b

SHA256
f41cfb649faceb3d2aa141dc5a16690dad78fb1f9112db33c05b742fd0ae09f0

SHA512
19737777eadc8acd5a06dcca682bf4caf9ae5eefe9ae5322479cfe8221ba4bb8c625519ec8d93d83d0cbf0e647b892c41d633f1d0cb3f3d95972f3a8e5994fb5

Download Submit
C:\Windows\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe

Filesize
408KB

MD5
bf9b2f5d105487443638d3e3536da67b

SHA1
6226f59516e26d83a348f8dda7a1eac1d02ef5ee

SHA256
d55f1c752eeb6889811dbc7407cbe2b3e6d67815a4e6e715f0a62985a75f0d08

SHA512
d582348d79fa4faa7d22197a9bcc47e3faf7caafda75ac465d6d20a44fb653cf3f2ba2e4cc14eb982f8f2eab4d1b514b91f18e11f2fd133818b4d4d87a9e3fb7

Download Submit
C:\Windows\{5798261D-9F47-44b1-B7E6-13A50D20DF1F}.exe

Filesize
408KB

MD5
bf9b2f5d105487443638d3e3536da67b

SHA1
6226f59516e26d83a348f8dda7a1eac1d02ef5ee

SHA256
d55f1c752eeb6889811dbc7407cbe2b3e6d67815a4e6e715f0a62985a75f0d08

SHA512
d582348d79fa4faa7d22197a9bcc47e3faf7caafda75ac465d6d20a44fb653cf3f2ba2e4cc14eb982f8f2eab4d1b514b91f18e11f2fd133818b4d4d87a9e3fb7

Download Submit
C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe

Filesize
408KB

MD5
5ed4f9ebefb4bbd0f00dfc726416d8f9

SHA1
117522d65788d063a05862de052a55c25cf42b2c

SHA256
3cb91c0c6b607ce6ccf562cbf9365fcd9f605bcf85bceee07b50b86d27176cdd

SHA512
6160b75e313604b88aed21b12594d8a67ef22985c9ec744bc0a850af422446d53c3b97e79c267cae6ee7e21668ed9452e3956d6371d1899eca4a93c2b46d51c1

Download Submit
C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe

Filesize
408KB

MD5
5ed4f9ebefb4bbd0f00dfc726416d8f9

SHA1
117522d65788d063a05862de052a55c25cf42b2c

SHA256
3cb91c0c6b607ce6ccf562cbf9365fcd9f605bcf85bceee07b50b86d27176cdd

SHA512
6160b75e313604b88aed21b12594d8a67ef22985c9ec744bc0a850af422446d53c3b97e79c267cae6ee7e21668ed9452e3956d6371d1899eca4a93c2b46d51c1

Download Submit
C:\Windows\{67543EE2-026F-447f-967C-B78E05FF9361}.exe

Filesize
408KB

MD5
5ed4f9ebefb4bbd0f00dfc726416d8f9

SHA1
117522d65788d063a05862de052a55c25cf42b2c

SHA256
3cb91c0c6b607ce6ccf562cbf9365fcd9f605bcf85bceee07b50b86d27176cdd

SHA512
6160b75e313604b88aed21b12594d8a67ef22985c9ec744bc0a850af422446d53c3b97e79c267cae6ee7e21668ed9452e3956d6371d1899eca4a93c2b46d51c1

Download Submit
C:\Windows\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe

Filesize
408KB

MD5
07f4910d30f871ff040c90420a4bc5b6

SHA1
31468a2556004a6c673efb46fe90bbe0c4dabe0d

SHA256
bfdccd168d1736b21330d37d122663567080ceeb2e44269abec402050d33053c

SHA512
66057e184904a323a36bff720173f6cbc61128ffe85adfb75438c2cf949a4594177f9e5bc41a525f12ad15699cd74f8821fd272bcc90192874ffd43b0371501a

Download Submit
C:\Windows\{8D0AEC05-6F4A-4193-BA49-EB7ED0058690}.exe

Filesize
408KB

MD5
07f4910d30f871ff040c90420a4bc5b6

SHA1
31468a2556004a6c673efb46fe90bbe0c4dabe0d

SHA256
bfdccd168d1736b21330d37d122663567080ceeb2e44269abec402050d33053c

SHA512
66057e184904a323a36bff720173f6cbc61128ffe85adfb75438c2cf949a4594177f9e5bc41a525f12ad15699cd74f8821fd272bcc90192874ffd43b0371501a

Download Submit
C:\Windows\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe

Filesize
408KB

MD5
d2eca9bc06524de77efb4ec89b9d56b5

SHA1
68934287e833d77dc9f331d4598c46abb439c070

SHA256
4850ee1cf5c2e5ef5b7cffec0af93802b7ce1b9aac8f1c12b9135c947b99c0f2

SHA512
5aa0efee2df3337ff07f1a7319ed4924bcc17c3624e5369e3932c83f4149ae8e5f8c1e93682789a2f0fbd9e9d88ac497e1e04343f1d29799210c8b6caaf1f448

Download Submit
C:\Windows\{97A15C14-9FEF-46a7-B36E-E46413FF3FED}.exe

Filesize
408KB

MD5
d2eca9bc06524de77efb4ec89b9d56b5

SHA1
68934287e833d77dc9f331d4598c46abb439c070

SHA256
4850ee1cf5c2e5ef5b7cffec0af93802b7ce1b9aac8f1c12b9135c947b99c0f2

SHA512
5aa0efee2df3337ff07f1a7319ed4924bcc17c3624e5369e3932c83f4149ae8e5f8c1e93682789a2f0fbd9e9d88ac497e1e04343f1d29799210c8b6caaf1f448

Download Submit
C:\Windows\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe

Filesize
408KB

MD5
249ed333ab35e2c1cbc8d39f2ed5e30c

SHA1
853041de75de8f5820d31e20d7d643c1496f97d5

SHA256
e712007ae35824dae0814c10e6ea835c0d72edd41d68469badab47785a91ca17

SHA512
983e19741471ce0a3eae12ac62b66df9dda0ec61067265cfffb3ebcc695a2336a58b321d504359cc4607586f1c51655c602f4addecfad34e3f6d0fe64289fe57

Download Submit
C:\Windows\{B448A4FF-F578-4f1d-B1ED-30DD7C48DD9E}.exe

Filesize
408KB

MD5
249ed333ab35e2c1cbc8d39f2ed5e30c

SHA1
853041de75de8f5820d31e20d7d643c1496f97d5

SHA256
e712007ae35824dae0814c10e6ea835c0d72edd41d68469badab47785a91ca17

SHA512
983e19741471ce0a3eae12ac62b66df9dda0ec61067265cfffb3ebcc695a2336a58b321d504359cc4607586f1c51655c602f4addecfad34e3f6d0fe64289fe57

Download Submit
C:\Windows\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe

Filesize
408KB

MD5
2eb4e8eb610fc2558126f936d8a4f09b

SHA1
ed050485eb435588dd1364a923dc13c8f4de2be5

SHA256
770b226399cac6de0c645e0d0d47fc642273132e16a45848409a98a24878c505

SHA512
170c02826ff5c42a8cbc9fdb2667a2036d7ada78d952edaf3d6d1756650f272b62ba06295215aab3a7671b5fdc3a8d5a895c2e260e4cf2e9c0a4bac28c5ad61b

Download Submit
C:\Windows\{DF6B31E2-4584-4769-98A5-F66DE5EF187D}.exe

Filesize
408KB

MD5
2eb4e8eb610fc2558126f936d8a4f09b

SHA1
ed050485eb435588dd1364a923dc13c8f4de2be5

SHA256
770b226399cac6de0c645e0d0d47fc642273132e16a45848409a98a24878c505

SHA512
170c02826ff5c42a8cbc9fdb2667a2036d7ada78d952edaf3d6d1756650f272b62ba06295215aab3a7671b5fdc3a8d5a895c2e260e4cf2e9c0a4bac28c5ad61b

Download Submit
C:\Windows\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe

Filesize
408KB

MD5
719999fc7d73b2b4d2ef85e9c4694e1a

SHA1
8f73f4f969313a5432c89b277e6ae15f099bbae7

SHA256
c56316662743efcc3261909c7b0c55b6dbc94318ca1ac56fb53474f3761e1f91

SHA512
6713ef5b0d8c231991d7a04ac3bda509a874ff001d626d4244699f66d9c9729c39fc101381fe2f9caac3658155b4e6aa1d7f6541f0a64be55bfcd0410fe1e966

Download Submit
C:\Windows\{EEF8F2A6-C93E-4329-A311-C3ABE2DFCB27}.exe

Filesize
408KB

MD5
719999fc7d73b2b4d2ef85e9c4694e1a

SHA1
8f73f4f969313a5432c89b277e6ae15f099bbae7

SHA256
c56316662743efcc3261909c7b0c55b6dbc94318ca1ac56fb53474f3761e1f91

SHA512
6713ef5b0d8c231991d7a04ac3bda509a874ff001d626d4244699f66d9c9729c39fc101381fe2f9caac3658155b4e6aa1d7f6541f0a64be55bfcd0410fe1e966

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads