a573ccfd54f6b06429bb93fbe61e8f8a5aab987c4e76ef1ad866f283bb0896af

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Size

380KB
MD5

176645ee628951b5a5b4215959c64568
SHA1

20bccd9a3e14dae0ad1c84732bcdfab9b44db601
SHA256

a573ccfd54f6b06429bb93fbe61e8f8a5aab987c4e76ef1ad866f283bb0896af
SHA512

ffe65511db859b84d84328ae7804f05d87a69b074af16bd81146c0b6ecc779650f2069db23d384b5cf11f98cc25885cc246439a42019749b83b78f9a020c7ef5
SSDEEP

3072:mEGh0ooZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542E84DF-0B31-4589-AD39-9D62DA6196BF}	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC2B2E4-1986-484d-9173-9D689970C855}	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16C5404-2970-4a40-8C4A-11B46F89A31F}	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C40E6C0-91FD-4f83-8E57-489450489868}\stubpath = "C:\\Windows\\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe"	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646A7429-C06C-4085-B657-F72B1667FA44}\stubpath = "C:\\Windows\\{646A7429-C06C-4085-B657-F72B1667FA44}.exe"	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}\stubpath = "C:\\Windows\\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe"	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99319794-0CA2-4350-BF58-0DAB185A0018}\stubpath = "C:\\Windows\\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe"	{646A7429-C06C-4085-B657-F72B1667FA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99319794-0CA2-4350-BF58-0DAB185A0018}	{646A7429-C06C-4085-B657-F72B1667FA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC2B2E4-1986-484d-9173-9D689970C855}\stubpath = "C:\\Windows\\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe"	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1722CB-A854-4670-81D4-95CAC95D2704}	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542E84DF-0B31-4589-AD39-9D62DA6196BF}\stubpath = "C:\\Windows\\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe"	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}\stubpath = "C:\\Windows\\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe"	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16C5404-2970-4a40-8C4A-11B46F89A31F}\stubpath = "C:\\Windows\\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe"	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}\stubpath = "C:\\Windows\\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe"	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C40E6C0-91FD-4f83-8E57-489450489868}	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1722CB-A854-4670-81D4-95CAC95D2704}\stubpath = "C:\\Windows\\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe"	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4320948-D2A5-448c-857E-AB1E270EF0B2}	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}\stubpath = "C:\\Windows\\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe"	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{646A7429-C06C-4085-B657-F72B1667FA44}	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4320948-D2A5-448c-857E-AB1E270EF0B2}\stubpath = "C:\\Windows\\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe"	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
4792	{646A7429-C06C-4085-B657-F72B1667FA44}.exe
4180	{99319794-0CA2-4350-BF58-0DAB185A0018}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
File created	C:\Windows\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
File created	C:\Windows\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
File created	C:\Windows\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
File created	C:\Windows\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
File created	C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
File created	C:\Windows\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
File created	C:\Windows\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
File created	C:\Windows\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
File created	C:\Windows\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
File created	C:\Windows\{646A7429-C06C-4085-B657-F72B1667FA44}.exe	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
File created	C:\Windows\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe	{646A7429-C06C-4085-B657-F72B1667FA44}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
Token: SeIncBasePriorityPrivilege	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
Token: SeIncBasePriorityPrivilege	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
Token: SeIncBasePriorityPrivilege	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
Token: SeIncBasePriorityPrivilege	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
Token: SeIncBasePriorityPrivilege	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
Token: SeIncBasePriorityPrivilege	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
Token: SeIncBasePriorityPrivilege	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
Token: SeIncBasePriorityPrivilege	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
Token: SeIncBasePriorityPrivilege	4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
Token: SeIncBasePriorityPrivilege	4792	{646A7429-C06C-4085-B657-F72B1667FA44}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3660	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	89
PID 2304 wrote to memory of 3660	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	89
PID 2304 wrote to memory of 3660	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	89
PID 2304 wrote to memory of 2696	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	90
PID 2304 wrote to memory of 2696	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	90
PID 2304 wrote to memory of 2696	2304	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	90
PID 3660 wrote to memory of 1912	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	91
PID 3660 wrote to memory of 1912	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	91
PID 3660 wrote to memory of 1912	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	91
PID 3660 wrote to memory of 3684	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	92
PID 3660 wrote to memory of 3684	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	92
PID 3660 wrote to memory of 3684	3660	{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe	92
PID 1912 wrote to memory of 2068	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	98
PID 1912 wrote to memory of 2068	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	98
PID 1912 wrote to memory of 2068	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	98
PID 1912 wrote to memory of 2416	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	97
PID 1912 wrote to memory of 2416	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	97
PID 1912 wrote to memory of 2416	1912	{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe	97
PID 2068 wrote to memory of 2784	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	99
PID 2068 wrote to memory of 2784	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	99
PID 2068 wrote to memory of 2784	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	99
PID 2068 wrote to memory of 4932	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	100
PID 2068 wrote to memory of 4932	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	100
PID 2068 wrote to memory of 4932	2068	{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe	100
PID 2784 wrote to memory of 1676	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	101
PID 2784 wrote to memory of 1676	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	101
PID 2784 wrote to memory of 1676	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	101
PID 2784 wrote to memory of 4136	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	102
PID 2784 wrote to memory of 4136	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	102
PID 2784 wrote to memory of 4136	2784	{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe	102
PID 1676 wrote to memory of 1172	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	103
PID 1676 wrote to memory of 1172	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	103
PID 1676 wrote to memory of 1172	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	103
PID 1676 wrote to memory of 2248	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	104
PID 1676 wrote to memory of 2248	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	104
PID 1676 wrote to memory of 2248	1676	{AEC2B2E4-1986-484d-9173-9D689970C855}.exe	104
PID 1172 wrote to memory of 2780	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	105
PID 1172 wrote to memory of 2780	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	105
PID 1172 wrote to memory of 2780	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	105
PID 1172 wrote to memory of 3476	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	106
PID 1172 wrote to memory of 3476	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	106
PID 1172 wrote to memory of 3476	1172	{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe	106
PID 2780 wrote to memory of 4728	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	110
PID 2780 wrote to memory of 4728	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	110
PID 2780 wrote to memory of 4728	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	110
PID 2780 wrote to memory of 1472	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	111
PID 2780 wrote to memory of 1472	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	111
PID 2780 wrote to memory of 1472	2780	{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe	111
PID 4728 wrote to memory of 4044	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	112
PID 4728 wrote to memory of 4044	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	112
PID 4728 wrote to memory of 4044	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	112
PID 4728 wrote to memory of 4924	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	113
PID 4728 wrote to memory of 4924	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	113
PID 4728 wrote to memory of 4924	4728	{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe	113
PID 4044 wrote to memory of 4692	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	114
PID 4044 wrote to memory of 4692	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	114
PID 4044 wrote to memory of 4692	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	114
PID 4044 wrote to memory of 1248	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	115
PID 4044 wrote to memory of 1248	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	115
PID 4044 wrote to memory of 1248	4044	{5C40E6C0-91FD-4f83-8E57-489450489868}.exe	115
PID 4692 wrote to memory of 4792	4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe	116
PID 4692 wrote to memory of 4792	4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe	116
PID 4692 wrote to memory of 4792	4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe	116
PID 4692 wrote to memory of 3944	4692	{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe	117

C:\Users\Admin\AppData\Local\Temp\2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
  C:\Windows\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
    C:\Windows\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9EAD~1.EXE > nul
      4⤵
      PID:2416
  - - C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
      C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
        
        C:\Windows\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
        
        C:\Windows\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
        
        C:\Windows\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
        
        C:\Windows\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
        
        C:\Windows\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
        
        C:\Windows\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
        
        C:\Windows\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{646A7429-C06C-4085-B657-F72B1667FA44}.exe
        
        C:\Windows\{646A7429-C06C-4085-B657-F72B1667FA44}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe
        
        C:\Windows\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe
        13⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{646A7~1.EXE > nul
        13⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F172~1.EXE > nul
        12⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C40E~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06B96~1.EXE > nul
        10⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B16C5~1.EXE > nul
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C43C0~1.EXE > nul
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC2B~1.EXE > nul
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{542E8~1.EXE > nul
        6⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3E14~1.EXE > nul
        5⤵
        
        PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4320~1.EXE > nul
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe

Filesize
380KB

MD5
d635e6c244be19ea60f2aa78d52aef6f

SHA1
d263430df363b02e8668a89e05fb35f820b7fec1

SHA256
5fcddff6bd2f89a15d0c309d0bd41ade08e4077989720a09132f18d63dd91369

SHA512
43e21260b8c673421e4e98e0daa86b52180fb63cbaa5f8a546103044ebdffaa2e2ccda1d289f189d4eb5f078aa6cbf561c65ec42d4ac53e8813c311f9bc03106

Download Submit
C:\Windows\{06B96208-6DFD-46cf-A0C4-39C6F61454F4}.exe

Filesize
380KB

MD5
d635e6c244be19ea60f2aa78d52aef6f

SHA1
d263430df363b02e8668a89e05fb35f820b7fec1

SHA256
5fcddff6bd2f89a15d0c309d0bd41ade08e4077989720a09132f18d63dd91369

SHA512
43e21260b8c673421e4e98e0daa86b52180fb63cbaa5f8a546103044ebdffaa2e2ccda1d289f189d4eb5f078aa6cbf561c65ec42d4ac53e8813c311f9bc03106

Download Submit
C:\Windows\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe

Filesize
380KB

MD5
0c85f73303349f35a9bcd597fbcd523f

SHA1
cf9015e9735653b05c14b047d723cd48eaf6a8a1

SHA256
6ab21e331a23afadd61285c16d19b9a97fcdc3e56ce56635160678570e3d55b2

SHA512
2896b1ae3cedea3f917b5b8cc8119d3c7c8204fd7ccfd4c43bf824c67408d6ab6aac3b2fa86d6c11d62a81ee53371375cf243a4b787a9f6602c37c18a0faf9ac

Download Submit
C:\Windows\{2F1722CB-A854-4670-81D4-95CAC95D2704}.exe

Filesize
380KB

MD5
0c85f73303349f35a9bcd597fbcd523f

SHA1
cf9015e9735653b05c14b047d723cd48eaf6a8a1

SHA256
6ab21e331a23afadd61285c16d19b9a97fcdc3e56ce56635160678570e3d55b2

SHA512
2896b1ae3cedea3f917b5b8cc8119d3c7c8204fd7ccfd4c43bf824c67408d6ab6aac3b2fa86d6c11d62a81ee53371375cf243a4b787a9f6602c37c18a0faf9ac

Download Submit
C:\Windows\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe

Filesize
380KB

MD5
074f4166d6659bc69785544372692173

SHA1
a1128f73f2580323615d15517e5107982f4db21e

SHA256
7442b635109c4aec32361c8a2a45195959d6d8df0227aed15dfbb719a7228775

SHA512
ba6b5944d17ab25eddd6b7317887bddb7f95b96ac5b05f6489d83e37e07310ac57484b3619ae6030112c457e792b0c318715ef0a86704e4f42b13709763d93d9

Download Submit
C:\Windows\{542E84DF-0B31-4589-AD39-9D62DA6196BF}.exe

Filesize
380KB

MD5
074f4166d6659bc69785544372692173

SHA1
a1128f73f2580323615d15517e5107982f4db21e

SHA256
7442b635109c4aec32361c8a2a45195959d6d8df0227aed15dfbb719a7228775

SHA512
ba6b5944d17ab25eddd6b7317887bddb7f95b96ac5b05f6489d83e37e07310ac57484b3619ae6030112c457e792b0c318715ef0a86704e4f42b13709763d93d9

Download Submit
C:\Windows\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe

Filesize
380KB

MD5
af0ba44de650c2f3081ab612c4c3a8b6

SHA1
096e7228cea7bac46814097a6b0e04a377b25108

SHA256
5a78db07fb5d90c2729045d8b9f78cb2554e8572dd63696dd5934187a653ae50

SHA512
2c5fb111829af72ac80b38f267ddfe989d91bf8b46c74a9ac564be905ccf072873126409da4ec97789c6387edde12d2860c451c5ea04a946c037b5e7aee6c6ab

Download Submit
C:\Windows\{5C40E6C0-91FD-4f83-8E57-489450489868}.exe

Filesize
380KB

MD5
af0ba44de650c2f3081ab612c4c3a8b6

SHA1
096e7228cea7bac46814097a6b0e04a377b25108

SHA256
5a78db07fb5d90c2729045d8b9f78cb2554e8572dd63696dd5934187a653ae50

SHA512
2c5fb111829af72ac80b38f267ddfe989d91bf8b46c74a9ac564be905ccf072873126409da4ec97789c6387edde12d2860c451c5ea04a946c037b5e7aee6c6ab

Download Submit
C:\Windows\{646A7429-C06C-4085-B657-F72B1667FA44}.exe

Filesize
380KB

MD5
14d20c847382e343d71d49f288dc88a0

SHA1
2e880b02cd3fbbaa564d5ee0efafb0d9dd7f336a

SHA256
e41db56367d63dff1f3cc789abbb31dc4adc7fcf4867c74ad16fab27002aef0d

SHA512
a69af09167be570af71d68da70ab27c00a75d3549509a5f16631cca24cd93e19782bb7b0d8398d20a034f7b9f2fc9ee6e296eba03e43af78c5226d32bdcde296

Download Submit
C:\Windows\{646A7429-C06C-4085-B657-F72B1667FA44}.exe

Filesize
380KB

MD5
14d20c847382e343d71d49f288dc88a0

SHA1
2e880b02cd3fbbaa564d5ee0efafb0d9dd7f336a

SHA256
e41db56367d63dff1f3cc789abbb31dc4adc7fcf4867c74ad16fab27002aef0d

SHA512
a69af09167be570af71d68da70ab27c00a75d3549509a5f16631cca24cd93e19782bb7b0d8398d20a034f7b9f2fc9ee6e296eba03e43af78c5226d32bdcde296

Download Submit
C:\Windows\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe

Filesize
380KB

MD5
422816c6d2ecfa777a64930e6a425cea

SHA1
18763e00d57fb1d1757587aa7fba8e02c0fd29a8

SHA256
48bf4e17f18ee5f66303b70738e99092933589325cee877514db4cbe0949b59d

SHA512
7ae6f724694d31162649719e4e06343faded3e231697678f75f7ce331d0b609a8850c8a18546371ccad968f05b10d323f2cb223f85d0a2fbe541459dd2effdd6

Download Submit
C:\Windows\{99319794-0CA2-4350-BF58-0DAB185A0018}.exe

Filesize
380KB

MD5
422816c6d2ecfa777a64930e6a425cea

SHA1
18763e00d57fb1d1757587aa7fba8e02c0fd29a8

SHA256
48bf4e17f18ee5f66303b70738e99092933589325cee877514db4cbe0949b59d

SHA512
7ae6f724694d31162649719e4e06343faded3e231697678f75f7ce331d0b609a8850c8a18546371ccad968f05b10d323f2cb223f85d0a2fbe541459dd2effdd6

Download Submit
C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe

Filesize
380KB

MD5
86153918a03a4af2a2936cbea98a5606

SHA1
c7cff66fda27fc4ecb4b76e84fd580e533a80455

SHA256
29c0fe06b88cd7e6f743c3b403acd9795e6c042a3fe86567ec86db2ce893f337

SHA512
62f40d56dc0c93f2c055a9b3c32855304759343256f556be6be04223c2a624660f4a50a4b5d62a1fcd17fc5b5e610b17f84ef53120cb1509856da649a9e0d7bf

Download Submit
C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe

Filesize
380KB

MD5
86153918a03a4af2a2936cbea98a5606

SHA1
c7cff66fda27fc4ecb4b76e84fd580e533a80455

SHA256
29c0fe06b88cd7e6f743c3b403acd9795e6c042a3fe86567ec86db2ce893f337

SHA512
62f40d56dc0c93f2c055a9b3c32855304759343256f556be6be04223c2a624660f4a50a4b5d62a1fcd17fc5b5e610b17f84ef53120cb1509856da649a9e0d7bf

Download Submit
C:\Windows\{A3E14886-1FBE-4c05-8963-D8BA89E9C298}.exe

Filesize
380KB

MD5
86153918a03a4af2a2936cbea98a5606

SHA1
c7cff66fda27fc4ecb4b76e84fd580e533a80455

SHA256
29c0fe06b88cd7e6f743c3b403acd9795e6c042a3fe86567ec86db2ce893f337

SHA512
62f40d56dc0c93f2c055a9b3c32855304759343256f556be6be04223c2a624660f4a50a4b5d62a1fcd17fc5b5e610b17f84ef53120cb1509856da649a9e0d7bf

Download Submit
C:\Windows\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe

Filesize
380KB

MD5
0e51c565007a8d522528a25d3a118184

SHA1
5816a2d1097c93c8444a849bd82ecacad05625f5

SHA256
2e69b0382dbab8dcac76f6e00d1b6b9588e9cd7d543c0b0ed119d476d560a3dc

SHA512
edca3e709a123747bfc56809b396c54cef1cac2c5c30340d243fc22b435c45616b5cf84b62c9a0dedb37df35b397037d92f489bbc09908e9037d401d858ecdcc

Download Submit
C:\Windows\{A4320948-D2A5-448c-857E-AB1E270EF0B2}.exe

Filesize
380KB

MD5
0e51c565007a8d522528a25d3a118184

SHA1
5816a2d1097c93c8444a849bd82ecacad05625f5

SHA256
2e69b0382dbab8dcac76f6e00d1b6b9588e9cd7d543c0b0ed119d476d560a3dc

SHA512
edca3e709a123747bfc56809b396c54cef1cac2c5c30340d243fc22b435c45616b5cf84b62c9a0dedb37df35b397037d92f489bbc09908e9037d401d858ecdcc

Download Submit
C:\Windows\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe

Filesize
380KB

MD5
abc06b7e0f2bbda8faf5d38f1631bd43

SHA1
da768935ec2ab5dd704e3182c1038b01e8aa5b17

SHA256
0e58b6a9b0ed60794a33163b740d4363a37aa60d970400e0a1ddb6cb95422f64

SHA512
bb7eb705b85d59225b88b3e0944089858eb32f456fe365a43603c0515870d6ca5644695f3eb98f8f6b0764a4a5c339cbbf81fb9e3ed5404379b5f0b08e9e702d

Download Submit
C:\Windows\{AEC2B2E4-1986-484d-9173-9D689970C855}.exe

Filesize
380KB

MD5
abc06b7e0f2bbda8faf5d38f1631bd43

SHA1
da768935ec2ab5dd704e3182c1038b01e8aa5b17

SHA256
0e58b6a9b0ed60794a33163b740d4363a37aa60d970400e0a1ddb6cb95422f64

SHA512
bb7eb705b85d59225b88b3e0944089858eb32f456fe365a43603c0515870d6ca5644695f3eb98f8f6b0764a4a5c339cbbf81fb9e3ed5404379b5f0b08e9e702d

Download Submit
C:\Windows\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe

Filesize
380KB

MD5
950e1e5ea0a12b353ffc842c99e21841

SHA1
f3735d8fe5e5458733dd2f34575711cf69a32ed0

SHA256
92c3f5dae68facb74b56e208851930b5841d3359856d6f81a685a64308d3a925

SHA512
7012cc67e2578dada25c8bc4fcb745ae6337c864522ceba0f3d5afe659a802b422a4f15e7ad33722d48863894ab8d60158b19cf7a5a16ef14e008d10fd9b386a

Download Submit
C:\Windows\{B16C5404-2970-4a40-8C4A-11B46F89A31F}.exe

Filesize
380KB

MD5
950e1e5ea0a12b353ffc842c99e21841

SHA1
f3735d8fe5e5458733dd2f34575711cf69a32ed0

SHA256
92c3f5dae68facb74b56e208851930b5841d3359856d6f81a685a64308d3a925

SHA512
7012cc67e2578dada25c8bc4fcb745ae6337c864522ceba0f3d5afe659a802b422a4f15e7ad33722d48863894ab8d60158b19cf7a5a16ef14e008d10fd9b386a

Download Submit
C:\Windows\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe

Filesize
380KB

MD5
3f92951617cb8ed29c510fb2c0b78ecf

SHA1
2b1709fcae7fb6a5681e89dbe9d568ea6fbbb515

SHA256
adf3052a6dcd1a3b5b981302d8874e5d0bc333efdfa51eaede31a881a8636b4a

SHA512
c159e029e1db5b6bd07491c80ffac09349c98853f5885e452d553c032a3dd974a9a4790a657b88b04ccaa0612b79290f06c5205123728eccd52a73bd5760181c

Download Submit
C:\Windows\{C43C0415-6356-4b2f-BE63-E43DCC351BEF}.exe

Filesize
380KB

MD5
3f92951617cb8ed29c510fb2c0b78ecf

SHA1
2b1709fcae7fb6a5681e89dbe9d568ea6fbbb515

SHA256
adf3052a6dcd1a3b5b981302d8874e5d0bc333efdfa51eaede31a881a8636b4a

SHA512
c159e029e1db5b6bd07491c80ffac09349c98853f5885e452d553c032a3dd974a9a4790a657b88b04ccaa0612b79290f06c5205123728eccd52a73bd5760181c

Download Submit
C:\Windows\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe

Filesize
380KB

MD5
15ca34323563c8ce8b3d7d570cdcc12d

SHA1
7970990aabf74aa03fec1cd4c53365f3dcdcf1d8

SHA256
1440330663478ed9f3e352c52c08c0c13045140a019e810a18e149aa40868e4d

SHA512
30bf0b8f4aa1f1a4fe8fde9024c0825c4326dbb1eb89b94ab1cad31d9278517ef765cb3bcda9cd95b143dcc4248315b25a7b38af30df8b384a30d5fc9d9ebac7

Download Submit
C:\Windows\{F9EAD508-4FD7-4cf5-AB3F-8EF6782325D5}.exe

Filesize
380KB

MD5
15ca34323563c8ce8b3d7d570cdcc12d

SHA1
7970990aabf74aa03fec1cd4c53365f3dcdcf1d8

SHA256
1440330663478ed9f3e352c52c08c0c13045140a019e810a18e149aa40868e4d

SHA512
30bf0b8f4aa1f1a4fe8fde9024c0825c4326dbb1eb89b94ab1cad31d9278517ef765cb3bcda9cd95b143dcc4248315b25a7b38af30df8b384a30d5fc9d9ebac7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads