b3affaf37e50aabb522929e38fb1b8cc78fda08313cb9c37601820c1b7c80a15

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
Size

180KB
MD5

07c90e27cdc8a1dc3a38f60adcb0c1aa
SHA1

c746f042068958330ecb1a1326897b6781f68459
SHA256

b3affaf37e50aabb522929e38fb1b8cc78fda08313cb9c37601820c1b7c80a15
SHA512

338317faf6043647ed5079375d12635ec2dd2e0e8f64f5afef53dac92cccad9db3805d1e903b2a9f5c2c9f4cf382afe51cbeb0c9a9ffb5aba1286ebaea79d5ff
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGQl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA512E2F-ED66-444e-B40D-B798F3363AE4}\stubpath = "C:\\Windows\\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe"	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2226C090-3D80-4f37-A683-E757474BB53C}\stubpath = "C:\\Windows\\{2226C090-3D80-4f37-A683-E757474BB53C}.exe"	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}\stubpath = "C:\\Windows\\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe"	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB901373-3AE3-4de1-B5E5-F4554E39E912}\stubpath = "C:\\Windows\\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe"	{2226C090-3D80-4f37-A683-E757474BB53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}\stubpath = "C:\\Windows\\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe"	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}\stubpath = "C:\\Windows\\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe"	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA512E2F-ED66-444e-B40D-B798F3363AE4}	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16006C73-2B41-4bb8-982A-7B3316528076}	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16006C73-2B41-4bb8-982A-7B3316528076}\stubpath = "C:\\Windows\\{16006C73-2B41-4bb8-982A-7B3316528076}.exe"	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}\stubpath = "C:\\Windows\\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe"	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}\stubpath = "C:\\Windows\\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe"	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}\stubpath = "C:\\Windows\\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe"	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}\stubpath = "C:\\Windows\\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe"	{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB901373-3AE3-4de1-B5E5-F4554E39E912}	{2226C090-3D80-4f37-A683-E757474BB53C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2226C090-3D80-4f37-A683-E757474BB53C}	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}	{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76139A9D-4D57-42a3-B436-0D4616DF6653}	{16006C73-2B41-4bb8-982A-7B3316528076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76139A9D-4D57-42a3-B436-0D4616DF6653}\stubpath = "C:\\Windows\\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe"	{16006C73-2B41-4bb8-982A-7B3316528076}.exe

Executes dropped EXE 12 IoCs

pid	Process
560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe
4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe
5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
4164	{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
2540	{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
File created	C:\Windows\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
File created	C:\Windows\{16006C73-2B41-4bb8-982A-7B3316528076}.exe	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
File created	C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
File created	C:\Windows\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	{2226C090-3D80-4f37-A683-E757474BB53C}.exe
File created	C:\Windows\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
File created	C:\Windows\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
File created	C:\Windows\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
File created	C:\Windows\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe	{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
File created	C:\Windows\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	{16006C73-2B41-4bb8-982A-7B3316528076}.exe
File created	C:\Windows\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
File created	C:\Windows\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe
Token: SeIncBasePriorityPrivilege	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
Token: SeIncBasePriorityPrivilege	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe
Token: SeIncBasePriorityPrivilege	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
Token: SeIncBasePriorityPrivilege	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
Token: SeIncBasePriorityPrivilege	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
Token: SeIncBasePriorityPrivilege	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
Token: SeIncBasePriorityPrivilege	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
Token: SeIncBasePriorityPrivilege	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
Token: SeIncBasePriorityPrivilege	4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
Token: SeIncBasePriorityPrivilege	4164	{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 560	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	87
PID 1196 wrote to memory of 560	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	87
PID 1196 wrote to memory of 560	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	87
PID 1196 wrote to memory of 3492	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	88
PID 1196 wrote to memory of 3492	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	88
PID 1196 wrote to memory of 3492	1196	2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe	88
PID 560 wrote to memory of 4720	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	89
PID 560 wrote to memory of 4720	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	89
PID 560 wrote to memory of 4720	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	89
PID 560 wrote to memory of 3824	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	90
PID 560 wrote to memory of 3824	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	90
PID 560 wrote to memory of 3824	560	{16006C73-2B41-4bb8-982A-7B3316528076}.exe	90
PID 4720 wrote to memory of 4888	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	95
PID 4720 wrote to memory of 4888	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	95
PID 4720 wrote to memory of 4888	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	95
PID 4720 wrote to memory of 1624	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	94
PID 4720 wrote to memory of 1624	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	94
PID 4720 wrote to memory of 1624	4720	{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe	94
PID 4888 wrote to memory of 5072	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	96
PID 4888 wrote to memory of 5072	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	96
PID 4888 wrote to memory of 5072	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	96
PID 4888 wrote to memory of 4288	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	97
PID 4888 wrote to memory of 4288	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	97
PID 4888 wrote to memory of 4288	4888	{2226C090-3D80-4f37-A683-E757474BB53C}.exe	97
PID 5072 wrote to memory of 4632	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	98
PID 5072 wrote to memory of 4632	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	98
PID 5072 wrote to memory of 4632	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	98
PID 5072 wrote to memory of 2904	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	99
PID 5072 wrote to memory of 2904	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	99
PID 5072 wrote to memory of 2904	5072	{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe	99
PID 4632 wrote to memory of 3964	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	100
PID 4632 wrote to memory of 3964	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	100
PID 4632 wrote to memory of 3964	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	100
PID 4632 wrote to memory of 4620	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	101
PID 4632 wrote to memory of 4620	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	101
PID 4632 wrote to memory of 4620	4632	{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe	101
PID 3964 wrote to memory of 4712	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	102
PID 3964 wrote to memory of 4712	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	102
PID 3964 wrote to memory of 4712	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	102
PID 3964 wrote to memory of 776	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	103
PID 3964 wrote to memory of 776	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	103
PID 3964 wrote to memory of 776	3964	{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe	103
PID 4712 wrote to memory of 3624	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	107
PID 4712 wrote to memory of 3624	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	107
PID 4712 wrote to memory of 3624	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	107
PID 4712 wrote to memory of 732	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	108
PID 4712 wrote to memory of 732	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	108
PID 4712 wrote to memory of 732	4712	{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe	108
PID 3624 wrote to memory of 1420	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	109
PID 3624 wrote to memory of 1420	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	109
PID 3624 wrote to memory of 1420	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	109
PID 3624 wrote to memory of 1544	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	110
PID 3624 wrote to memory of 1544	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	110
PID 3624 wrote to memory of 1544	3624	{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe	110
PID 1420 wrote to memory of 4204	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	111
PID 1420 wrote to memory of 4204	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	111
PID 1420 wrote to memory of 4204	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	111
PID 1420 wrote to memory of 4580	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	112
PID 1420 wrote to memory of 4580	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	112
PID 1420 wrote to memory of 4580	1420	{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe	112
PID 4204 wrote to memory of 4164	4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe	113
PID 4204 wrote to memory of 4164	4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe	113
PID 4204 wrote to memory of 4164	4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe	113
PID 4204 wrote to memory of 3512	4204	{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe	114

C:\Users\Admin\AppData\Local\Temp\2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_07c90e27cdc8a1dc3a38f60adcb0c1aa_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\{16006C73-2B41-4bb8-982A-7B3316528076}.exe
  C:\Windows\{16006C73-2B41-4bb8-982A-7B3316528076}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
    C:\Windows\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{76139~1.EXE > nul
      4⤵
      PID:1624
  - - C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe
      C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
        
        C:\Windows\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
        
        C:\Windows\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
        
        C:\Windows\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
        
        C:\Windows\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
        
        C:\Windows\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
        
        C:\Windows\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
        
        C:\Windows\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
        
        C:\Windows\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe
        
        C:\Windows\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA512~1.EXE > nul
        13⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93F69~1.EXE > nul
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31DDF~1.EXE > nul
        11⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EB4~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE219~1.EXE > nul
        9⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2FE~1.EXE > nul
        8⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6D4~1.EXE > nul
        7⤵
        
        PID:4620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB901~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2226C~1.EXE > nul
        5⤵
        
        PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16006~1.EXE > nul
    3⤵
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe

Filesize
180KB

MD5
8df62e1ea666b8e0b9053d132214758f

SHA1
07cb172daa0dbb8770794e8f993fe13c5230aec4

SHA256
e912f80acf3d77f2e9e97e8683538abbb4182dba2b738cb6c57421dfa12fd2e3

SHA512
44fae5ea8fecee458eb2ad504841aa1fb36d688f7436d7ddac79226214b3ecbafeae7189780e4c76a99126c1f05b090489247bea9e02030bc2f5bfa6ac592739

Download Submit
C:\Windows\{011BC2F8-CCD2-43b5-BEB9-0F0EC07AB6E2}.exe

Filesize
180KB

MD5
8df62e1ea666b8e0b9053d132214758f

SHA1
07cb172daa0dbb8770794e8f993fe13c5230aec4

SHA256
e912f80acf3d77f2e9e97e8683538abbb4182dba2b738cb6c57421dfa12fd2e3

SHA512
44fae5ea8fecee458eb2ad504841aa1fb36d688f7436d7ddac79226214b3ecbafeae7189780e4c76a99126c1f05b090489247bea9e02030bc2f5bfa6ac592739

Download Submit
C:\Windows\{16006C73-2B41-4bb8-982A-7B3316528076}.exe

Filesize
180KB

MD5
5073c6bd8f4357998f386e0c618a15e8

SHA1
ef1786fadf5ae818437bb42268a10f6414affb64

SHA256
a8665a2436a39d8f766484dd961850dc97a09b4adaefbd9da2f541708601a8b3

SHA512
d481d37ec8e237c25c244407d3d91c510b298b9ce2d054cacacb6f6f00b33ab5bee8a29f4dac7d7ea4d0158365beccb6d65c74f0c939394d89dc3ef3fec8f89e

Download Submit
C:\Windows\{16006C73-2B41-4bb8-982A-7B3316528076}.exe

Filesize
180KB

MD5
5073c6bd8f4357998f386e0c618a15e8

SHA1
ef1786fadf5ae818437bb42268a10f6414affb64

SHA256
a8665a2436a39d8f766484dd961850dc97a09b4adaefbd9da2f541708601a8b3

SHA512
d481d37ec8e237c25c244407d3d91c510b298b9ce2d054cacacb6f6f00b33ab5bee8a29f4dac7d7ea4d0158365beccb6d65c74f0c939394d89dc3ef3fec8f89e

Download Submit
C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe

Filesize
180KB

MD5
3dd9337d346f8433b0ca566da6399480

SHA1
04a38cebb813d4182b945ef287f6335839eac9d7

SHA256
a31ee2dcc410878202bdea69e37abbb91f4676c7831e2909db214adb2199356d

SHA512
2b2f3849d28cd1a530f9464fcaf8f90581a79768373b382efba4f442c4242ab28a345db814536438477a923aedaf6e5b723fdc31d271603446bc7a1b420be24d

Download Submit
C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe

Filesize
180KB

MD5
3dd9337d346f8433b0ca566da6399480

SHA1
04a38cebb813d4182b945ef287f6335839eac9d7

SHA256
a31ee2dcc410878202bdea69e37abbb91f4676c7831e2909db214adb2199356d

SHA512
2b2f3849d28cd1a530f9464fcaf8f90581a79768373b382efba4f442c4242ab28a345db814536438477a923aedaf6e5b723fdc31d271603446bc7a1b420be24d

Download Submit
C:\Windows\{2226C090-3D80-4f37-A683-E757474BB53C}.exe

Filesize
180KB

MD5
3dd9337d346f8433b0ca566da6399480

SHA1
04a38cebb813d4182b945ef287f6335839eac9d7

SHA256
a31ee2dcc410878202bdea69e37abbb91f4676c7831e2909db214adb2199356d

SHA512
2b2f3849d28cd1a530f9464fcaf8f90581a79768373b382efba4f442c4242ab28a345db814536438477a923aedaf6e5b723fdc31d271603446bc7a1b420be24d

Download Submit
C:\Windows\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe

Filesize
180KB

MD5
0ccc86c8e5e54753d01f546d9e64c6cb

SHA1
f633739a957c03cfe50d9025d24a66882942e89e

SHA256
cd2ba2a6107edf098d2768c67d45e52c89557d96847aea106be7b56114813409

SHA512
5516df6d3fb6ffb288b8ba43ceb1580d72b315d856f17bad8400db7d4698ffc45accb925d4ab588663a9521258f2bfa7c3cd7d52d11c31df758f510d7b23b82f

Download Submit
C:\Windows\{31DDFD68-90A6-4bec-89A9-A7E9247D1F6A}.exe

Filesize
180KB

MD5
0ccc86c8e5e54753d01f546d9e64c6cb

SHA1
f633739a957c03cfe50d9025d24a66882942e89e

SHA256
cd2ba2a6107edf098d2768c67d45e52c89557d96847aea106be7b56114813409

SHA512
5516df6d3fb6ffb288b8ba43ceb1580d72b315d856f17bad8400db7d4698ffc45accb925d4ab588663a9521258f2bfa7c3cd7d52d11c31df758f510d7b23b82f

Download Submit
C:\Windows\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe

Filesize
180KB

MD5
971c02d6c979d8962d850976d65b8f83

SHA1
eb5c4a4c48cfe036c8f72dba1cceec00c617e3d3

SHA256
ea68b6de7f294e4a76d3586f1d3a0dfd56556f67b8c49e1b6cb82e59d9545358

SHA512
acd16515b6b9cd959eb639d6321f56e1bef9ad7da36d417429516a211bad680c37a3a4d1f29bb188e2b1c8e70b00f1a04524ab234878413034096f1906530987

Download Submit
C:\Windows\{4B2FE3B6-D547-4e81-998D-4D0B96E6E53D}.exe

Filesize
180KB

MD5
971c02d6c979d8962d850976d65b8f83

SHA1
eb5c4a4c48cfe036c8f72dba1cceec00c617e3d3

SHA256
ea68b6de7f294e4a76d3586f1d3a0dfd56556f67b8c49e1b6cb82e59d9545358

SHA512
acd16515b6b9cd959eb639d6321f56e1bef9ad7da36d417429516a211bad680c37a3a4d1f29bb188e2b1c8e70b00f1a04524ab234878413034096f1906530987

Download Submit
C:\Windows\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe

Filesize
180KB

MD5
87afcdcdf66fda8e94a92187d5c1f796

SHA1
235f0b9ccf3dd75932f63059a06d5ec0531be0ca

SHA256
2a33a3e852eccbedabee8c1cc9ba8aaff886efaa747d906cffeaf44a0fa322c5

SHA512
429b2d30746866137cfc1b28ef93b0917aa690f3ab9177890d090a7b73c28006e746e3110ff91af708d0ce04206e955e8d6d2dab415c79b7e13baef9ce79adfe

Download Submit
C:\Windows\{76139A9D-4D57-42a3-B436-0D4616DF6653}.exe

Filesize
180KB

MD5
87afcdcdf66fda8e94a92187d5c1f796

SHA1
235f0b9ccf3dd75932f63059a06d5ec0531be0ca

SHA256
2a33a3e852eccbedabee8c1cc9ba8aaff886efaa747d906cffeaf44a0fa322c5

SHA512
429b2d30746866137cfc1b28ef93b0917aa690f3ab9177890d090a7b73c28006e746e3110ff91af708d0ce04206e955e8d6d2dab415c79b7e13baef9ce79adfe

Download Submit
C:\Windows\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe

Filesize
180KB

MD5
1595b7f0214f2b538c171ed87c4c3234

SHA1
d89f9c490e7987a2d2a0c80a8125327264b8a43a

SHA256
f068bfa7ec4a866eff64c68771593449abc653124485dedcfb84ea553be04158

SHA512
1af684e9ef7cac582b44b01814ee08d2bfe0ead9f4169cc5c07b9a5fe97722e4b7b86f58bf7d783f1ff44972f5bce4f975da29021b31c58bb850838f2df3b999

Download Submit
C:\Windows\{93F6923A-6E0E-4cbe-846E-36A3B17D41A8}.exe

Filesize
180KB

MD5
1595b7f0214f2b538c171ed87c4c3234

SHA1
d89f9c490e7987a2d2a0c80a8125327264b8a43a

SHA256
f068bfa7ec4a866eff64c68771593449abc653124485dedcfb84ea553be04158

SHA512
1af684e9ef7cac582b44b01814ee08d2bfe0ead9f4169cc5c07b9a5fe97722e4b7b86f58bf7d783f1ff44972f5bce4f975da29021b31c58bb850838f2df3b999

Download Submit
C:\Windows\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe

Filesize
180KB

MD5
a3c4db92690d71f5b316f22d080908e8

SHA1
c7858655521d43235052aa1886ffa27f8dfbbf68

SHA256
6ce93afa98986acaedf58d2d69e3ee015e980a802b127e16205c878e45d3b377

SHA512
495b8d616bab4a864dbea840ce75e369d0542b0d40b97f67022a3bd32b6610c9d051124bbd1ab211f7e57bcb82a103a85836afc9f24c80fc91cc4b65be1c79f5

Download Submit
C:\Windows\{9E6D46C8-ABD6-49ba-A924-466FB45ECCF0}.exe

Filesize
180KB

MD5
a3c4db92690d71f5b316f22d080908e8

SHA1
c7858655521d43235052aa1886ffa27f8dfbbf68

SHA256
6ce93afa98986acaedf58d2d69e3ee015e980a802b127e16205c878e45d3b377

SHA512
495b8d616bab4a864dbea840ce75e369d0542b0d40b97f67022a3bd32b6610c9d051124bbd1ab211f7e57bcb82a103a85836afc9f24c80fc91cc4b65be1c79f5

Download Submit
C:\Windows\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe

Filesize
180KB

MD5
b844201e19d5462412a1f54aa67d2251

SHA1
a511efb1c0473dbdf02add0704d98b6622bcaee7

SHA256
0487c6206b7eea70ec2cc0d38a9eacd4da907b23d3717e1d0007bdcc3861386c

SHA512
07fd8022393daf770b6de5e0667f4d361b6cb27f5e35526fac01c49993b189761bfdda2a1d36e86de13f0d53c76e71875d96e2544ee43268150be5d936b28bd0

Download Submit
C:\Windows\{CA512E2F-ED66-444e-B40D-B798F3363AE4}.exe

Filesize
180KB

MD5
b844201e19d5462412a1f54aa67d2251

SHA1
a511efb1c0473dbdf02add0704d98b6622bcaee7

SHA256
0487c6206b7eea70ec2cc0d38a9eacd4da907b23d3717e1d0007bdcc3861386c

SHA512
07fd8022393daf770b6de5e0667f4d361b6cb27f5e35526fac01c49993b189761bfdda2a1d36e86de13f0d53c76e71875d96e2544ee43268150be5d936b28bd0

Download Submit
C:\Windows\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe

Filesize
180KB

MD5
6ed8cbf3e74c8e3b47753c68e5d6e14f

SHA1
a9c2711db51e146b019d547bb8f98118ff72a362

SHA256
c51f45b002b7877eb095f6dcbc893ef12a5ab8b6c2ed249171c125a97a7c7263

SHA512
6734b2f95ed49d1a8fdb37602e19ed502f67c7b97b6ce694beda419e19fc29bd183fa1a795e6f00428b4b0052d9af1dc310d3e99c5c714390b20a8802e62b1a4

Download Submit
C:\Windows\{E7EB4510-A6A6-4e6d-A7AA-5D91AC765C7E}.exe

Filesize
180KB

MD5
6ed8cbf3e74c8e3b47753c68e5d6e14f

SHA1
a9c2711db51e146b019d547bb8f98118ff72a362

SHA256
c51f45b002b7877eb095f6dcbc893ef12a5ab8b6c2ed249171c125a97a7c7263

SHA512
6734b2f95ed49d1a8fdb37602e19ed502f67c7b97b6ce694beda419e19fc29bd183fa1a795e6f00428b4b0052d9af1dc310d3e99c5c714390b20a8802e62b1a4

Download Submit
C:\Windows\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe

Filesize
180KB

MD5
10599d891d692b16cbfd3fd5494c82b2

SHA1
dda38e4f3371a9349e264a201b04978d10bf78f4

SHA256
82065dec49b99d63a3989a23854109a263b5f05f7a5869f228efeba881d20656

SHA512
26471d6fc6e0b6e3e48d2c15b0aab8078a5b840c85a13621b509f2ffe88d43bd221612a8e7b24e4d28aee593fcb758ba7fb6f8ec69648b307b597088eadae12b

Download Submit
C:\Windows\{EB901373-3AE3-4de1-B5E5-F4554E39E912}.exe

Filesize
180KB

MD5
10599d891d692b16cbfd3fd5494c82b2

SHA1
dda38e4f3371a9349e264a201b04978d10bf78f4

SHA256
82065dec49b99d63a3989a23854109a263b5f05f7a5869f228efeba881d20656

SHA512
26471d6fc6e0b6e3e48d2c15b0aab8078a5b840c85a13621b509f2ffe88d43bd221612a8e7b24e4d28aee593fcb758ba7fb6f8ec69648b307b597088eadae12b

Download Submit
C:\Windows\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe

Filesize
180KB

MD5
8e36de801c63932a8712827cc4d654e0

SHA1
4e48c9633aba7fe9e1aa8d0417642ffa629885b7

SHA256
cfe314c79cfc1c8e8455cc98cb9bbe5a18ccb897ba86a9e0008e5691a0079039

SHA512
fe38baa4ec4619797f915714ce69be03ec7515414bbbbfa33917a1b7b4745f0897c9b0b551400d5adaf9255d4cecfc2da69391ae96aa3b91964d087d4cd59160

Download Submit
C:\Windows\{EE219883-9EE8-47f5-9EA4-8BD4C717A728}.exe

Filesize
180KB

MD5
8e36de801c63932a8712827cc4d654e0

SHA1
4e48c9633aba7fe9e1aa8d0417642ffa629885b7

SHA256
cfe314c79cfc1c8e8455cc98cb9bbe5a18ccb897ba86a9e0008e5691a0079039

SHA512
fe38baa4ec4619797f915714ce69be03ec7515414bbbbfa33917a1b7b4745f0897c9b0b551400d5adaf9255d4cecfc2da69391ae96aa3b91964d087d4cd59160

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads