c12004646af549b1719a27a727b4575a43f99268d23cb7bd95da2e166689c463

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Size

168KB
MD5

830b6271b3c5fc54beb5ec2016863bd1
SHA1

600c19f2fda91ebda4d0f30dc104f791d1afce52
SHA256

c12004646af549b1719a27a727b4575a43f99268d23cb7bd95da2e166689c463
SHA512

38791b5598ce1db48e53f2cb1cb51a7199c636942265d3870ca90ba9528dd631188034d2df2dda8716f32f0d63690215d435e73bc81f00329239c36bb86f7148
SSDEEP

1536:1EGh0oPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oPlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4662F822-108B-416c-BA4E-86310F1073EF}	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C26E663A-096D-4349-9263-C4EA5CD9D61A}\stubpath = "C:\\Windows\\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe"	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6572F20E-65D4-4ee8-9761-008401F3A8E8}\stubpath = "C:\\Windows\\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe"	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}\stubpath = "C:\\Windows\\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe"	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}\stubpath = "C:\\Windows\\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe"	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}	{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C26E663A-096D-4349-9263-C4EA5CD9D61A}	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}\stubpath = "C:\\Windows\\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe"	{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}\stubpath = "C:\\Windows\\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe"	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}\stubpath = "C:\\Windows\\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe"	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}\stubpath = "C:\\Windows\\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe"	{4662F822-108B-416c-BA4E-86310F1073EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06DCEB1-9C91-475c-A25F-296801E0A075}	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06DCEB1-9C91-475c-A25F-296801E0A075}\stubpath = "C:\\Windows\\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe"	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}	{4662F822-108B-416c-BA4E-86310F1073EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6572F20E-65D4-4ee8-9761-008401F3A8E8}	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}\stubpath = "C:\\Windows\\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe"	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4662F822-108B-416c-BA4E-86310F1073EF}\stubpath = "C:\\Windows\\{4662F822-108B-416c-BA4E-86310F1073EF}.exe"	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}\stubpath = "C:\\Windows\\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe"	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe
1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
3756	{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
432	{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
File created	C:\Windows\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe	{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
File created	C:\Windows\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
File created	C:\Windows\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
File created	C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
File created	C:\Windows\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
File created	C:\Windows\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
File created	C:\Windows\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
File created	C:\Windows\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
File created	C:\Windows\{4662F822-108B-416c-BA4E-86310F1073EF}.exe	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
File created	C:\Windows\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	{4662F822-108B-416c-BA4E-86310F1073EF}.exe
File created	C:\Windows\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
Token: SeIncBasePriorityPrivilege	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
Token: SeIncBasePriorityPrivilege	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
Token: SeIncBasePriorityPrivilege	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
Token: SeIncBasePriorityPrivilege	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
Token: SeIncBasePriorityPrivilege	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
Token: SeIncBasePriorityPrivilege	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
Token: SeIncBasePriorityPrivilege	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe
Token: SeIncBasePriorityPrivilege	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
Token: SeIncBasePriorityPrivilege	3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
Token: SeIncBasePriorityPrivilege	3756	{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3268	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	87
PID 1820 wrote to memory of 3268	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	87
PID 1820 wrote to memory of 3268	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	87
PID 1820 wrote to memory of 1440	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	88
PID 1820 wrote to memory of 1440	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	88
PID 1820 wrote to memory of 1440	1820	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	88
PID 3268 wrote to memory of 1420	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	89
PID 3268 wrote to memory of 1420	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	89
PID 3268 wrote to memory of 1420	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	89
PID 3268 wrote to memory of 2428	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	90
PID 3268 wrote to memory of 2428	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	90
PID 3268 wrote to memory of 2428	3268	{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe	90
PID 1420 wrote to memory of 4500	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	95
PID 1420 wrote to memory of 4500	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	95
PID 1420 wrote to memory of 4500	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	95
PID 1420 wrote to memory of 3552	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	94
PID 1420 wrote to memory of 3552	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	94
PID 1420 wrote to memory of 3552	1420	{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe	94
PID 4500 wrote to memory of 2788	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	96
PID 4500 wrote to memory of 2788	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	96
PID 4500 wrote to memory of 2788	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	96
PID 4500 wrote to memory of 2948	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	97
PID 4500 wrote to memory of 2948	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	97
PID 4500 wrote to memory of 2948	4500	{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe	97
PID 2788 wrote to memory of 3504	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	98
PID 2788 wrote to memory of 3504	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	98
PID 2788 wrote to memory of 3504	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	98
PID 2788 wrote to memory of 3056	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	99
PID 2788 wrote to memory of 3056	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	99
PID 2788 wrote to memory of 3056	2788	{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe	99
PID 3504 wrote to memory of 2712	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	100
PID 3504 wrote to memory of 2712	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	100
PID 3504 wrote to memory of 2712	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	100
PID 3504 wrote to memory of 812	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	101
PID 3504 wrote to memory of 812	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	101
PID 3504 wrote to memory of 812	3504	{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe	101
PID 2712 wrote to memory of 3548	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	102
PID 2712 wrote to memory of 3548	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	102
PID 2712 wrote to memory of 3548	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	102
PID 2712 wrote to memory of 4436	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	103
PID 2712 wrote to memory of 4436	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	103
PID 2712 wrote to memory of 4436	2712	{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe	103
PID 3548 wrote to memory of 1408	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	104
PID 3548 wrote to memory of 1408	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	104
PID 3548 wrote to memory of 1408	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	104
PID 3548 wrote to memory of 3328	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	105
PID 3548 wrote to memory of 3328	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	105
PID 3548 wrote to memory of 3328	3548	{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe	105
PID 1408 wrote to memory of 1732	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	106
PID 1408 wrote to memory of 1732	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	106
PID 1408 wrote to memory of 1732	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	106
PID 1408 wrote to memory of 4284	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	107
PID 1408 wrote to memory of 4284	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	107
PID 1408 wrote to memory of 4284	1408	{4662F822-108B-416c-BA4E-86310F1073EF}.exe	107
PID 1732 wrote to memory of 3408	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	108
PID 1732 wrote to memory of 3408	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	108
PID 1732 wrote to memory of 3408	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	108
PID 1732 wrote to memory of 1512	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	109
PID 1732 wrote to memory of 1512	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	109
PID 1732 wrote to memory of 1512	1732	{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe	109
PID 3408 wrote to memory of 3756	3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe	110
PID 3408 wrote to memory of 3756	3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe	110
PID 3408 wrote to memory of 3756	3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe	110
PID 3408 wrote to memory of 1204	3408	{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
  C:\Windows\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
    C:\Windows\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6220F~1.EXE > nul
      4⤵
      PID:3552
  - - C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
      C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
        
        C:\Windows\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
        
        C:\Windows\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
        
        C:\Windows\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
        
        C:\Windows\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{4662F822-108B-416c-BA4E-86310F1073EF}.exe
        
        C:\Windows\{4662F822-108B-416c-BA4E-86310F1073EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
        
        C:\Windows\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
        
        C:\Windows\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
        
        C:\Windows\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe
        
        C:\Windows\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe
        13⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C26E6~1.EXE > nul
        13⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3E1~1.EXE > nul
        12⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC13E~1.EXE > nul
        11⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4662F~1.EXE > nul
        10⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FDE7~1.EXE > nul
        9⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0B2~1.EXE > nul
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B06DC~1.EXE > nul
        7⤵
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01AC7~1.EXE > nul
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{547B3~1.EXE > nul
        5⤵
        
        PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6572F~1.EXE > nul
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe

Filesize
168KB

MD5
e2b4dfb03a96123119d0ed8e55273737

SHA1
57481c419601843195d76f0c7832cc1d55d5050e

SHA256
87033555d9922df99eaec1b8c20ec7ffb1d8e4507747df88c51cad0bffd38b67

SHA512
900a591efe3dc1a2fcf608d7dff89a5b84a589eed8b39805752161921e976b354f35a2166c489da7f9bffb48cfff03942dd811d28db70d8cacf97e2ce4e7f096

Download Submit
C:\Windows\{01AC7BE3-BEC3-4af9-8906-86EA41D52D56}.exe

Filesize
168KB

MD5
e2b4dfb03a96123119d0ed8e55273737

SHA1
57481c419601843195d76f0c7832cc1d55d5050e

SHA256
87033555d9922df99eaec1b8c20ec7ffb1d8e4507747df88c51cad0bffd38b67

SHA512
900a591efe3dc1a2fcf608d7dff89a5b84a589eed8b39805752161921e976b354f35a2166c489da7f9bffb48cfff03942dd811d28db70d8cacf97e2ce4e7f096

Download Submit
C:\Windows\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe

Filesize
168KB

MD5
6e485a66dd54951b1375f84b146a4bc4

SHA1
b0062c4dc30ad6ffd859ed6760bf067d72b147c0

SHA256
b851b1094454f424773f60243fa713fe4026f201d3b47dcb87e831a8f1bc6437

SHA512
b8aa6f51d4a13560d38d86409c465a0f04b17a8ea98ff461bc327467f1b215e76a7a89bcdf5e0717dd5bd55dc31cf618b935365b9819567e709872987a90cd9f

Download Submit
C:\Windows\{3FDE70EA-9762-4deb-8B19-21F92FCE5452}.exe

Filesize
168KB

MD5
6e485a66dd54951b1375f84b146a4bc4

SHA1
b0062c4dc30ad6ffd859ed6760bf067d72b147c0

SHA256
b851b1094454f424773f60243fa713fe4026f201d3b47dcb87e831a8f1bc6437

SHA512
b8aa6f51d4a13560d38d86409c465a0f04b17a8ea98ff461bc327467f1b215e76a7a89bcdf5e0717dd5bd55dc31cf618b935365b9819567e709872987a90cd9f

Download Submit
C:\Windows\{4662F822-108B-416c-BA4E-86310F1073EF}.exe

Filesize
168KB

MD5
4951813f824bbc4b7335a5a8d4405eec

SHA1
9f92b43960a40997b6f91434afac52051606d7bb

SHA256
acab5734c0812d609dd93cf56e3d7fd922267151cb3dd2083dda8dd0578553dc

SHA512
c6ab995bdcff28d4eaba22ee1a9a0784ecc417e5ec8a20f25587231613307bb36c52398e2cb982d9b0c9d1f3e9acd214d49cc0375a8c37e29acc8a0c8cf3137c

Download Submit
C:\Windows\{4662F822-108B-416c-BA4E-86310F1073EF}.exe

Filesize
168KB

MD5
4951813f824bbc4b7335a5a8d4405eec

SHA1
9f92b43960a40997b6f91434afac52051606d7bb

SHA256
acab5734c0812d609dd93cf56e3d7fd922267151cb3dd2083dda8dd0578553dc

SHA512
c6ab995bdcff28d4eaba22ee1a9a0784ecc417e5ec8a20f25587231613307bb36c52398e2cb982d9b0c9d1f3e9acd214d49cc0375a8c37e29acc8a0c8cf3137c

Download Submit
C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe

Filesize
168KB

MD5
512920015e09c972922c6fdf326f2d3e

SHA1
150d459609d30992a41fb44d10589b684d68abad

SHA256
c9c12dc864e79678c2fd9ebe2a1c895d0403da35d0d4f76705c9765d79e7c4de

SHA512
1f83dd03f996aff80caa964cdf66a8b00fa4173fa193de829ddf38987452800e32390f0b9e58ae48793975443803c719c6e09938adbfa5fde1b39e9227119abe

Download Submit
C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe

Filesize
168KB

MD5
512920015e09c972922c6fdf326f2d3e

SHA1
150d459609d30992a41fb44d10589b684d68abad

SHA256
c9c12dc864e79678c2fd9ebe2a1c895d0403da35d0d4f76705c9765d79e7c4de

SHA512
1f83dd03f996aff80caa964cdf66a8b00fa4173fa193de829ddf38987452800e32390f0b9e58ae48793975443803c719c6e09938adbfa5fde1b39e9227119abe

Download Submit
C:\Windows\{547B3E4B-F2C0-4b27-85A2-2B2935D468B6}.exe

Filesize
168KB

MD5
512920015e09c972922c6fdf326f2d3e

SHA1
150d459609d30992a41fb44d10589b684d68abad

SHA256
c9c12dc864e79678c2fd9ebe2a1c895d0403da35d0d4f76705c9765d79e7c4de

SHA512
1f83dd03f996aff80caa964cdf66a8b00fa4173fa193de829ddf38987452800e32390f0b9e58ae48793975443803c719c6e09938adbfa5fde1b39e9227119abe

Download Submit
C:\Windows\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe

Filesize
168KB

MD5
aa7ee42692a0adeec1a11a496ce4fbd5

SHA1
09bf644cc9b56a6fc0b5b4bbe52b4d479b52bee7

SHA256
a68e2b75b7e397a3359f35636a252ff619aa1c386af46799bddc5e7acbdb981a

SHA512
6746593a48bdd122206441ab375420b5aa325da5f186afa192135bc10b2df5dd27c296e5a01a2678f00c4a170c101484e76fd28bafeb0ff2d3e5f6453923cfd1

Download Submit
C:\Windows\{6220F0D6-FC82-49a7-8FD2-76B04B8F9E54}.exe

Filesize
168KB

MD5
aa7ee42692a0adeec1a11a496ce4fbd5

SHA1
09bf644cc9b56a6fc0b5b4bbe52b4d479b52bee7

SHA256
a68e2b75b7e397a3359f35636a252ff619aa1c386af46799bddc5e7acbdb981a

SHA512
6746593a48bdd122206441ab375420b5aa325da5f186afa192135bc10b2df5dd27c296e5a01a2678f00c4a170c101484e76fd28bafeb0ff2d3e5f6453923cfd1

Download Submit
C:\Windows\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe

Filesize
168KB

MD5
eaa79237b3004828722acd2920b0aeec

SHA1
c0f89a35a9601e8e86bb81b96878cb3b49973e07

SHA256
fd1e0e911cf7c8db438c434bc0eb72b4aefcd1988c54b04fe46eae79ab266abd

SHA512
cf8e374acbadfacf2b2b5eef82d53a08703c89bcf87296e9d1593a8970789475c1e88f75bb6a7d9b6008964018e6be53685757f707b8c3cb6aa070c611e203d5

Download Submit
C:\Windows\{6572F20E-65D4-4ee8-9761-008401F3A8E8}.exe

Filesize
168KB

MD5
eaa79237b3004828722acd2920b0aeec

SHA1
c0f89a35a9601e8e86bb81b96878cb3b49973e07

SHA256
fd1e0e911cf7c8db438c434bc0eb72b4aefcd1988c54b04fe46eae79ab266abd

SHA512
cf8e374acbadfacf2b2b5eef82d53a08703c89bcf87296e9d1593a8970789475c1e88f75bb6a7d9b6008964018e6be53685757f707b8c3cb6aa070c611e203d5

Download Submit
C:\Windows\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe

Filesize
168KB

MD5
223c799b170315a27928ee2a5eaca8a7

SHA1
f3404a23377fb8bba366d315b6cafeb7a5958acc

SHA256
440f466ca274300e8bdc8fae64af4ac1c953594cfd3fa607b2ebd2615d72baab

SHA512
546ae093e1c5ef7728071a42c6b75f7a0e1f80841e693b76b322cd0b660cde9b1f369d56b11383984b12e4bbaa7be1e910e6c5a269ce26395729f4ac6af4fd50

Download Submit
C:\Windows\{7F3E10FF-9EDA-47dd-B197-E4D9633F956C}.exe

Filesize
168KB

MD5
223c799b170315a27928ee2a5eaca8a7

SHA1
f3404a23377fb8bba366d315b6cafeb7a5958acc

SHA256
440f466ca274300e8bdc8fae64af4ac1c953594cfd3fa607b2ebd2615d72baab

SHA512
546ae093e1c5ef7728071a42c6b75f7a0e1f80841e693b76b322cd0b660cde9b1f369d56b11383984b12e4bbaa7be1e910e6c5a269ce26395729f4ac6af4fd50

Download Submit
C:\Windows\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe

Filesize
168KB

MD5
5b3fa2baa205d83875b675bd7dc01646

SHA1
d196b495ef14b704128a189a10ea728fee5dd403

SHA256
b1c396b98b039148e0f9cd7e51d05c3a3f318da2f37ec50fb2119c7782356cf9

SHA512
84fc5c66fa4c9d81b0201b7374a7ec9d432d60e8811e78dcbbdf872a061bcc81f2e828b131d2bf7b5c5596dcdf8e2f96572ec8887322ab6581c27f499db18884

Download Submit
C:\Windows\{AD0B2E86-18A5-4583-8B4C-49C02F4112F9}.exe

Filesize
168KB

MD5
5b3fa2baa205d83875b675bd7dc01646

SHA1
d196b495ef14b704128a189a10ea728fee5dd403

SHA256
b1c396b98b039148e0f9cd7e51d05c3a3f318da2f37ec50fb2119c7782356cf9

SHA512
84fc5c66fa4c9d81b0201b7374a7ec9d432d60e8811e78dcbbdf872a061bcc81f2e828b131d2bf7b5c5596dcdf8e2f96572ec8887322ab6581c27f499db18884

Download Submit
C:\Windows\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe

Filesize
168KB

MD5
e0c48e14d35f9d058ff29e79877e75c9

SHA1
76c42909638c1ddfa3beede5ebc9605b21ebd2f0

SHA256
d74debcd24e0fdc7b4427017b84e47d1764352d2c81a27836feed67f72e25379

SHA512
33df45f23c400cbf75d531be50f11a0cb11f944cec24ce4e2539d7952232e957afb5e0b3d15a29b28067f73e6ecd5e38fa8860afacfa1c2446d78429f8963a68

Download Submit
C:\Windows\{B06DCEB1-9C91-475c-A25F-296801E0A075}.exe

Filesize
168KB

MD5
e0c48e14d35f9d058ff29e79877e75c9

SHA1
76c42909638c1ddfa3beede5ebc9605b21ebd2f0

SHA256
d74debcd24e0fdc7b4427017b84e47d1764352d2c81a27836feed67f72e25379

SHA512
33df45f23c400cbf75d531be50f11a0cb11f944cec24ce4e2539d7952232e957afb5e0b3d15a29b28067f73e6ecd5e38fa8860afacfa1c2446d78429f8963a68

Download Submit
C:\Windows\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe

Filesize
168KB

MD5
cf89bafa6d28445e50d104ba353f1b75

SHA1
fafe7c0c0cb2c5f49c4e30a17fdaed3241315e48

SHA256
c966f225cdaf882358c9b3843c43950e96137f00632784a4d7f723218bae0ae3

SHA512
8e00d88c230d1f4ebe8e2d03d17d550720027dcd2a1d4fc466e76449321a64a0468ede02fd2b9126781febd67be4a0e38b95e1713ad6f739c5ba4d09c8e28cac

Download Submit
C:\Windows\{C26E663A-096D-4349-9263-C4EA5CD9D61A}.exe

Filesize
168KB

MD5
cf89bafa6d28445e50d104ba353f1b75

SHA1
fafe7c0c0cb2c5f49c4e30a17fdaed3241315e48

SHA256
c966f225cdaf882358c9b3843c43950e96137f00632784a4d7f723218bae0ae3

SHA512
8e00d88c230d1f4ebe8e2d03d17d550720027dcd2a1d4fc466e76449321a64a0468ede02fd2b9126781febd67be4a0e38b95e1713ad6f739c5ba4d09c8e28cac

Download Submit
C:\Windows\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe

Filesize
168KB

MD5
2e621535f541e403fb402fe613386164

SHA1
bdb3afb83dcddc7490a20443ae84688be5d87dcb

SHA256
48af859d33cc45c1f48e7c2a9a03c7f87b4107781457bb19b99c9dde99880071

SHA512
257fe23c8afa4772889178b60b117ceb0b1d61a1614027bf977fae935ff9ddb146bcab885c62b3242e3124fdc0bbfb879de11b5c15027fa812fc08378afc7928

Download Submit
C:\Windows\{CEADFF54-810D-4d3e-AB75-5CED9B1BAC5A}.exe

Filesize
168KB

MD5
2e621535f541e403fb402fe613386164

SHA1
bdb3afb83dcddc7490a20443ae84688be5d87dcb

SHA256
48af859d33cc45c1f48e7c2a9a03c7f87b4107781457bb19b99c9dde99880071

SHA512
257fe23c8afa4772889178b60b117ceb0b1d61a1614027bf977fae935ff9ddb146bcab885c62b3242e3124fdc0bbfb879de11b5c15027fa812fc08378afc7928

Download Submit
C:\Windows\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe

Filesize
168KB

MD5
0c6066128cfd1a0e2891accae68fbb83

SHA1
f20dabb11fe3d3ad07010df5b27370bf7c9bcc04

SHA256
a24eb8f226667dbcea17b95e35dbe0c2d6a5658cb5e713820f6f03908b04594d

SHA512
bde53ee157e90cd2215c02c552cb75a63b544bd1ad4baba43df87f0efffb7309b233d4a6af406c17de4e458068aa53083e9f95ad85ef3b5eef9ebe3f008e26df

Download Submit
C:\Windows\{DC13ED2A-6145-47da-A487-BBBCDC91F19C}.exe

Filesize
168KB

MD5
0c6066128cfd1a0e2891accae68fbb83

SHA1
f20dabb11fe3d3ad07010df5b27370bf7c9bcc04

SHA256
a24eb8f226667dbcea17b95e35dbe0c2d6a5658cb5e713820f6f03908b04594d

SHA512
bde53ee157e90cd2215c02c552cb75a63b544bd1ad4baba43df87f0efffb7309b233d4a6af406c17de4e458068aa53083e9f95ad85ef3b5eef9ebe3f008e26df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads