242cb6f91ebde413682271a2391efd8a06bd7b6734685f65b5c89b0448265c98

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Size

204KB
MD5

6a39fb81aff4d385b397cef69bc1b97a
SHA1

20d7c6e223534e5dca4955a85ac362971f876ad0
SHA256

242cb6f91ebde413682271a2391efd8a06bd7b6734685f65b5c89b0448265c98
SHA512

3c1dc97d3bd4e89688110b29882830f2eb407407ad3fb1a490df6ae2860f202d85331186bef55360d047470f97e5e248402485f347edf94820656e703aeaa181
SSDEEP

1536:1EGh0oILl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}\stubpath = "C:\\Windows\\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe"	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1311928D-E242-4923-8DC4-06294D73CEF5}\stubpath = "C:\\Windows\\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe"	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4096739-B812-4c7e-BB98-54C322907AF3}	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}\stubpath = "C:\\Windows\\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe"	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5498A99E-E7EE-4bce-887A-F98023BF1F08}	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04BB5F4-65CB-450c-84B9-2462181456EC}	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1311928D-E242-4923-8DC4-06294D73CEF5}	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}\stubpath = "C:\\Windows\\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe"	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}\stubpath = "C:\\Windows\\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe"	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4737FC-6500-4221-BAD1-E7EE64B05638}	{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4737FC-6500-4221-BAD1-E7EE64B05638}\stubpath = "C:\\Windows\\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe"	{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5498A99E-E7EE-4bce-887A-F98023BF1F08}\stubpath = "C:\\Windows\\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe"	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04BB5F4-65CB-450c-84B9-2462181456EC}\stubpath = "C:\\Windows\\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe"	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4096739-B812-4c7e-BB98-54C322907AF3}\stubpath = "C:\\Windows\\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe"	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}\stubpath = "C:\\Windows\\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe"	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}\stubpath = "C:\\Windows\\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe"	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}\stubpath = "C:\\Windows\\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe"	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
3116	{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
4384	{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe	{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
File created	C:\Windows\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
File created	C:\Windows\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
File created	C:\Windows\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
File created	C:\Windows\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
File created	C:\Windows\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
File created	C:\Windows\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
File created	C:\Windows\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
File created	C:\Windows\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
File created	C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
File created	C:\Windows\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
File created	C:\Windows\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
Token: SeIncBasePriorityPrivilege	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
Token: SeIncBasePriorityPrivilege	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
Token: SeIncBasePriorityPrivilege	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
Token: SeIncBasePriorityPrivilege	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
Token: SeIncBasePriorityPrivilege	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
Token: SeIncBasePriorityPrivilege	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
Token: SeIncBasePriorityPrivilege	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
Token: SeIncBasePriorityPrivilege	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
Token: SeIncBasePriorityPrivilege	3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
Token: SeIncBasePriorityPrivilege	3116	{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 1356	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	87
PID 4520 wrote to memory of 1356	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	87
PID 4520 wrote to memory of 1356	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	87
PID 4520 wrote to memory of 1984	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	88
PID 4520 wrote to memory of 1984	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	88
PID 4520 wrote to memory of 1984	4520	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	88
PID 1356 wrote to memory of 1660	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	89
PID 1356 wrote to memory of 1660	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	89
PID 1356 wrote to memory of 1660	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	89
PID 1356 wrote to memory of 4328	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	90
PID 1356 wrote to memory of 4328	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	90
PID 1356 wrote to memory of 4328	1356	{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe	90
PID 1660 wrote to memory of 5056	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	95
PID 1660 wrote to memory of 5056	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	95
PID 1660 wrote to memory of 5056	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	95
PID 1660 wrote to memory of 1480	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	94
PID 1660 wrote to memory of 1480	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	94
PID 1660 wrote to memory of 1480	1660	{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe	94
PID 5056 wrote to memory of 2236	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	96
PID 5056 wrote to memory of 2236	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	96
PID 5056 wrote to memory of 2236	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	96
PID 5056 wrote to memory of 1136	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	97
PID 5056 wrote to memory of 1136	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	97
PID 5056 wrote to memory of 1136	5056	{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe	97
PID 2236 wrote to memory of 4848	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	98
PID 2236 wrote to memory of 4848	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	98
PID 2236 wrote to memory of 4848	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	98
PID 2236 wrote to memory of 4580	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	99
PID 2236 wrote to memory of 4580	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	99
PID 2236 wrote to memory of 4580	2236	{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe	99
PID 4848 wrote to memory of 1768	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	100
PID 4848 wrote to memory of 1768	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	100
PID 4848 wrote to memory of 1768	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	100
PID 4848 wrote to memory of 3016	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	101
PID 4848 wrote to memory of 3016	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	101
PID 4848 wrote to memory of 3016	4848	{1311928D-E242-4923-8DC4-06294D73CEF5}.exe	101
PID 1768 wrote to memory of 3448	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	102
PID 1768 wrote to memory of 3448	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	102
PID 1768 wrote to memory of 3448	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	102
PID 1768 wrote to memory of 1216	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	103
PID 1768 wrote to memory of 1216	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	103
PID 1768 wrote to memory of 1216	1768	{D4096739-B812-4c7e-BB98-54C322907AF3}.exe	103
PID 3448 wrote to memory of 3368	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	104
PID 3448 wrote to memory of 3368	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	104
PID 3448 wrote to memory of 3368	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	104
PID 3448 wrote to memory of 2164	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	105
PID 3448 wrote to memory of 2164	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	105
PID 3448 wrote to memory of 2164	3448	{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe	105
PID 3368 wrote to memory of 2952	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	106
PID 3368 wrote to memory of 2952	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	106
PID 3368 wrote to memory of 2952	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	106
PID 3368 wrote to memory of 1416	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	107
PID 3368 wrote to memory of 1416	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	107
PID 3368 wrote to memory of 1416	3368	{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe	107
PID 2952 wrote to memory of 3096	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	108
PID 2952 wrote to memory of 3096	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	108
PID 2952 wrote to memory of 3096	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	108
PID 2952 wrote to memory of 2560	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	109
PID 2952 wrote to memory of 2560	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	109
PID 2952 wrote to memory of 2560	2952	{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe	109
PID 3096 wrote to memory of 3116	3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe	110
PID 3096 wrote to memory of 3116	3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe	110
PID 3096 wrote to memory of 3116	3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe	110
PID 3096 wrote to memory of 4712	3096	{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
  C:\Windows\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
    C:\Windows\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7A8A~1.EXE > nul
      4⤵
      PID:1480
  - - C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
      C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
        
        C:\Windows\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
        
        C:\Windows\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
        
        C:\Windows\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
        
        C:\Windows\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
        
        C:\Windows\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
        
        C:\Windows\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
        
        C:\Windows\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
        
        C:\Windows\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe
        
        C:\Windows\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe
        13⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC383~1.EXE > nul
        13⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D3A0~1.EXE > nul
        12⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A29E~1.EXE > nul
        11⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D3B~1.EXE > nul
        10⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C9E8~1.EXE > nul
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4096~1.EXE > nul
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13119~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E04BB~1.EXE > nul
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5498A~1.EXE > nul
        5⤵
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEB4~1.EXE > nul
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe

Filesize
204KB

MD5
3866e01882eceb57bc13f4ee87ef1827

SHA1
9957a3019f87f44164ffecaffc19e85b3b7c090e

SHA256
0ce5e582288b8efec503c8600869fce50fceb4ec8db94525c62d010873789fe5

SHA512
29e3f92b6f16a646b8d946ce43a2d3c51216c58a9e2c3ae033b7e073a3e51e2a231fb4e52804b8e1a4ddefb96150543571f914932067b75ac62c0d6d1fbfe8ba

Download Submit
C:\Windows\{1311928D-E242-4923-8DC4-06294D73CEF5}.exe

Filesize
204KB

MD5
3866e01882eceb57bc13f4ee87ef1827

SHA1
9957a3019f87f44164ffecaffc19e85b3b7c090e

SHA256
0ce5e582288b8efec503c8600869fce50fceb4ec8db94525c62d010873789fe5

SHA512
29e3f92b6f16a646b8d946ce43a2d3c51216c58a9e2c3ae033b7e073a3e51e2a231fb4e52804b8e1a4ddefb96150543571f914932067b75ac62c0d6d1fbfe8ba

Download Submit
C:\Windows\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe

Filesize
204KB

MD5
aafe035bee92d32a3327e99f935c7575

SHA1
4d6597509eaad1ec50b53e76a3c9e18344edd1b3

SHA256
bcb3e932693bb804417687d7d651d196e545d24c52afc679e14e22897998b3b9

SHA512
6085a05b12c7dcfc8440a0fb55b3d41dda3b26973f11be87d7f9472a6f12ac0f70bc601c63b9f4a2d5ad2b02a449f775369bac8e3c1b8472fbc412d9300d2276

Download Submit
C:\Windows\{1A29E1A5-CC25-4ddf-B86E-5C9CFC6B3860}.exe

Filesize
204KB

MD5
aafe035bee92d32a3327e99f935c7575

SHA1
4d6597509eaad1ec50b53e76a3c9e18344edd1b3

SHA256
bcb3e932693bb804417687d7d651d196e545d24c52afc679e14e22897998b3b9

SHA512
6085a05b12c7dcfc8440a0fb55b3d41dda3b26973f11be87d7f9472a6f12ac0f70bc601c63b9f4a2d5ad2b02a449f775369bac8e3c1b8472fbc412d9300d2276

Download Submit
C:\Windows\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe

Filesize
204KB

MD5
a8df61af271627535988cda2b2267d3e

SHA1
27d83b07b5a1596b10a7eee4087d4b7add51b20a

SHA256
7143a68658e4205a3f95fef5ffa2046461368a6758d22f886f7e5b385921ff38

SHA512
32ca758f63fdb970eca929d96e81d8d409be2b20785c83cc07e15930f66b95adb627b301570a68d1ba2c27473d003149c41f95b557da996ca6ffcfd71d0f340c

Download Submit
C:\Windows\{1C9E8EBF-3A6D-45e5-AB23-E9F9821039C5}.exe

Filesize
204KB

MD5
a8df61af271627535988cda2b2267d3e

SHA1
27d83b07b5a1596b10a7eee4087d4b7add51b20a

SHA256
7143a68658e4205a3f95fef5ffa2046461368a6758d22f886f7e5b385921ff38

SHA512
32ca758f63fdb970eca929d96e81d8d409be2b20785c83cc07e15930f66b95adb627b301570a68d1ba2c27473d003149c41f95b557da996ca6ffcfd71d0f340c

Download Submit
C:\Windows\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe

Filesize
204KB

MD5
d50a71e5ad24fcc30d25a337686c09eb

SHA1
eb00d179d127b5ca0081fe656ba33a4393a84d05

SHA256
4c8a53daa5cedc0bdb9532327a4456d8905d6e9c881064bf125d1e5003aa6fd4

SHA512
51c22000d532067d267dcf2ef4ded3f2b4c873fe76645f7ff7b633c6b86ac61574863ea4e3785e28559782d60e161f0b4a6260958d9430559f6cae0258547983

Download Submit
C:\Windows\{1D3A0017-985E-4f11-B999-8FCCFAE35DF5}.exe

Filesize
204KB

MD5
d50a71e5ad24fcc30d25a337686c09eb

SHA1
eb00d179d127b5ca0081fe656ba33a4393a84d05

SHA256
4c8a53daa5cedc0bdb9532327a4456d8905d6e9c881064bf125d1e5003aa6fd4

SHA512
51c22000d532067d267dcf2ef4ded3f2b4c873fe76645f7ff7b633c6b86ac61574863ea4e3785e28559782d60e161f0b4a6260958d9430559f6cae0258547983

Download Submit
C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe

Filesize
204KB

MD5
64c50a2a0e226a7c1813a87fa5de953f

SHA1
f503a3faafcc55c2adb0ca81778cae260b83dfe6

SHA256
252134908332d83863876c737c11801a8d17d39216214111ff99ff38f84fc1d0

SHA512
ff301380d50b122466b516878939148caca3343f03a4ef5888696e3b4032a730853c82265a57e61c516979ca47905b7aa92d30a26110b3a8deac9c68ab805479

Download Submit
C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe

Filesize
204KB

MD5
64c50a2a0e226a7c1813a87fa5de953f

SHA1
f503a3faafcc55c2adb0ca81778cae260b83dfe6

SHA256
252134908332d83863876c737c11801a8d17d39216214111ff99ff38f84fc1d0

SHA512
ff301380d50b122466b516878939148caca3343f03a4ef5888696e3b4032a730853c82265a57e61c516979ca47905b7aa92d30a26110b3a8deac9c68ab805479

Download Submit
C:\Windows\{5498A99E-E7EE-4bce-887A-F98023BF1F08}.exe

Filesize
204KB

MD5
64c50a2a0e226a7c1813a87fa5de953f

SHA1
f503a3faafcc55c2adb0ca81778cae260b83dfe6

SHA256
252134908332d83863876c737c11801a8d17d39216214111ff99ff38f84fc1d0

SHA512
ff301380d50b122466b516878939148caca3343f03a4ef5888696e3b4032a730853c82265a57e61c516979ca47905b7aa92d30a26110b3a8deac9c68ab805479

Download Submit
C:\Windows\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe

Filesize
204KB

MD5
1994a6c7fdce4a25edfddfdf20cb368f

SHA1
81af82464476e91bd4e1c44ae5627be5f3f85472

SHA256
9a9a3682a2591e58a942bc44bac7779135691b54ec1327ed33f7ca303d849776

SHA512
9bbf395d872f8e310fd242f1d3d8ac8eecd4f941ba7b9e1d71577c2f74ace65134dfa8e8a16a4c4a218af0278667d9cc2dac378c90763276183ee32227edbcd4

Download Submit
C:\Windows\{8EEB4F78-C4DB-4194-885C-EA8A2E7A180F}.exe

Filesize
204KB

MD5
1994a6c7fdce4a25edfddfdf20cb368f

SHA1
81af82464476e91bd4e1c44ae5627be5f3f85472

SHA256
9a9a3682a2591e58a942bc44bac7779135691b54ec1327ed33f7ca303d849776

SHA512
9bbf395d872f8e310fd242f1d3d8ac8eecd4f941ba7b9e1d71577c2f74ace65134dfa8e8a16a4c4a218af0278667d9cc2dac378c90763276183ee32227edbcd4

Download Submit
C:\Windows\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe

Filesize
204KB

MD5
2e63830929c33016e8f13754428ff0b3

SHA1
a38ab587e6e7a00dec69c6f0210110b65abf567c

SHA256
29cb04a68375df323ca2d281b227d73a81a542789ef9433b2828b0dd25f46f00

SHA512
62f6e76dedb7bee4f47f5233676f20cba6c6adc44e6eb0facae8016653f2ecfdb72ccbd002e0d95abce6ad37089576f2095847bd0ccbcc1695282f5078e6a734

Download Submit
C:\Windows\{AD4737FC-6500-4221-BAD1-E7EE64B05638}.exe

Filesize
204KB

MD5
2e63830929c33016e8f13754428ff0b3

SHA1
a38ab587e6e7a00dec69c6f0210110b65abf567c

SHA256
29cb04a68375df323ca2d281b227d73a81a542789ef9433b2828b0dd25f46f00

SHA512
62f6e76dedb7bee4f47f5233676f20cba6c6adc44e6eb0facae8016653f2ecfdb72ccbd002e0d95abce6ad37089576f2095847bd0ccbcc1695282f5078e6a734

Download Submit
C:\Windows\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe

Filesize
204KB

MD5
7a1f86233835e60f9171bf455fcf6986

SHA1
00089a64683395fdd9d63e699a06f5f6ce625c25

SHA256
bd448978e76043eabd73ebc9b0e1ba9c71b4bc3802d7c74b2be616bc3ef7f32f

SHA512
687e5e5f5315a319c65c04891b10109c571552adba113c1035bc455def9088dd24abc1ecaf2069bf664965ba518439bf839d89dd98de91adb1a5dc8c40cf90fa

Download Submit
C:\Windows\{B9D3BAD0-2A1E-4120-B76A-271305BB444A}.exe

Filesize
204KB

MD5
7a1f86233835e60f9171bf455fcf6986

SHA1
00089a64683395fdd9d63e699a06f5f6ce625c25

SHA256
bd448978e76043eabd73ebc9b0e1ba9c71b4bc3802d7c74b2be616bc3ef7f32f

SHA512
687e5e5f5315a319c65c04891b10109c571552adba113c1035bc455def9088dd24abc1ecaf2069bf664965ba518439bf839d89dd98de91adb1a5dc8c40cf90fa

Download Submit
C:\Windows\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe

Filesize
204KB

MD5
eafa1568755f5b1fc1ffe0a4dfed4d30

SHA1
a5da4cd562d0db5e3165495de232730380d9b97c

SHA256
27dde8cc1e640ea362ce3960ffb11fd4042841298eeb4ffb7262cc2cb4211c8b

SHA512
3eb0b269fca00c028bdb9fce7b995096a6e45e2f8ebacd17bfa835daf25fa88c55ed9815f1a2fabebfa7502322acc1235480c424a5ca28531960a7e0897042d4

Download Submit
C:\Windows\{CC3832D8-0DD1-476e-ABB3-7FFFF2F8C31C}.exe

Filesize
204KB

MD5
eafa1568755f5b1fc1ffe0a4dfed4d30

SHA1
a5da4cd562d0db5e3165495de232730380d9b97c

SHA256
27dde8cc1e640ea362ce3960ffb11fd4042841298eeb4ffb7262cc2cb4211c8b

SHA512
3eb0b269fca00c028bdb9fce7b995096a6e45e2f8ebacd17bfa835daf25fa88c55ed9815f1a2fabebfa7502322acc1235480c424a5ca28531960a7e0897042d4

Download Submit
C:\Windows\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe

Filesize
204KB

MD5
bb35bfd426c945331b153f19349994dc

SHA1
78cc28f94ad8a1a60c6a9eb06bbe931e8652cacb

SHA256
5d86848701a5c9e8fbbed434b982cd36b58fb9f0dd9c6b6d1abdd8a7b7f6b048

SHA512
c64c36f8d704c6dea20c3d907cd76f0499a28058a8268d30903f35f4bad0f484dacdfc15409f407f53bdc319c5b6549441ddc38b15f28ef69824a0a2f1006a1d

Download Submit
C:\Windows\{D4096739-B812-4c7e-BB98-54C322907AF3}.exe

Filesize
204KB

MD5
bb35bfd426c945331b153f19349994dc

SHA1
78cc28f94ad8a1a60c6a9eb06bbe931e8652cacb

SHA256
5d86848701a5c9e8fbbed434b982cd36b58fb9f0dd9c6b6d1abdd8a7b7f6b048

SHA512
c64c36f8d704c6dea20c3d907cd76f0499a28058a8268d30903f35f4bad0f484dacdfc15409f407f53bdc319c5b6549441ddc38b15f28ef69824a0a2f1006a1d

Download Submit
C:\Windows\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe

Filesize
204KB

MD5
76f79d25239cff0bcb0f6e7e95893d6d

SHA1
001263cf3a93a6be150a8ef687e1b65c05c6ba59

SHA256
3e1c243ae57d8d12a3f26eac754fad88dd14c47618274e8981f025defa8f3e07

SHA512
9cd123d75caff6d9d15dae4dda8b3a4ad39be1645a226e36ea7678fb39ccc2cea96821e34b8d6661a4d6a410d754c71a3594fef6ebdba5de6daf2424dbdf7326

Download Submit
C:\Windows\{E04BB5F4-65CB-450c-84B9-2462181456EC}.exe

Filesize
204KB

MD5
76f79d25239cff0bcb0f6e7e95893d6d

SHA1
001263cf3a93a6be150a8ef687e1b65c05c6ba59

SHA256
3e1c243ae57d8d12a3f26eac754fad88dd14c47618274e8981f025defa8f3e07

SHA512
9cd123d75caff6d9d15dae4dda8b3a4ad39be1645a226e36ea7678fb39ccc2cea96821e34b8d6661a4d6a410d754c71a3594fef6ebdba5de6daf2424dbdf7326

Download Submit
C:\Windows\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe

Filesize
204KB

MD5
ef32809b9bfc3612b699dd3d774228ca

SHA1
9f7e3abc683dc56897b8b6b7f34c3ba8f66adb2a

SHA256
8c5d3795b7b232df2fc9a5e85ac47c11de07d4b5aeb13339668e4087510b5869

SHA512
b9997c791e48b0fcf7dad67589ac914279354ac9032b915b0a8fbd89be2375a534265914449c19b63e42137a4f19efc2fb0cd6b58fd176ce26cd3971666e367c

Download Submit
C:\Windows\{F7A8A213-BF76-4dc0-9655-DE85250C49A3}.exe

Filesize
204KB

MD5
ef32809b9bfc3612b699dd3d774228ca

SHA1
9f7e3abc683dc56897b8b6b7f34c3ba8f66adb2a

SHA256
8c5d3795b7b232df2fc9a5e85ac47c11de07d4b5aeb13339668e4087510b5869

SHA512
b9997c791e48b0fcf7dad67589ac914279354ac9032b915b0a8fbd89be2375a534265914449c19b63e42137a4f19efc2fb0cd6b58fd176ce26cd3971666e367c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads