0184dceec8ff786009c1a7dee97166c117efbb68055d3c5e2e7c9620d5329db8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Size

204KB
MD5

ebfbaeb76ed3c7295e435d66601537c1
SHA1

4b2f7b11aab22259f99c7a0988598a0e54604f51
SHA256

0184dceec8ff786009c1a7dee97166c117efbb68055d3c5e2e7c9620d5329db8
SHA512

7e7fa766fcd7da0fc25f7a513e17bf9496e6de8298218b2f4487b8037872ae5f182bfaa9bfbfe85c80ab6e41acba381a69788150277009e168a1a6e8d91ed477
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{591CE396-B7C3-4c66-B0BD-72D78419862B}	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F0EBB50-E261-4601-B6C0-6111056B8D70}	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}\stubpath = "C:\\Windows\\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe"	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}\stubpath = "C:\\Windows\\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe"	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E5C02A-6C85-496f-8205-51D7F9860367}	{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E5C02A-6C85-496f-8205-51D7F9860367}\stubpath = "C:\\Windows\\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe"	{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DFC881-4199-48aa-B9EE-39BB971CB407}\stubpath = "C:\\Windows\\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe"	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25BB68A-0A93-4ad6-9F64-043782A5E288}\stubpath = "C:\\Windows\\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe"	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25BB68A-0A93-4ad6-9F64-043782A5E288}	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DFC881-4199-48aa-B9EE-39BB971CB407}	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7184603-8A35-4382-A25E-826D2A7774BD}	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}\stubpath = "C:\\Windows\\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe"	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{591CE396-B7C3-4c66-B0BD-72D78419862B}\stubpath = "C:\\Windows\\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe"	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B888EB04-B6F9-4704-BF06-A64D714C5569}\stubpath = "C:\\Windows\\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe"	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}\stubpath = "C:\\Windows\\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe"	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E14110A7-5495-47be-A41E-3D8371B6BB3E}\stubpath = "C:\\Windows\\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe"	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7184603-8A35-4382-A25E-826D2A7774BD}\stubpath = "C:\\Windows\\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe"	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F0EBB50-E261-4601-B6C0-6111056B8D70}\stubpath = "C:\\Windows\\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe"	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B888EB04-B6F9-4704-BF06-A64D714C5569}	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E14110A7-5495-47be-A41E-3D8371B6BB3E}	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
2996	{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
4420	{20E5C02A-6C85-496f-8205-51D7F9860367}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
File created	C:\Windows\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
File created	C:\Windows\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
File created	C:\Windows\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe	{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
File created	C:\Windows\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
File created	C:\Windows\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
File created	C:\Windows\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
File created	C:\Windows\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
File created	C:\Windows\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
File created	C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
File created	C:\Windows\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
File created	C:\Windows\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
Token: SeIncBasePriorityPrivilege	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
Token: SeIncBasePriorityPrivilege	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
Token: SeIncBasePriorityPrivilege	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
Token: SeIncBasePriorityPrivilege	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
Token: SeIncBasePriorityPrivilege	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
Token: SeIncBasePriorityPrivilege	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
Token: SeIncBasePriorityPrivilege	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
Token: SeIncBasePriorityPrivilege	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
Token: SeIncBasePriorityPrivilege	3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
Token: SeIncBasePriorityPrivilege	2996	{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4444	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	87
PID 116 wrote to memory of 4444	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	87
PID 116 wrote to memory of 4444	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	87
PID 116 wrote to memory of 1340	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	88
PID 116 wrote to memory of 1340	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	88
PID 116 wrote to memory of 1340	116	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	88
PID 4444 wrote to memory of 4296	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	89
PID 4444 wrote to memory of 4296	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	89
PID 4444 wrote to memory of 4296	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	89
PID 4444 wrote to memory of 4132	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	90
PID 4444 wrote to memory of 4132	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	90
PID 4444 wrote to memory of 4132	4444	{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe	90
PID 4296 wrote to memory of 1696	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	94
PID 4296 wrote to memory of 1696	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	94
PID 4296 wrote to memory of 1696	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	94
PID 4296 wrote to memory of 2000	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	93
PID 4296 wrote to memory of 2000	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	93
PID 4296 wrote to memory of 2000	4296	{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe	93
PID 1696 wrote to memory of 3232	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	96
PID 1696 wrote to memory of 3232	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	96
PID 1696 wrote to memory of 3232	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	96
PID 1696 wrote to memory of 2740	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	97
PID 1696 wrote to memory of 2740	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	97
PID 1696 wrote to memory of 2740	1696	{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe	97
PID 3232 wrote to memory of 2768	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	98
PID 3232 wrote to memory of 2768	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	98
PID 3232 wrote to memory of 2768	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	98
PID 3232 wrote to memory of 4388	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	99
PID 3232 wrote to memory of 4388	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	99
PID 3232 wrote to memory of 4388	3232	{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe	99
PID 2768 wrote to memory of 2248	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	100
PID 2768 wrote to memory of 2248	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	100
PID 2768 wrote to memory of 2248	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	100
PID 2768 wrote to memory of 2256	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	101
PID 2768 wrote to memory of 2256	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	101
PID 2768 wrote to memory of 2256	2768	{F7184603-8A35-4382-A25E-826D2A7774BD}.exe	101
PID 2248 wrote to memory of 1700	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	102
PID 2248 wrote to memory of 1700	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	102
PID 2248 wrote to memory of 1700	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	102
PID 2248 wrote to memory of 2416	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	103
PID 2248 wrote to memory of 2416	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	103
PID 2248 wrote to memory of 2416	2248	{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe	103
PID 1700 wrote to memory of 3776	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	104
PID 1700 wrote to memory of 3776	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	104
PID 1700 wrote to memory of 3776	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	104
PID 1700 wrote to memory of 3012	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	105
PID 1700 wrote to memory of 3012	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	105
PID 1700 wrote to memory of 3012	1700	{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe	105
PID 3776 wrote to memory of 4164	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	106
PID 3776 wrote to memory of 4164	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	106
PID 3776 wrote to memory of 4164	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	106
PID 3776 wrote to memory of 2360	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	107
PID 3776 wrote to memory of 2360	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	107
PID 3776 wrote to memory of 2360	3776	{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe	107
PID 4164 wrote to memory of 3256	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	108
PID 4164 wrote to memory of 3256	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	108
PID 4164 wrote to memory of 3256	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	108
PID 4164 wrote to memory of 3812	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	109
PID 4164 wrote to memory of 3812	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	109
PID 4164 wrote to memory of 3812	4164	{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe	109
PID 3256 wrote to memory of 2996	3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe	110
PID 3256 wrote to memory of 2996	3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe	110
PID 3256 wrote to memory of 2996	3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe	110
PID 3256 wrote to memory of 3560	3256	{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
  C:\Windows\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
    C:\Windows\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35B70~1.EXE > nul
      4⤵
      PID:2000
  - - C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
      C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
        
        C:\Windows\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
        
        C:\Windows\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
        
        C:\Windows\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
        
        C:\Windows\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
        
        C:\Windows\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
        
        C:\Windows\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
        
        C:\Windows\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
        
        C:\Windows\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe
        
        C:\Windows\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe
        13⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B888E~1.EXE > nul
        13⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32AFC~1.EXE > nul
        12⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AFDA~1.EXE > nul
        11⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F0EB~1.EXE > nul
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{591CE~1.EXE > nul
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BE5~1.EXE > nul
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7184~1.EXE > nul
        7⤵
        
        PID:2256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36DFC~1.EXE > nul
        6⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D25BB~1.EXE > nul
        5⤵
        
        PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1411~1.EXE > nul
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe

Filesize
204KB

MD5
b7edb982d64de070dcc3634467f085fb

SHA1
e1bde62bc22748cdf9fec7f711fa72629e8684d4

SHA256
a00be46a1c297f8d457cf6b3d11e8a46ee4a3242fb31ff6d74b890dbee09606e

SHA512
6080f5843f26ced1bfda7e79417b22cdee5a3e0f5c10c0562a56f62f02576cc4bc8e7ed07272d19a108bcc4a2055f5e0a99681440fba88ee3525f96005614d79

Download Submit
C:\Windows\{20E5C02A-6C85-496f-8205-51D7F9860367}.exe

Filesize
204KB

MD5
b7edb982d64de070dcc3634467f085fb

SHA1
e1bde62bc22748cdf9fec7f711fa72629e8684d4

SHA256
a00be46a1c297f8d457cf6b3d11e8a46ee4a3242fb31ff6d74b890dbee09606e

SHA512
6080f5843f26ced1bfda7e79417b22cdee5a3e0f5c10c0562a56f62f02576cc4bc8e7ed07272d19a108bcc4a2055f5e0a99681440fba88ee3525f96005614d79

Download Submit
C:\Windows\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe

Filesize
204KB

MD5
d3290639b522e5300b0f200a8606fe40

SHA1
d92657107261a677815e61503be7f2e17e15f905

SHA256
58c735e7e8edbd5051a017393ebc0e6d18d8d48973271a9ba2c752b03e83d2c3

SHA512
37056a5a738432abc50b4a504652758a762e73546ceb1464ffba422939e9c058dbbb8884a02bb4cde7aa005e2454324ef7d5efd1680076a7d3deb327621df9d3

Download Submit
C:\Windows\{32AFCEDC-C179-474f-91A8-E580BC48C8B7}.exe

Filesize
204KB

MD5
d3290639b522e5300b0f200a8606fe40

SHA1
d92657107261a677815e61503be7f2e17e15f905

SHA256
58c735e7e8edbd5051a017393ebc0e6d18d8d48973271a9ba2c752b03e83d2c3

SHA512
37056a5a738432abc50b4a504652758a762e73546ceb1464ffba422939e9c058dbbb8884a02bb4cde7aa005e2454324ef7d5efd1680076a7d3deb327621df9d3

Download Submit
C:\Windows\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe

Filesize
204KB

MD5
581e2bca7e0522ddd153bcdfc6356b34

SHA1
97673f106cd6093db5bbea7ae3851fc0492e0d21

SHA256
3546adecd88c0b6c0328ead4e156297e8412558bd2c6bb548bd3b36f52f5f61d

SHA512
099348bdd728b33e57d9c96cf208110041cb25f6b2009095064e3ed3629f1cb26c877b862c6eb24258e02addb3fa24c1ab96ba1e4b8d498c2fb0f5f3b0c3bf50

Download Submit
C:\Windows\{35B70887-7425-46a7-BAEE-486C7F0ECB1F}.exe

Filesize
204KB

MD5
581e2bca7e0522ddd153bcdfc6356b34

SHA1
97673f106cd6093db5bbea7ae3851fc0492e0d21

SHA256
3546adecd88c0b6c0328ead4e156297e8412558bd2c6bb548bd3b36f52f5f61d

SHA512
099348bdd728b33e57d9c96cf208110041cb25f6b2009095064e3ed3629f1cb26c877b862c6eb24258e02addb3fa24c1ab96ba1e4b8d498c2fb0f5f3b0c3bf50

Download Submit
C:\Windows\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe

Filesize
204KB

MD5
36b1cd9d4ef410f487d17bd9f97b5bfe

SHA1
ca5bfdd24210c69b3bf922728da1ff79c1eb4680

SHA256
2f335d71a55d045afc9bae72bca6c606e9a016c0673aa7c676a495005e9d0a15

SHA512
3cb8ae9510e0b9034b1d45e998532f12c450bb076b799bb76ba8d3f070901e84ea690891a7599feb907816bcd74c5982eddf88eafe5d70de215cfa98d2f212ca

Download Submit
C:\Windows\{36DFC881-4199-48aa-B9EE-39BB971CB407}.exe

Filesize
204KB

MD5
36b1cd9d4ef410f487d17bd9f97b5bfe

SHA1
ca5bfdd24210c69b3bf922728da1ff79c1eb4680

SHA256
2f335d71a55d045afc9bae72bca6c606e9a016c0673aa7c676a495005e9d0a15

SHA512
3cb8ae9510e0b9034b1d45e998532f12c450bb076b799bb76ba8d3f070901e84ea690891a7599feb907816bcd74c5982eddf88eafe5d70de215cfa98d2f212ca

Download Submit
C:\Windows\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe

Filesize
204KB

MD5
2a1b1b9216cb3d63927414b4145945b3

SHA1
5c340c90c45c3a7eb4dfbfdf34236dc8b6d57937

SHA256
5495b8b2bbe5d4ace00c259c157f1136a615431326ca38b1d04a8e87f7bc6524

SHA512
7b689823c58b51e7b0e2960228b5f9250ff92e84b0481402e364362c2cabdb050f751d448b4399af94c10aa5c328f3b6a93037ff8634778a956fc58929e7352f

Download Submit
C:\Windows\{591CE396-B7C3-4c66-B0BD-72D78419862B}.exe

Filesize
204KB

MD5
2a1b1b9216cb3d63927414b4145945b3

SHA1
5c340c90c45c3a7eb4dfbfdf34236dc8b6d57937

SHA256
5495b8b2bbe5d4ace00c259c157f1136a615431326ca38b1d04a8e87f7bc6524

SHA512
7b689823c58b51e7b0e2960228b5f9250ff92e84b0481402e364362c2cabdb050f751d448b4399af94c10aa5c328f3b6a93037ff8634778a956fc58929e7352f

Download Submit
C:\Windows\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe

Filesize
204KB

MD5
8802172aa0b48ae80d56618af89834b1

SHA1
5a28bebefa293e5c9a1792536b989a3dfb09f87d

SHA256
98dc0136f22b2a2b7f31125185017016ee94d3722fecaa68dcb1aad3c993a4fe

SHA512
3d84ee7bb17804657d9875708698b2014d6530cfec7f7d2ea230bad573185c670166c640dd3abef5d32dde5b14f8e141ccc761026bd74df037eada0c6b68192c

Download Submit
C:\Windows\{6F0EBB50-E261-4601-B6C0-6111056B8D70}.exe

Filesize
204KB

MD5
8802172aa0b48ae80d56618af89834b1

SHA1
5a28bebefa293e5c9a1792536b989a3dfb09f87d

SHA256
98dc0136f22b2a2b7f31125185017016ee94d3722fecaa68dcb1aad3c993a4fe

SHA512
3d84ee7bb17804657d9875708698b2014d6530cfec7f7d2ea230bad573185c670166c640dd3abef5d32dde5b14f8e141ccc761026bd74df037eada0c6b68192c

Download Submit
C:\Windows\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe

Filesize
204KB

MD5
c773855464d8d4801503f83f266eecd5

SHA1
f58bedb6ca6e144c8edd683d05c03716f91f0203

SHA256
2701b465bd31d0dd10df66491f0bbdba79f96c90990f502c103179129009a94e

SHA512
29315e5fb889c6a51ab6a50073cdbbb5cddd6bcc6fa38b8716f97655c24c6b0d81432fd42c5c25a50d73c7b0bf79964c84515e9372f0a64ab2866dec6612e4e5

Download Submit
C:\Windows\{81BE59F5-812C-44f8-BCE5-F31E456C89EC}.exe

Filesize
204KB

MD5
c773855464d8d4801503f83f266eecd5

SHA1
f58bedb6ca6e144c8edd683d05c03716f91f0203

SHA256
2701b465bd31d0dd10df66491f0bbdba79f96c90990f502c103179129009a94e

SHA512
29315e5fb889c6a51ab6a50073cdbbb5cddd6bcc6fa38b8716f97655c24c6b0d81432fd42c5c25a50d73c7b0bf79964c84515e9372f0a64ab2866dec6612e4e5

Download Submit
C:\Windows\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe

Filesize
204KB

MD5
28d27efb56b059e4cbd48279a125682f

SHA1
e23d08fea8f72d7624042366f2099e137e6e6490

SHA256
e4cb6704da253e67fefaa95199130533f5eaee0fec823bc7643ff7f8ff3f4b88

SHA512
124ca52e5d425d2a4c18fbcecef58c68d4491c5317f7d3e5770b31b8951fc982dff5d133a4e6aa2859a47ba43b9ceb10abdfc67ad5ca949205b44f55264e4d7c

Download Submit
C:\Windows\{8AFDAF5E-BB1A-457e-9014-F65639D41C96}.exe

Filesize
204KB

MD5
28d27efb56b059e4cbd48279a125682f

SHA1
e23d08fea8f72d7624042366f2099e137e6e6490

SHA256
e4cb6704da253e67fefaa95199130533f5eaee0fec823bc7643ff7f8ff3f4b88

SHA512
124ca52e5d425d2a4c18fbcecef58c68d4491c5317f7d3e5770b31b8951fc982dff5d133a4e6aa2859a47ba43b9ceb10abdfc67ad5ca949205b44f55264e4d7c

Download Submit
C:\Windows\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe

Filesize
204KB

MD5
95a6b2dc252eebad0018785e947c2f60

SHA1
87b40d4f629078b7bf1e7b6cbea1fb5f4cefbffb

SHA256
6717cd2a51bbeefe921df4d24f6c5d2fa9c5baed9b0b8c2a88db524267734bfc

SHA512
49e7dd5ed625dbd67c512ca18581a1e03a5f06cffda7ead216b29bb55cd907ad7330602d92efbefd70754ee122ab5a61941eb625bed41f70eea154115d8ef9c3

Download Submit
C:\Windows\{B888EB04-B6F9-4704-BF06-A64D714C5569}.exe

Filesize
204KB

MD5
95a6b2dc252eebad0018785e947c2f60

SHA1
87b40d4f629078b7bf1e7b6cbea1fb5f4cefbffb

SHA256
6717cd2a51bbeefe921df4d24f6c5d2fa9c5baed9b0b8c2a88db524267734bfc

SHA512
49e7dd5ed625dbd67c512ca18581a1e03a5f06cffda7ead216b29bb55cd907ad7330602d92efbefd70754ee122ab5a61941eb625bed41f70eea154115d8ef9c3

Download Submit
C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe

Filesize
204KB

MD5
9a6f55ca627a5d9cae8768afac6c4e1d

SHA1
107cf965f5607c04084991458454386828303e6c

SHA256
2ab9f94fb35700f6807177abfe47f80fb0537c7160886bad82d820ba1aa69ff3

SHA512
f080962d3c62e1b1c08f4e9e4a7cd7ce129e371fc6f4bafa492ce41de7ea6ac81b4141a519a73b2adfd3e7c5d4421556dc82c6d82cc3c2b4997bd5c2a4467817

Download Submit
C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe

Filesize
204KB

MD5
9a6f55ca627a5d9cae8768afac6c4e1d

SHA1
107cf965f5607c04084991458454386828303e6c

SHA256
2ab9f94fb35700f6807177abfe47f80fb0537c7160886bad82d820ba1aa69ff3

SHA512
f080962d3c62e1b1c08f4e9e4a7cd7ce129e371fc6f4bafa492ce41de7ea6ac81b4141a519a73b2adfd3e7c5d4421556dc82c6d82cc3c2b4997bd5c2a4467817

Download Submit
C:\Windows\{D25BB68A-0A93-4ad6-9F64-043782A5E288}.exe

Filesize
204KB

MD5
9a6f55ca627a5d9cae8768afac6c4e1d

SHA1
107cf965f5607c04084991458454386828303e6c

SHA256
2ab9f94fb35700f6807177abfe47f80fb0537c7160886bad82d820ba1aa69ff3

SHA512
f080962d3c62e1b1c08f4e9e4a7cd7ce129e371fc6f4bafa492ce41de7ea6ac81b4141a519a73b2adfd3e7c5d4421556dc82c6d82cc3c2b4997bd5c2a4467817

Download Submit
C:\Windows\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe

Filesize
204KB

MD5
01227e84b9b3dd4e27c6cc675b90cf60

SHA1
cf7272c7346c1345314ea45370d57b2c523efffe

SHA256
6aae3f8b2dbf5863b3b58cad2b276503623fb332a530327376b3169b61f9b26d

SHA512
e0d6a043e0381b8d62182b9b7c80240e90ad1f6b111b086e6de2b7f904523fc1b95883c301b1830ddc1ed99f5747a12671b2713c31c8f32cbb0a415c31eb15ad

Download Submit
C:\Windows\{E14110A7-5495-47be-A41E-3D8371B6BB3E}.exe

Filesize
204KB

MD5
01227e84b9b3dd4e27c6cc675b90cf60

SHA1
cf7272c7346c1345314ea45370d57b2c523efffe

SHA256
6aae3f8b2dbf5863b3b58cad2b276503623fb332a530327376b3169b61f9b26d

SHA512
e0d6a043e0381b8d62182b9b7c80240e90ad1f6b111b086e6de2b7f904523fc1b95883c301b1830ddc1ed99f5747a12671b2713c31c8f32cbb0a415c31eb15ad

Download Submit
C:\Windows\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe

Filesize
204KB

MD5
47464e5ca6d8f197d08b2193772e9a0c

SHA1
6c7d2a9be154faa6700e7ab7806f708bef20a973

SHA256
dad6cd23147d85aa958c9d8b660c82942b440ff8709a230a2afafbcda0a61311

SHA512
28018a2fbc7fc4afb3d225d95bfce50da6920a7e3a43b1e9b36a44e66c69aad8de679f5f93430d54095a9a29d602f664586ce9777cbf4228b27bf6494fc15a17

Download Submit
C:\Windows\{F7184603-8A35-4382-A25E-826D2A7774BD}.exe

Filesize
204KB

MD5
47464e5ca6d8f197d08b2193772e9a0c

SHA1
6c7d2a9be154faa6700e7ab7806f708bef20a973

SHA256
dad6cd23147d85aa958c9d8b660c82942b440ff8709a230a2afafbcda0a61311

SHA512
28018a2fbc7fc4afb3d225d95bfce50da6920a7e3a43b1e9b36a44e66c69aad8de679f5f93430d54095a9a29d602f664586ce9777cbf4228b27bf6494fc15a17

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads