e085e458dea3be0f1031fcdb3c4bc2d2d074187c349bb89b61b5cff25a2db38e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Size

408KB
MD5

26ca6942dd85f99b76c9300d49188935
SHA1

aa07ee978002ab86e1ecdb29f2cb25ed22828954
SHA256

e085e458dea3be0f1031fcdb3c4bc2d2d074187c349bb89b61b5cff25a2db38e
SHA512

7832bce86947060edb7a4ee0ae2f1a2f6edd1c672d2d6122a3eee73b46d63f2cce194a21f9fc7a987020b3c1e1052cc0b3f4a615e753459cb42bf6fa941f635b
SSDEEP

3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGMldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6A7ABB8-483C-4163-BED6-1723644FD82B}	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E0C5E3-D0AA-4c99-BB02-976251259E56}\stubpath = "C:\\Windows\\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe"	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83ECA73D-A34F-4466-99B7-DB33506F5355}\stubpath = "C:\\Windows\\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe"	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}\stubpath = "C:\\Windows\\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe"	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}\stubpath = "C:\\Windows\\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe"	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}\stubpath = "C:\\Windows\\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe"	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}\stubpath = "C:\\Windows\\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe"	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}	{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}\stubpath = "C:\\Windows\\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe"	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8497447A-439B-4b86-9431-F421CA9B15AE}	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8497447A-439B-4b86-9431-F421CA9B15AE}\stubpath = "C:\\Windows\\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe"	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}\stubpath = "C:\\Windows\\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe"	{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}\stubpath = "C:\\Windows\\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe"	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83ECA73D-A34F-4466-99B7-DB33506F5355}	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}\stubpath = "C:\\Windows\\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe"	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6A7ABB8-483C-4163-BED6-1723644FD82B}\stubpath = "C:\\Windows\\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe"	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E0C5E3-D0AA-4c99-BB02-976251259E56}	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
2196	{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
3664	{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
File created	C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
File created	C:\Windows\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
File created	C:\Windows\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
File created	C:\Windows\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe	{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
File created	C:\Windows\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
File created	C:\Windows\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
File created	C:\Windows\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
File created	C:\Windows\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
File created	C:\Windows\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
File created	C:\Windows\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
File created	C:\Windows\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
Token: SeIncBasePriorityPrivilege	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
Token: SeIncBasePriorityPrivilege	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
Token: SeIncBasePriorityPrivilege	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
Token: SeIncBasePriorityPrivilege	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
Token: SeIncBasePriorityPrivilege	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
Token: SeIncBasePriorityPrivilege	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
Token: SeIncBasePriorityPrivilege	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
Token: SeIncBasePriorityPrivilege	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
Token: SeIncBasePriorityPrivilege	4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
Token: SeIncBasePriorityPrivilege	2196	{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2024	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	87
PID 2432 wrote to memory of 2024	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	87
PID 2432 wrote to memory of 2024	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	87
PID 2432 wrote to memory of 884	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	88
PID 2432 wrote to memory of 884	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	88
PID 2432 wrote to memory of 884	2432	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	88
PID 2024 wrote to memory of 4212	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	89
PID 2024 wrote to memory of 4212	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	89
PID 2024 wrote to memory of 4212	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	89
PID 2024 wrote to memory of 4264	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	90
PID 2024 wrote to memory of 4264	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	90
PID 2024 wrote to memory of 4264	2024	{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe	90
PID 4212 wrote to memory of 2844	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	95
PID 4212 wrote to memory of 2844	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	95
PID 4212 wrote to memory of 2844	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	95
PID 4212 wrote to memory of 2120	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	94
PID 4212 wrote to memory of 2120	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	94
PID 4212 wrote to memory of 2120	4212	{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe	94
PID 2844 wrote to memory of 2380	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	96
PID 2844 wrote to memory of 2380	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	96
PID 2844 wrote to memory of 2380	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	96
PID 2844 wrote to memory of 5052	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	97
PID 2844 wrote to memory of 5052	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	97
PID 2844 wrote to memory of 5052	2844	{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe	97
PID 2380 wrote to memory of 4600	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	98
PID 2380 wrote to memory of 4600	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	98
PID 2380 wrote to memory of 4600	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	98
PID 2380 wrote to memory of 4412	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	99
PID 2380 wrote to memory of 4412	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	99
PID 2380 wrote to memory of 4412	2380	{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe	99
PID 4600 wrote to memory of 1764	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	100
PID 4600 wrote to memory of 1764	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	100
PID 4600 wrote to memory of 1764	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	100
PID 4600 wrote to memory of 5012	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	101
PID 4600 wrote to memory of 5012	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	101
PID 4600 wrote to memory of 5012	4600	{8497447A-439B-4b86-9431-F421CA9B15AE}.exe	101
PID 1764 wrote to memory of 1676	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	102
PID 1764 wrote to memory of 1676	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	102
PID 1764 wrote to memory of 1676	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	102
PID 1764 wrote to memory of 4332	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	103
PID 1764 wrote to memory of 4332	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	103
PID 1764 wrote to memory of 4332	1764	{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe	103
PID 1676 wrote to memory of 3108	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	104
PID 1676 wrote to memory of 3108	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	104
PID 1676 wrote to memory of 3108	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	104
PID 1676 wrote to memory of 4700	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	105
PID 1676 wrote to memory of 4700	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	105
PID 1676 wrote to memory of 4700	1676	{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe	105
PID 3108 wrote to memory of 4720	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	106
PID 3108 wrote to memory of 4720	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	106
PID 3108 wrote to memory of 4720	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	106
PID 3108 wrote to memory of 4448	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	107
PID 3108 wrote to memory of 4448	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	107
PID 3108 wrote to memory of 4448	3108	{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe	107
PID 4720 wrote to memory of 4516	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	108
PID 4720 wrote to memory of 4516	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	108
PID 4720 wrote to memory of 4516	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	108
PID 4720 wrote to memory of 5108	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	109
PID 4720 wrote to memory of 5108	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	109
PID 4720 wrote to memory of 5108	4720	{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe	109
PID 4516 wrote to memory of 2196	4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe	110
PID 4516 wrote to memory of 2196	4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe	110
PID 4516 wrote to memory of 2196	4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe	110
PID 4516 wrote to memory of 4112	4516	{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
  C:\Windows\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
    C:\Windows\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD143~1.EXE > nul
      4⤵
      PID:2120
  - - C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
      C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
        
        C:\Windows\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
        
        C:\Windows\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
        
        C:\Windows\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
        
        C:\Windows\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
        
        C:\Windows\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
        
        C:\Windows\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
        
        C:\Windows\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
        
        C:\Windows\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe
        
        C:\Windows\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe
        13⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CBF4~1.EXE > nul
        13⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D15EB~1.EXE > nul
        12⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A78F6~1.EXE > nul
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8508~1.EXE > nul
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E0C~1.EXE > nul
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFEBF~1.EXE > nul
        8⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84974~1.EXE > nul
        7⤵
        
        PID:5012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6A7A~1.EXE > nul
        6⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83ECA~1.EXE > nul
        5⤵
        
        PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4883~1.EXE > nul
    3⤵
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe

Filesize
408KB

MD5
7bccec45c1e0acb4b0e93adf7eb8c678

SHA1
3d466e028972c94f6e21b9c62095af6e61f7fc2f

SHA256
901de579fbbe7d709e5664e7863d0df78b2b71e3d1689fdd7eecd33e5c1bbb53

SHA512
7cd74847236aee43412633111813e045b7abbc783805a78bc70493e8b26b67464e1042d743ec4ee2b3da38cb519c5d8d140cda96690f15f41ed513632f00ae1c

Download Submit
C:\Windows\{49E0C5E3-D0AA-4c99-BB02-976251259E56}.exe

Filesize
408KB

MD5
7bccec45c1e0acb4b0e93adf7eb8c678

SHA1
3d466e028972c94f6e21b9c62095af6e61f7fc2f

SHA256
901de579fbbe7d709e5664e7863d0df78b2b71e3d1689fdd7eecd33e5c1bbb53

SHA512
7cd74847236aee43412633111813e045b7abbc783805a78bc70493e8b26b67464e1042d743ec4ee2b3da38cb519c5d8d140cda96690f15f41ed513632f00ae1c

Download Submit
C:\Windows\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe

Filesize
408KB

MD5
1f0a6f31fd80bdbd424a270dc2efef84

SHA1
5fbcede746cafa4a9592337624e0e65410da10be

SHA256
1fb1e884391c0285b89271beb3aa673e111b1a324e945eaf1f6b158aa3cb7f0b

SHA512
d1ac6068a9d903f2d15314707a6e955c30bde334d2509054d491d565a85fde88d9dad1206466efda56b724551e83d42bedf4aa58b83ab5d43d5e23654bc78d2f

Download Submit
C:\Windows\{5CBF46A5-CB7C-44fc-9BA7-3E15007F42E0}.exe

Filesize
408KB

MD5
1f0a6f31fd80bdbd424a270dc2efef84

SHA1
5fbcede746cafa4a9592337624e0e65410da10be

SHA256
1fb1e884391c0285b89271beb3aa673e111b1a324e945eaf1f6b158aa3cb7f0b

SHA512
d1ac6068a9d903f2d15314707a6e955c30bde334d2509054d491d565a85fde88d9dad1206466efda56b724551e83d42bedf4aa58b83ab5d43d5e23654bc78d2f

Download Submit
C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe

Filesize
408KB

MD5
55ad2aacc5c5d3e564d0cf0dd1567229

SHA1
429db1a4b5fa322c41ac108378779312feb670d7

SHA256
addc8c831024f589f301597ac1e3cf805546bb5d1c033a0f2a55a159e6482ba3

SHA512
483f24d73913e589ad8e7cff51874f90bb5b2911096d5cb105ef079c2ff94dc8987c23177ede86e648d6a5d3a23a61770e859a8bbf6e59a67a71e9957b6103f2

Download Submit
C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe

Filesize
408KB

MD5
55ad2aacc5c5d3e564d0cf0dd1567229

SHA1
429db1a4b5fa322c41ac108378779312feb670d7

SHA256
addc8c831024f589f301597ac1e3cf805546bb5d1c033a0f2a55a159e6482ba3

SHA512
483f24d73913e589ad8e7cff51874f90bb5b2911096d5cb105ef079c2ff94dc8987c23177ede86e648d6a5d3a23a61770e859a8bbf6e59a67a71e9957b6103f2

Download Submit
C:\Windows\{83ECA73D-A34F-4466-99B7-DB33506F5355}.exe

Filesize
408KB

MD5
55ad2aacc5c5d3e564d0cf0dd1567229

SHA1
429db1a4b5fa322c41ac108378779312feb670d7

SHA256
addc8c831024f589f301597ac1e3cf805546bb5d1c033a0f2a55a159e6482ba3

SHA512
483f24d73913e589ad8e7cff51874f90bb5b2911096d5cb105ef079c2ff94dc8987c23177ede86e648d6a5d3a23a61770e859a8bbf6e59a67a71e9957b6103f2

Download Submit
C:\Windows\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe

Filesize
408KB

MD5
2a9c8556f2a3296c372c1f16e85b611f

SHA1
44b79fdb9ce134e96a8d5a1b95cef232e1b5fb18

SHA256
0d52b0ab9f01e544c28a541e4cf5718c015dfb939d84725feda07bd75147e496

SHA512
7c8b9258774fa513a61ebb773385e7d88f9c85a320a60cf69b94ceff12878b0a30db60f09c6f22a75cf731d65742875e00603e24e5607277f5fc242a8b40eefa

Download Submit
C:\Windows\{8497447A-439B-4b86-9431-F421CA9B15AE}.exe

Filesize
408KB

MD5
2a9c8556f2a3296c372c1f16e85b611f

SHA1
44b79fdb9ce134e96a8d5a1b95cef232e1b5fb18

SHA256
0d52b0ab9f01e544c28a541e4cf5718c015dfb939d84725feda07bd75147e496

SHA512
7c8b9258774fa513a61ebb773385e7d88f9c85a320a60cf69b94ceff12878b0a30db60f09c6f22a75cf731d65742875e00603e24e5607277f5fc242a8b40eefa

Download Submit
C:\Windows\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe

Filesize
408KB

MD5
fed6e907ebe7da5c3213e783aa8f33a4

SHA1
c131d3f7da4339b38436f9d98c2cf32c6e070170

SHA256
04edcee44303b0dd912bbe7a699e243c44b0c7eb67e0ec80263ba67e5865d43a

SHA512
419c95a1a02c6ffc76067dbcd471532cd94d41c42e38a57c001a77b7f9fdfa2b7d7ec6cac81a956cfc6349547be056a838c7c1014ec11ddc93428f99427c43c4

Download Submit
C:\Windows\{A78F67EA-A1C9-4c3d-9A71-35007F27A184}.exe

Filesize
408KB

MD5
fed6e907ebe7da5c3213e783aa8f33a4

SHA1
c131d3f7da4339b38436f9d98c2cf32c6e070170

SHA256
04edcee44303b0dd912bbe7a699e243c44b0c7eb67e0ec80263ba67e5865d43a

SHA512
419c95a1a02c6ffc76067dbcd471532cd94d41c42e38a57c001a77b7f9fdfa2b7d7ec6cac81a956cfc6349547be056a838c7c1014ec11ddc93428f99427c43c4

Download Submit
C:\Windows\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe

Filesize
408KB

MD5
e4bc81f3e2864ac5ce45945db6fdf1ff

SHA1
8feb7af0d3d9e947028b2d327c47860833322f33

SHA256
d349a1036ef2433019000aa91415e8528e5e483711f328a3eaa5d45ab5c8d25b

SHA512
9565857a22e5dc4970f9fa089bddfc7d5847fbfa1b601a50ad83da142ab80ce818eec4a778a67f361fbd235dbcfd705672628f476b7d2b82f29c9e92d9a123b9

Download Submit
C:\Windows\{B22777EC-BBC6-4f10-823A-6B6EE70095CD}.exe

Filesize
408KB

MD5
e4bc81f3e2864ac5ce45945db6fdf1ff

SHA1
8feb7af0d3d9e947028b2d327c47860833322f33

SHA256
d349a1036ef2433019000aa91415e8528e5e483711f328a3eaa5d45ab5c8d25b

SHA512
9565857a22e5dc4970f9fa089bddfc7d5847fbfa1b601a50ad83da142ab80ce818eec4a778a67f361fbd235dbcfd705672628f476b7d2b82f29c9e92d9a123b9

Download Submit
C:\Windows\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe

Filesize
408KB

MD5
52bf96218a89f7f29564c99cb269e3ef

SHA1
1f232432c8e3fda3f24423303b1014b258cfedea

SHA256
9852d711f3e056131b75fb20306f46b238e4ed62606f107f074ee60fa1f45539

SHA512
75890a1d74634703fd404638e9eebf8b783cf86f5d9a470d36eafab5c48cd65c80efa3171918678c075e9c731755f38d182b8f741553ed643094ddeafa8e01df

Download Submit
C:\Windows\{BD1430E9-3D89-4fe3-B2F9-BB6F115258C3}.exe

Filesize
408KB

MD5
52bf96218a89f7f29564c99cb269e3ef

SHA1
1f232432c8e3fda3f24423303b1014b258cfedea

SHA256
9852d711f3e056131b75fb20306f46b238e4ed62606f107f074ee60fa1f45539

SHA512
75890a1d74634703fd404638e9eebf8b783cf86f5d9a470d36eafab5c48cd65c80efa3171918678c075e9c731755f38d182b8f741553ed643094ddeafa8e01df

Download Submit
C:\Windows\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe

Filesize
408KB

MD5
aa192c7733cb05df7e909e9d61257502

SHA1
86dfbde8b6b7307e570b7de746a0b116e8389716

SHA256
c5a0266c4a9a715b6101364499f93c1fcf1bc1ca003f42e7bc8085d2f6889643

SHA512
5c890bbbf14e7ee7e4b5e4e640891543087323974525593f90217c1d3eed37acdf14ae06bfdd451ea86c0209d02a6537fa93bff5cac0b5e8c86ce8d8b8d96526

Download Submit
C:\Windows\{BFEBF412-3FF3-464a-A5A0-82ED198C682D}.exe

Filesize
408KB

MD5
aa192c7733cb05df7e909e9d61257502

SHA1
86dfbde8b6b7307e570b7de746a0b116e8389716

SHA256
c5a0266c4a9a715b6101364499f93c1fcf1bc1ca003f42e7bc8085d2f6889643

SHA512
5c890bbbf14e7ee7e4b5e4e640891543087323974525593f90217c1d3eed37acdf14ae06bfdd451ea86c0209d02a6537fa93bff5cac0b5e8c86ce8d8b8d96526

Download Submit
C:\Windows\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe

Filesize
408KB

MD5
778cf5f0b433ebf3f43c9e02d98b6258

SHA1
47a0b4258f71c16ff455e393f491911863f14b18

SHA256
b697163594badcd1ff5454d7daa3328b6ba3510749bb5daa9d72a252da8dbe37

SHA512
8b2cc9dc7bee7fe1048ad40c7e33653137bd4c49cd2c34cc6c1fbd3add45130a00296aa521d82399152965ccb4e2e4c50fe2ceb2216e753a84377644d62c23ec

Download Submit
C:\Windows\{C8508B8D-A8BD-45f1-8893-28BBBF158A71}.exe

Filesize
408KB

MD5
778cf5f0b433ebf3f43c9e02d98b6258

SHA1
47a0b4258f71c16ff455e393f491911863f14b18

SHA256
b697163594badcd1ff5454d7daa3328b6ba3510749bb5daa9d72a252da8dbe37

SHA512
8b2cc9dc7bee7fe1048ad40c7e33653137bd4c49cd2c34cc6c1fbd3add45130a00296aa521d82399152965ccb4e2e4c50fe2ceb2216e753a84377644d62c23ec

Download Submit
C:\Windows\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe

Filesize
408KB

MD5
fd97f32ee809a4e914b500aaa554ba97

SHA1
3d7853622cbb45215e6f2d0e23aaf6757514971c

SHA256
43d7c89879b6f4c91bf09c13760b7c3b50a9f4a801dbb533938156bba65877c4

SHA512
c1ea5c04a2bebca1b82450c9e71a841be3bc4c8e7cceacdc3c3454b43744d2a92c1553d094c4c10cf5644af813522b3df74b4b8ecffce94569d2a2bcdd86688e

Download Submit
C:\Windows\{D15EB4E2-5B03-4aec-9D24-544B6D029E51}.exe

Filesize
408KB

MD5
fd97f32ee809a4e914b500aaa554ba97

SHA1
3d7853622cbb45215e6f2d0e23aaf6757514971c

SHA256
43d7c89879b6f4c91bf09c13760b7c3b50a9f4a801dbb533938156bba65877c4

SHA512
c1ea5c04a2bebca1b82450c9e71a841be3bc4c8e7cceacdc3c3454b43744d2a92c1553d094c4c10cf5644af813522b3df74b4b8ecffce94569d2a2bcdd86688e

Download Submit
C:\Windows\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe

Filesize
408KB

MD5
d32d104daabbd43f75e4d7cf8a101f1d

SHA1
948c99f48c9de2676cd9b0315bb2ff3dfe68ef43

SHA256
2c05b4db38c3038fc6d925c472248ea7e180dd5394c5da22d9651c4ec2c5f44c

SHA512
b1913b97b610d4e12f0707b0d971d5b8178d13f8dbb1c70dd5df1414904f5ba44cfa871a4eb6043d791c224d1177d5dbb83c956c7f3be39cfa71bf09e9be775f

Download Submit
C:\Windows\{D6A7ABB8-483C-4163-BED6-1723644FD82B}.exe

Filesize
408KB

MD5
d32d104daabbd43f75e4d7cf8a101f1d

SHA1
948c99f48c9de2676cd9b0315bb2ff3dfe68ef43

SHA256
2c05b4db38c3038fc6d925c472248ea7e180dd5394c5da22d9651c4ec2c5f44c

SHA512
b1913b97b610d4e12f0707b0d971d5b8178d13f8dbb1c70dd5df1414904f5ba44cfa871a4eb6043d791c224d1177d5dbb83c956c7f3be39cfa71bf09e9be775f

Download Submit
C:\Windows\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe

Filesize
408KB

MD5
d532d23af3dec10a650b263988aade4c

SHA1
bac534efe010088ece312da35267ae4b211e7c41

SHA256
e0672306c182add6687a43cf960065c1d72841ba64b9c6fba2f05bfc4b04bf72

SHA512
ab3b3ca21d5d2d61891fa7340f8858b94c0070760a71a08aff73ade23a9a74a7190746a05141fedd42685f1081719a60f436605db3742a14a630a2d7907c93cb

Download Submit
C:\Windows\{E4883198-2A8E-46fc-9DA8-FA9361EC45B2}.exe

Filesize
408KB

MD5
d532d23af3dec10a650b263988aade4c

SHA1
bac534efe010088ece312da35267ae4b211e7c41

SHA256
e0672306c182add6687a43cf960065c1d72841ba64b9c6fba2f05bfc4b04bf72

SHA512
ab3b3ca21d5d2d61891fa7340f8858b94c0070760a71a08aff73ade23a9a74a7190746a05141fedd42685f1081719a60f436605db3742a14a630a2d7907c93cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads