bd44cfc41f9a08eec4357776aaccab6db0d38c4a883815e6beb6fff4168054cc

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
Size

192KB
MD5

5e63955cae724a8dad194272be35d0a7
SHA1

82df358133b7ada6d26f509b67dc3aab9e2ff9d8
SHA256

bd44cfc41f9a08eec4357776aaccab6db0d38c4a883815e6beb6fff4168054cc
SHA512

4ae0dc022672d9ea77b906b38c75d1f172a678418236a3c347111f1cf593f158c28599adad281f8472e5acd75c4b7ccc4f8fca396480420d307fe9805d29780a
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0osl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}\stubpath = "C:\\Windows\\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe"	{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8462640D-78B4-460f-BF62-4C38AAA3E485}\stubpath = "C:\\Windows\\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe"	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C884BCA7-3931-4cc4-ADF5-0396C5672756}	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}\stubpath = "C:\\Windows\\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe"	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}\stubpath = "C:\\Windows\\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe"	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}	{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035FE0B1-3409-4435-8F71-30F993B114C2}	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035FE0B1-3409-4435-8F71-30F993B114C2}\stubpath = "C:\\Windows\\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe"	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}\stubpath = "C:\\Windows\\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe"	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}\stubpath = "C:\\Windows\\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe"	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}\stubpath = "C:\\Windows\\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe"	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C884BCA7-3931-4cc4-ADF5-0396C5672756}\stubpath = "C:\\Windows\\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe"	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}\stubpath = "C:\\Windows\\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe"	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391DB70B-418B-448e-B4A3-B29BE41110B3}\stubpath = "C:\\Windows\\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe"	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8462640D-78B4-460f-BF62-4C38AAA3E485}	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391DB70B-418B-448e-B4A3-B29BE41110B3}	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}\stubpath = "C:\\Windows\\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe"	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe
2084	{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
1832	{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
File created	C:\Windows\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
File created	C:\Windows\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
File created	C:\Windows\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
File created	C:\Windows\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
File created	C:\Windows\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe	{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
File created	C:\Windows\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
File created	C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
File created	C:\Windows\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
File created	C:\Windows\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
File created	C:\Windows\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
File created	C:\Windows\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
Token: SeIncBasePriorityPrivilege	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
Token: SeIncBasePriorityPrivilege	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
Token: SeIncBasePriorityPrivilege	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
Token: SeIncBasePriorityPrivilege	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
Token: SeIncBasePriorityPrivilege	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
Token: SeIncBasePriorityPrivilege	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
Token: SeIncBasePriorityPrivilege	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
Token: SeIncBasePriorityPrivilege	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
Token: SeIncBasePriorityPrivilege	4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe
Token: SeIncBasePriorityPrivilege	2084	{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4924	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	87
PID 4324 wrote to memory of 4924	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	87
PID 4324 wrote to memory of 4924	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	87
PID 4324 wrote to memory of 2228	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	88
PID 4324 wrote to memory of 2228	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	88
PID 4324 wrote to memory of 2228	4324	2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe	88
PID 4924 wrote to memory of 2140	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	90
PID 4924 wrote to memory of 2140	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	90
PID 4924 wrote to memory of 2140	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	90
PID 4924 wrote to memory of 1844	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	91
PID 4924 wrote to memory of 1844	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	91
PID 4924 wrote to memory of 1844	4924	{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe	91
PID 2140 wrote to memory of 4996	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	95
PID 2140 wrote to memory of 4996	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	95
PID 2140 wrote to memory of 4996	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	95
PID 2140 wrote to memory of 3100	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	94
PID 2140 wrote to memory of 3100	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	94
PID 2140 wrote to memory of 3100	2140	{035FE0B1-3409-4435-8F71-30F993B114C2}.exe	94
PID 4996 wrote to memory of 792	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	96
PID 4996 wrote to memory of 792	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	96
PID 4996 wrote to memory of 792	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	96
PID 4996 wrote to memory of 996	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	97
PID 4996 wrote to memory of 996	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	97
PID 4996 wrote to memory of 996	4996	{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe	97
PID 792 wrote to memory of 1136	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	98
PID 792 wrote to memory of 1136	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	98
PID 792 wrote to memory of 1136	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	98
PID 792 wrote to memory of 4768	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	99
PID 792 wrote to memory of 4768	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	99
PID 792 wrote to memory of 4768	792	{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe	99
PID 1136 wrote to memory of 864	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	100
PID 1136 wrote to memory of 864	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	100
PID 1136 wrote to memory of 864	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	100
PID 1136 wrote to memory of 4344	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	101
PID 1136 wrote to memory of 4344	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	101
PID 1136 wrote to memory of 4344	1136	{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe	101
PID 864 wrote to memory of 3028	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	102
PID 864 wrote to memory of 3028	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	102
PID 864 wrote to memory of 3028	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	102
PID 864 wrote to memory of 2620	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	103
PID 864 wrote to memory of 2620	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	103
PID 864 wrote to memory of 2620	864	{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe	103
PID 3028 wrote to memory of 3212	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	104
PID 3028 wrote to memory of 3212	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	104
PID 3028 wrote to memory of 3212	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	104
PID 3028 wrote to memory of 3824	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	105
PID 3028 wrote to memory of 3824	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	105
PID 3028 wrote to memory of 3824	3028	{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe	105
PID 3212 wrote to memory of 1388	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	106
PID 3212 wrote to memory of 1388	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	106
PID 3212 wrote to memory of 1388	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	106
PID 3212 wrote to memory of 3920	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	107
PID 3212 wrote to memory of 3920	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	107
PID 3212 wrote to memory of 3920	3212	{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe	107
PID 1388 wrote to memory of 4072	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	108
PID 1388 wrote to memory of 4072	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	108
PID 1388 wrote to memory of 4072	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	108
PID 1388 wrote to memory of 704	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	109
PID 1388 wrote to memory of 704	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	109
PID 1388 wrote to memory of 704	1388	{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe	109
PID 4072 wrote to memory of 2084	4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe	110
PID 4072 wrote to memory of 2084	4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe	110
PID 4072 wrote to memory of 2084	4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe	110
PID 4072 wrote to memory of 4236	4072	{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_5e63955cae724a8dad194272be35d0a7_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
  C:\Windows\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
    C:\Windows\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{035FE~1.EXE > nul
      4⤵
      PID:3100
  - - C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
      C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
        
        C:\Windows\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Windows\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
        
        C:\Windows\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
        
        C:\Windows\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
        
        C:\Windows\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
        
        C:\Windows\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
        
        C:\Windows\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe
        
        C:\Windows\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
        
        C:\Windows\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe
        
        C:\Windows\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20F4C~1.EXE > nul
        13⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ACE6~1.EXE > nul
        12⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{238D0~1.EXE > nul
        11⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EE6~1.EXE > nul
        10⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{391DB~1.EXE > nul
        9⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB517~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EFF2~1.EXE > nul
        7⤵
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D2C~1.EXE > nul
        6⤵
        
        PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C884B~1.EXE > nul
        5⤵
        
        PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84626~1.EXE > nul
    3⤵
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe

Filesize
192KB

MD5
25e2309a87dd287e9436a63c754f01d9

SHA1
518a8bd4cb5b3e709d202a33cfaef91da4109cfa

SHA256
76a4711c44cfc28774492393d8e5cc26cae8b9d25f70098ded62d3d06ba7eb53

SHA512
d1bc1c343a92909b4f81ac093bab7ca4afdd21ca5f149b207037282eb18264fd247a57b9a59371f62cdc6e0f49f8c5dd9d259b0831a3d45bf3f46c2c36c098b3

Download Submit
C:\Windows\{035FE0B1-3409-4435-8F71-30F993B114C2}.exe

Filesize
192KB

MD5
25e2309a87dd287e9436a63c754f01d9

SHA1
518a8bd4cb5b3e709d202a33cfaef91da4109cfa

SHA256
76a4711c44cfc28774492393d8e5cc26cae8b9d25f70098ded62d3d06ba7eb53

SHA512
d1bc1c343a92909b4f81ac093bab7ca4afdd21ca5f149b207037282eb18264fd247a57b9a59371f62cdc6e0f49f8c5dd9d259b0831a3d45bf3f46c2c36c098b3

Download Submit
C:\Windows\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe

Filesize
192KB

MD5
3268c30b8414bca2a6c0d70df4fa9e0e

SHA1
b73240280d7dbb6f7b8216b0ee343fa181b0862f

SHA256
481a18c7c4e5b962906462a459f60e71a4ed26d8a9e817de0f1bacc88a1b4aa4

SHA512
3c81c2e445d9cfa3ad5ebac3daca808b1bb806842635aadb5f4f7ffe016aba94e7c979377206657b6d86021cc23776d17c1e296d0ab8d20d168987bb1a3994ad

Download Submit
C:\Windows\{20F4C00D-1879-4ac3-9CC8-0F7F9B100CBE}.exe

Filesize
192KB

MD5
3268c30b8414bca2a6c0d70df4fa9e0e

SHA1
b73240280d7dbb6f7b8216b0ee343fa181b0862f

SHA256
481a18c7c4e5b962906462a459f60e71a4ed26d8a9e817de0f1bacc88a1b4aa4

SHA512
3c81c2e445d9cfa3ad5ebac3daca808b1bb806842635aadb5f4f7ffe016aba94e7c979377206657b6d86021cc23776d17c1e296d0ab8d20d168987bb1a3994ad

Download Submit
C:\Windows\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe

Filesize
192KB

MD5
42bc251a8f6fba8dd0062bde627a0980

SHA1
0a81c85947e430aebfe135e7f2027aa1b1237ab8

SHA256
1a79552a7eba5a349c54d70e9ff5ffde24d30b5443644a7e66f0e557e3dd22e6

SHA512
1a862826268a2f371c4ffa14ce19d54adf7154ba7db5a483aa38211743416b18e3abe3ea6a4f8655569fa73d69e610aa0e8f989cc5ed1a78c2d877f3e3a49e31

Download Submit
C:\Windows\{238D048B-F7AF-40f6-B31B-FCF59C4185C1}.exe

Filesize
192KB

MD5
42bc251a8f6fba8dd0062bde627a0980

SHA1
0a81c85947e430aebfe135e7f2027aa1b1237ab8

SHA256
1a79552a7eba5a349c54d70e9ff5ffde24d30b5443644a7e66f0e557e3dd22e6

SHA512
1a862826268a2f371c4ffa14ce19d54adf7154ba7db5a483aa38211743416b18e3abe3ea6a4f8655569fa73d69e610aa0e8f989cc5ed1a78c2d877f3e3a49e31

Download Submit
C:\Windows\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe

Filesize
192KB

MD5
d50b5f547ea3dede35ff9cebe2bb29d6

SHA1
7c20da80392c2445b0c049f8ddd479f559fe3c77

SHA256
d51f0e4aafa1455f5f8a8ee2919fed0633a85826840dba22063de2993a6cc046

SHA512
f47e2654dcd9f3decbe8d2b2bd3ee38c0c8ebd042fab70370fee1b5a859a7b5324f13c8f9bc80bc91d995e068a2a4817f67b19fa83d2ae1d16005e68f60ea990

Download Submit
C:\Windows\{2EFF206E-A433-4f18-B3FB-2DE3E8321217}.exe

Filesize
192KB

MD5
d50b5f547ea3dede35ff9cebe2bb29d6

SHA1
7c20da80392c2445b0c049f8ddd479f559fe3c77

SHA256
d51f0e4aafa1455f5f8a8ee2919fed0633a85826840dba22063de2993a6cc046

SHA512
f47e2654dcd9f3decbe8d2b2bd3ee38c0c8ebd042fab70370fee1b5a859a7b5324f13c8f9bc80bc91d995e068a2a4817f67b19fa83d2ae1d16005e68f60ea990

Download Submit
C:\Windows\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe

Filesize
192KB

MD5
d3833d055701c222285de1ee8d44f99e

SHA1
5c373c5882b6c490a4b1387f33c36a9d6499c0bc

SHA256
237d023095b1b6b175822717b856aef964c3385e08e4bb6b90ab51cd4a489003

SHA512
228514b263940ea6129fdea1ebcdf4183813484f9878700f300893a6cb28767f56f327471b658e904a0ad06191c9f27fe1049a6aa5a34030b0d11a6c4a5a54b7

Download Submit
C:\Windows\{391DB70B-418B-448e-B4A3-B29BE41110B3}.exe

Filesize
192KB

MD5
d3833d055701c222285de1ee8d44f99e

SHA1
5c373c5882b6c490a4b1387f33c36a9d6499c0bc

SHA256
237d023095b1b6b175822717b856aef964c3385e08e4bb6b90ab51cd4a489003

SHA512
228514b263940ea6129fdea1ebcdf4183813484f9878700f300893a6cb28767f56f327471b658e904a0ad06191c9f27fe1049a6aa5a34030b0d11a6c4a5a54b7

Download Submit
C:\Windows\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe

Filesize
192KB

MD5
0fdd41d7baba7b3f34fe4926bef23ed9

SHA1
6e26fdee28529a422b8669be265f06716eb9133d

SHA256
7c8f05c71a20776d90da04ea7c356363bf5d53ebc904ceefb50118fef0eac296

SHA512
70466da98f5e34cc16065dbe613d8a0923d5ccedd3709cbd64301076724de732f3dee3c8882653baac0ff658a99a5ad7b8a3bd695153066635ed860315fc04ac

Download Submit
C:\Windows\{8462640D-78B4-460f-BF62-4C38AAA3E485}.exe

Filesize
192KB

MD5
0fdd41d7baba7b3f34fe4926bef23ed9

SHA1
6e26fdee28529a422b8669be265f06716eb9133d

SHA256
7c8f05c71a20776d90da04ea7c356363bf5d53ebc904ceefb50118fef0eac296

SHA512
70466da98f5e34cc16065dbe613d8a0923d5ccedd3709cbd64301076724de732f3dee3c8882653baac0ff658a99a5ad7b8a3bd695153066635ed860315fc04ac

Download Submit
C:\Windows\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe

Filesize
192KB

MD5
2b2c5cd0bdef13bb65420864062d68c3

SHA1
73607e2e625cad3f1fb25740d691623cc4f5698b

SHA256
5e9f6b0afd0d4760ae95da1bbc32454dcf1015a4efd1031fbb5e2a0e34a4c793

SHA512
9cbd9c535f96fb440cc4309b04cab4c1e8f60ff1fbdf952922ac3a16daf55d026cc341ddfc6d8fdf1bf0b3b08c509a96d57088211e945d4d976efc6fed8a73c9

Download Submit
C:\Windows\{9ACE634C-ACE7-456c-92B7-457D14C3A82B}.exe

Filesize
192KB

MD5
2b2c5cd0bdef13bb65420864062d68c3

SHA1
73607e2e625cad3f1fb25740d691623cc4f5698b

SHA256
5e9f6b0afd0d4760ae95da1bbc32454dcf1015a4efd1031fbb5e2a0e34a4c793

SHA512
9cbd9c535f96fb440cc4309b04cab4c1e8f60ff1fbdf952922ac3a16daf55d026cc341ddfc6d8fdf1bf0b3b08c509a96d57088211e945d4d976efc6fed8a73c9

Download Submit
C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe

Filesize
192KB

MD5
ceb52f0e33cb2906af7e576bf8798f7d

SHA1
af17da62386e53ba3830c9411cf46c7ea00f1453

SHA256
d9a06b34cc5c49e75ebc01c535915221c1a04c3d00073c218deb869c9181bef0

SHA512
89ed0ec2bfc3db683da78ba3acc5df43f752a38a44eae71b9e6ac3059b39008887807360824b4b71ca169d88a1101382514d4e26c241dff2fc30485e21aa76d9

Download Submit
C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe

Filesize
192KB

MD5
ceb52f0e33cb2906af7e576bf8798f7d

SHA1
af17da62386e53ba3830c9411cf46c7ea00f1453

SHA256
d9a06b34cc5c49e75ebc01c535915221c1a04c3d00073c218deb869c9181bef0

SHA512
89ed0ec2bfc3db683da78ba3acc5df43f752a38a44eae71b9e6ac3059b39008887807360824b4b71ca169d88a1101382514d4e26c241dff2fc30485e21aa76d9

Download Submit
C:\Windows\{C884BCA7-3931-4cc4-ADF5-0396C5672756}.exe

Filesize
192KB

MD5
ceb52f0e33cb2906af7e576bf8798f7d

SHA1
af17da62386e53ba3830c9411cf46c7ea00f1453

SHA256
d9a06b34cc5c49e75ebc01c535915221c1a04c3d00073c218deb869c9181bef0

SHA512
89ed0ec2bfc3db683da78ba3acc5df43f752a38a44eae71b9e6ac3059b39008887807360824b4b71ca169d88a1101382514d4e26c241dff2fc30485e21aa76d9

Download Submit
C:\Windows\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe

Filesize
192KB

MD5
1736b8aaa6226a9d04a89cda6b5b044d

SHA1
76991d95f4f246b5a2bf2c116116067b4bf60168

SHA256
98e21ca21a38475988ca41aea087c9b5acaea1a4ebbb883853f66b4dd8db92f3

SHA512
c740859591a38a7dd1bb46f4d13be1ac02fe05a8437308cd5259aeaf2a8e4dbdd5abbd485beaa57c9ac2d2ec8ea8b2699be1308a2add6c7e8ea350672c483d07

Download Submit
C:\Windows\{D7D2C5FA-07AA-4350-ABDD-0E78D0FCD02D}.exe

Filesize
192KB

MD5
1736b8aaa6226a9d04a89cda6b5b044d

SHA1
76991d95f4f246b5a2bf2c116116067b4bf60168

SHA256
98e21ca21a38475988ca41aea087c9b5acaea1a4ebbb883853f66b4dd8db92f3

SHA512
c740859591a38a7dd1bb46f4d13be1ac02fe05a8437308cd5259aeaf2a8e4dbdd5abbd485beaa57c9ac2d2ec8ea8b2699be1308a2add6c7e8ea350672c483d07

Download Submit
C:\Windows\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe

Filesize
192KB

MD5
b5e996a2e66ff855d0fd87be39054912

SHA1
f2c335db329221f25a21f0504d98e0c9fb3fcd8b

SHA256
221859f5ee05fce0c3efbee86265edbeea0bae60605f12988d2ad096b157c614

SHA512
73cbba5ed025a58035fd213fded5998991fefb23e59d0aeef676e7eb976d5c03201bf8f6732bb55bbbd8123dd8620a44a4e33dc933bb4914a526dd1dc386f1da

Download Submit
C:\Windows\{DB517547-5FD9-4d51-B5FB-5EF13F61A907}.exe

Filesize
192KB

MD5
b5e996a2e66ff855d0fd87be39054912

SHA1
f2c335db329221f25a21f0504d98e0c9fb3fcd8b

SHA256
221859f5ee05fce0c3efbee86265edbeea0bae60605f12988d2ad096b157c614

SHA512
73cbba5ed025a58035fd213fded5998991fefb23e59d0aeef676e7eb976d5c03201bf8f6732bb55bbbd8123dd8620a44a4e33dc933bb4914a526dd1dc386f1da

Download Submit
C:\Windows\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe

Filesize
192KB

MD5
d558109d280b55feab5701ec64603ef5

SHA1
52239fb673b894a39f2b58f4038093a84f460922

SHA256
632969540cb0fbb7b4de046e0fdbc73c0d1e0daabac0851e40f8ef93e908602a

SHA512
17293524e68ceca8dea72ab35cd624934e3afbb7482994772dd3e6877b3659b63c572595b6862e63d82680c3026fb82bf6dcb3ad30bcfe60987e8918f5c4b741

Download Submit
C:\Windows\{E7EE65C7-E76D-46ce-8B98-57A00182E57E}.exe

Filesize
192KB

MD5
d558109d280b55feab5701ec64603ef5

SHA1
52239fb673b894a39f2b58f4038093a84f460922

SHA256
632969540cb0fbb7b4de046e0fdbc73c0d1e0daabac0851e40f8ef93e908602a

SHA512
17293524e68ceca8dea72ab35cd624934e3afbb7482994772dd3e6877b3659b63c572595b6862e63d82680c3026fb82bf6dcb3ad30bcfe60987e8918f5c4b741

Download Submit
C:\Windows\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe

Filesize
192KB

MD5
a6367df75fc32c36df0818f44020a22d

SHA1
0636153449377eb9c4cd58130e6b7b2dc1af4f9e

SHA256
fa94d07bca0e7d34135c5fd08293a39c157273ddeebbdfd836abae6993867be1

SHA512
6b691d0eecc643e3f1b3e7102d57df1f7aa4a35688b090ff433e9d86baa872f7b1d3c4043575c6b1afc0a715150b36c937d87c2f03fc7d518b78a2314619f4e3

Download Submit
C:\Windows\{F5B21EF8-22ED-4328-8F4D-926032AA2E7F}.exe

Filesize
192KB

MD5
a6367df75fc32c36df0818f44020a22d

SHA1
0636153449377eb9c4cd58130e6b7b2dc1af4f9e

SHA256
fa94d07bca0e7d34135c5fd08293a39c157273ddeebbdfd836abae6993867be1

SHA512
6b691d0eecc643e3f1b3e7102d57df1f7aa4a35688b090ff433e9d86baa872f7b1d3c4043575c6b1afc0a715150b36c937d87c2f03fc7d518b78a2314619f4e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads