a95baf49606924e96121092be228b98b72dcc5af90e2993f01502106866c2465

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Size

344KB
MD5

21db8f6917edabda8019067da20c4e20
SHA1

432f89d0e4d02231870f444ac329b1832037a6bb
SHA256

a95baf49606924e96121092be228b98b72dcc5af90e2993f01502106866c2465
SHA512

e7cfaabf08c2fef2ea73c6daa13dcb39db14748f39adb815262c594a6ff170398e0665cc8c22278e0084ddc30ebae90aa0879282835b3176f7a03912b3ee1eb3
SSDEEP

3072:mEGh0oMlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGilqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF6EBB5-0841-481f-A153-767D1DA9F287}	{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D0BB61-82E0-49e1-B762-153570B52756}\stubpath = "C:\\Windows\\{31D0BB61-82E0-49e1-B762-153570B52756}.exe"	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}\stubpath = "C:\\Windows\\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe"	{31D0BB61-82E0-49e1-B762-153570B52756}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}\stubpath = "C:\\Windows\\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe"	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C965D0-5FDA-474d-953F-D558C2D334E9}	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280EB7B-9452-4a81-9A50-1551EA083827}	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEA58600-1581-44a9-9450-314A2406EF0E}	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEA58600-1581-44a9-9450-314A2406EF0E}\stubpath = "C:\\Windows\\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe"	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0C965D0-5FDA-474d-953F-D558C2D334E9}\stubpath = "C:\\Windows\\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe"	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}	{31D0BB61-82E0-49e1-B762-153570B52756}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}\stubpath = "C:\\Windows\\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe"	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}\stubpath = "C:\\Windows\\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe"	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}\stubpath = "C:\\Windows\\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe"	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}\stubpath = "C:\\Windows\\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe"	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF6EBB5-0841-481f-A153-767D1DA9F287}\stubpath = "C:\\Windows\\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe"	{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}\stubpath = "C:\\Windows\\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe"	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D0BB61-82E0-49e1-B762-153570B52756}	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B280EB7B-9452-4a81-9A50-1551EA083827}\stubpath = "C:\\Windows\\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe"	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe
1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
3328	{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
3380	{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	{31D0BB61-82E0-49e1-B762-153570B52756}.exe
File created	C:\Windows\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
File created	C:\Windows\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe	{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
File created	C:\Windows\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
File created	C:\Windows\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
File created	C:\Windows\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
File created	C:\Windows\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
File created	C:\Windows\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
File created	C:\Windows\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
File created	C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
File created	C:\Windows\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
File created	C:\Windows\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
Token: SeIncBasePriorityPrivilege	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
Token: SeIncBasePriorityPrivilege	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe
Token: SeIncBasePriorityPrivilege	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
Token: SeIncBasePriorityPrivilege	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
Token: SeIncBasePriorityPrivilege	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
Token: SeIncBasePriorityPrivilege	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
Token: SeIncBasePriorityPrivilege	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
Token: SeIncBasePriorityPrivilege	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
Token: SeIncBasePriorityPrivilege	2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
Token: SeIncBasePriorityPrivilege	3328	{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1056	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	94
PID 1892 wrote to memory of 1056	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	94
PID 1892 wrote to memory of 1056	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	94
PID 1892 wrote to memory of 2268	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	95
PID 1892 wrote to memory of 2268	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	95
PID 1892 wrote to memory of 2268	1892	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	95
PID 1056 wrote to memory of 644	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	98
PID 1056 wrote to memory of 644	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	98
PID 1056 wrote to memory of 644	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	98
PID 1056 wrote to memory of 1680	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	99
PID 1056 wrote to memory of 1680	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	99
PID 1056 wrote to memory of 1680	1056	{CEA58600-1581-44a9-9450-314A2406EF0E}.exe	99
PID 644 wrote to memory of 2388	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	102
PID 644 wrote to memory of 2388	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	102
PID 644 wrote to memory of 2388	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	102
PID 644 wrote to memory of 228	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	101
PID 644 wrote to memory of 228	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	101
PID 644 wrote to memory of 228	644	{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe	101
PID 2388 wrote to memory of 1076	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	103
PID 2388 wrote to memory of 1076	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	103
PID 2388 wrote to memory of 1076	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	103
PID 2388 wrote to memory of 3816	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	104
PID 2388 wrote to memory of 3816	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	104
PID 2388 wrote to memory of 3816	2388	{31D0BB61-82E0-49e1-B762-153570B52756}.exe	104
PID 1076 wrote to memory of 1956	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	105
PID 1076 wrote to memory of 1956	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	105
PID 1076 wrote to memory of 1956	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	105
PID 1076 wrote to memory of 3064	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	106
PID 1076 wrote to memory of 3064	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	106
PID 1076 wrote to memory of 3064	1076	{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe	106
PID 1956 wrote to memory of 3572	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	107
PID 1956 wrote to memory of 3572	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	107
PID 1956 wrote to memory of 3572	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	107
PID 1956 wrote to memory of 2140	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	108
PID 1956 wrote to memory of 2140	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	108
PID 1956 wrote to memory of 2140	1956	{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe	108
PID 3572 wrote to memory of 732	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	109
PID 3572 wrote to memory of 732	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	109
PID 3572 wrote to memory of 732	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	109
PID 3572 wrote to memory of 5008	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	110
PID 3572 wrote to memory of 5008	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	110
PID 3572 wrote to memory of 5008	3572	{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe	110
PID 732 wrote to memory of 3248	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	111
PID 732 wrote to memory of 3248	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	111
PID 732 wrote to memory of 3248	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	111
PID 732 wrote to memory of 3656	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	112
PID 732 wrote to memory of 3656	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	112
PID 732 wrote to memory of 3656	732	{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe	112
PID 3248 wrote to memory of 448	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	113
PID 3248 wrote to memory of 448	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	113
PID 3248 wrote to memory of 448	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	113
PID 3248 wrote to memory of 440	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	114
PID 3248 wrote to memory of 440	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	114
PID 3248 wrote to memory of 440	3248	{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe	114
PID 448 wrote to memory of 2896	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	115
PID 448 wrote to memory of 2896	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	115
PID 448 wrote to memory of 2896	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	115
PID 448 wrote to memory of 1968	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	116
PID 448 wrote to memory of 1968	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	116
PID 448 wrote to memory of 1968	448	{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe	116
PID 2896 wrote to memory of 3328	2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe	117
PID 2896 wrote to memory of 3328	2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe	117
PID 2896 wrote to memory of 3328	2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe	117
PID 2896 wrote to memory of 2192	2896	{B280EB7B-9452-4a81-9A50-1551EA083827}.exe	118

C:\Users\Admin\AppData\Local\Temp\2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
  C:\Windows\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
    C:\Windows\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{359CF~1.EXE > nul
      4⤵
      PID:228
  - - C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe
      C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
        
        C:\Windows\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
        
        C:\Windows\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
        
        C:\Windows\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
        
        C:\Windows\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
        
        C:\Windows\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
        
        C:\Windows\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
        
        C:\Windows\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
        
        C:\Windows\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe
        
        C:\Windows\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe
        13⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C16~1.EXE > nul
        13⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B280E~1.EXE > nul
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{860FF~1.EXE > nul
        11⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0C96~1.EXE > nul
        10⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71634~1.EXE > nul
        9⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C373~1.EXE > nul
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC61B~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB975~1.EXE > nul
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D0B~1.EXE > nul
        5⤵
        
        PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CEA58~1.EXE > nul
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe

Filesize
344KB

MD5
bfb4e097d26d7cd6ea2e055c7468e20c

SHA1
a7946764847e12ee50e26a93d1511458763cfc53

SHA256
21c19800e95e1ee3dac3f2167c0689786fba8c92084fd0ee3439d6488a8583f6

SHA512
6e4d27bd33265b62950ec87b68326e131f493735b7169afdfdbd08ec9cc775b53f47d19b8a55aad804101f2cd8128aafafdafb65f14e4420112f60e590d6b30d

Download Submit
C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe

Filesize
344KB

MD5
bfb4e097d26d7cd6ea2e055c7468e20c

SHA1
a7946764847e12ee50e26a93d1511458763cfc53

SHA256
21c19800e95e1ee3dac3f2167c0689786fba8c92084fd0ee3439d6488a8583f6

SHA512
6e4d27bd33265b62950ec87b68326e131f493735b7169afdfdbd08ec9cc775b53f47d19b8a55aad804101f2cd8128aafafdafb65f14e4420112f60e590d6b30d

Download Submit
C:\Windows\{31D0BB61-82E0-49e1-B762-153570B52756}.exe

Filesize
344KB

MD5
bfb4e097d26d7cd6ea2e055c7468e20c

SHA1
a7946764847e12ee50e26a93d1511458763cfc53

SHA256
21c19800e95e1ee3dac3f2167c0689786fba8c92084fd0ee3439d6488a8583f6

SHA512
6e4d27bd33265b62950ec87b68326e131f493735b7169afdfdbd08ec9cc775b53f47d19b8a55aad804101f2cd8128aafafdafb65f14e4420112f60e590d6b30d

Download Submit
C:\Windows\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe

Filesize
344KB

MD5
dd56d77a28e2a0fe7c5edc3e24f1d5d9

SHA1
0097f4b2c64af440b5ecdafd79ab9031d970d479

SHA256
024e0f399847e6afae27b96562b3e66fbdfd275c65b22eb8a5f8e127f44a4e77

SHA512
fcd75c1850c854c2f1ae661ffd291950c7f752a8d53b0718fea8b1be854ddfee5f740ad78978566e8a30cdfd98aad35786eef6ba0ca5b0622cb73dc63ee4764b

Download Submit
C:\Windows\{359CF6B9-AAC9-4e0f-A657-4A05EDD7CA81}.exe

Filesize
344KB

MD5
dd56d77a28e2a0fe7c5edc3e24f1d5d9

SHA1
0097f4b2c64af440b5ecdafd79ab9031d970d479

SHA256
024e0f399847e6afae27b96562b3e66fbdfd275c65b22eb8a5f8e127f44a4e77

SHA512
fcd75c1850c854c2f1ae661ffd291950c7f752a8d53b0718fea8b1be854ddfee5f740ad78978566e8a30cdfd98aad35786eef6ba0ca5b0622cb73dc63ee4764b

Download Submit
C:\Windows\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe

Filesize
344KB

MD5
f0eccecc915fbd8606170eb6b436a8e2

SHA1
8ef1c46ae524ddc40a65d539cd83f4ef22799691

SHA256
1ce723d1240afae8f17e632c3b8db0d34ec4a17554514ebd910272f9d7834612

SHA512
1d09843e3accc500cd27b4adaa2d4b73defa37be4098e4e47100aa8179b8672d9a2c240f661b97559bbcc5276e49e66cfce1833fa8c572f9cf546335b9f44939

Download Submit
C:\Windows\{5DF6EBB5-0841-481f-A153-767D1DA9F287}.exe

Filesize
344KB

MD5
f0eccecc915fbd8606170eb6b436a8e2

SHA1
8ef1c46ae524ddc40a65d539cd83f4ef22799691

SHA256
1ce723d1240afae8f17e632c3b8db0d34ec4a17554514ebd910272f9d7834612

SHA512
1d09843e3accc500cd27b4adaa2d4b73defa37be4098e4e47100aa8179b8672d9a2c240f661b97559bbcc5276e49e66cfce1833fa8c572f9cf546335b9f44939

Download Submit
C:\Windows\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe

Filesize
344KB

MD5
d9ef81e1b53fe9d8d22c4eb04edbb64f

SHA1
ff10217c920077c6d92ac0ad1031250535a00690

SHA256
4c79d7586a9d4413b6b4c712a99b3603b71c5972848a886b6f162973e99351d4

SHA512
8f31c433228b571023435213d7345059a5ac2ca478a119a7de607fa98ced5b1fb1999b5c0b40a5a364d7d329ead01d7d3afd72f089bb2677c7a24d06b115f227

Download Submit
C:\Windows\{71634B82-CD2A-4f84-A91A-7AD49A46D8A5}.exe

Filesize
344KB

MD5
d9ef81e1b53fe9d8d22c4eb04edbb64f

SHA1
ff10217c920077c6d92ac0ad1031250535a00690

SHA256
4c79d7586a9d4413b6b4c712a99b3603b71c5972848a886b6f162973e99351d4

SHA512
8f31c433228b571023435213d7345059a5ac2ca478a119a7de607fa98ced5b1fb1999b5c0b40a5a364d7d329ead01d7d3afd72f089bb2677c7a24d06b115f227

Download Submit
C:\Windows\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe

Filesize
344KB

MD5
e6aa04945479625949af889079b6acb9

SHA1
3a8de1ccef832b641ef4d90822d83b73c0ea5f45

SHA256
8785092e951b560f4404d77623cad091b0b775cf1106e67fd495eecb91b22cca

SHA512
ae30b3032627ef6e57c6e50df593d62c617da2683cf6d07cd25efb464162e9c3d44bb827036ac3254c5a7d6ea2eff7bc104078f637f5c61f7035722f4e07dc6b

Download Submit
C:\Windows\{7C373AF7-03BB-4b0f-8422-492E3C45A3E7}.exe

Filesize
344KB

MD5
e6aa04945479625949af889079b6acb9

SHA1
3a8de1ccef832b641ef4d90822d83b73c0ea5f45

SHA256
8785092e951b560f4404d77623cad091b0b775cf1106e67fd495eecb91b22cca

SHA512
ae30b3032627ef6e57c6e50df593d62c617da2683cf6d07cd25efb464162e9c3d44bb827036ac3254c5a7d6ea2eff7bc104078f637f5c61f7035722f4e07dc6b

Download Submit
C:\Windows\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe

Filesize
344KB

MD5
6a7a296438d321b401a68e9cfd95718e

SHA1
568de133db59cd3bab030327a629347a843d42dd

SHA256
d61fbbbd009bdc2fe6f18d719480c95765adfe02f8a2bde49e74a3f7cecfbda7

SHA512
a1b91778648c5006dcde565c517150cbe88469a15c253516b374b045606950a1e7cfc3e13262716b53f147aae73f0d1085e7bfe60f6cd16a8af89654ba055c74

Download Submit
C:\Windows\{860FFF6C-D5CF-4401-9889-36CA27DEB55E}.exe

Filesize
344KB

MD5
6a7a296438d321b401a68e9cfd95718e

SHA1
568de133db59cd3bab030327a629347a843d42dd

SHA256
d61fbbbd009bdc2fe6f18d719480c95765adfe02f8a2bde49e74a3f7cecfbda7

SHA512
a1b91778648c5006dcde565c517150cbe88469a15c253516b374b045606950a1e7cfc3e13262716b53f147aae73f0d1085e7bfe60f6cd16a8af89654ba055c74

Download Submit
C:\Windows\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe

Filesize
344KB

MD5
b8339ef7756a75242e8bfdb9c220c777

SHA1
b0c9ee66d16396cd21b2a5d922a4d3689eb7afd9

SHA256
6c7230b425d61a2b5f954443c7c3fe929a39a9d93bdaba037560f0813682285a

SHA512
62248fd3319193ce812d55722a86e108225849473b9a211b158f254f616ab095af50a0e2c5921e5198ee9380db9f54ba500573a50d76f8208bb66974e9b7739e

Download Submit
C:\Windows\{B0C965D0-5FDA-474d-953F-D558C2D334E9}.exe

Filesize
344KB

MD5
b8339ef7756a75242e8bfdb9c220c777

SHA1
b0c9ee66d16396cd21b2a5d922a4d3689eb7afd9

SHA256
6c7230b425d61a2b5f954443c7c3fe929a39a9d93bdaba037560f0813682285a

SHA512
62248fd3319193ce812d55722a86e108225849473b9a211b158f254f616ab095af50a0e2c5921e5198ee9380db9f54ba500573a50d76f8208bb66974e9b7739e

Download Submit
C:\Windows\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe

Filesize
344KB

MD5
f7831091bc0da54253af75eb8f5a6fd9

SHA1
667e978dc3dd7ad436d18540772ccdad4781e801

SHA256
753980b6d3634ff773a19917ca99ab596e7b9ee4d9e6fabcf5685efb756b1032

SHA512
de9bf5d537af601c04fcfc1228681dac1f7f66e4611b96648020f9393cb69e642039a2830fcb9cdd68f2024e071a2beb882e25ea58d4379fda7bcb81568837a9

Download Submit
C:\Windows\{B280EB7B-9452-4a81-9A50-1551EA083827}.exe

Filesize
344KB

MD5
f7831091bc0da54253af75eb8f5a6fd9

SHA1
667e978dc3dd7ad436d18540772ccdad4781e801

SHA256
753980b6d3634ff773a19917ca99ab596e7b9ee4d9e6fabcf5685efb756b1032

SHA512
de9bf5d537af601c04fcfc1228681dac1f7f66e4611b96648020f9393cb69e642039a2830fcb9cdd68f2024e071a2beb882e25ea58d4379fda7bcb81568837a9

Download Submit
C:\Windows\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe

Filesize
344KB

MD5
aadfc1aeceabee872719b281cb13dabe

SHA1
f9e4600c39fdbe5e454ba33d6a0d84130c442637

SHA256
c304ddc1934531db8ec820917ad4bd2cc907b1b5ad14c3c02cd366b3d81b3ab6

SHA512
f9c5685eacc675348c56b577e6ff78c5005ad707814c4311d29a21b3dd76d42504517274eca82c883b852acbac93ee5182b2bf26315819de36e38eb5d880be0f

Download Submit
C:\Windows\{C9C1647C-E0D5-4034-BAA5-807D5AC97AF4}.exe

Filesize
344KB

MD5
aadfc1aeceabee872719b281cb13dabe

SHA1
f9e4600c39fdbe5e454ba33d6a0d84130c442637

SHA256
c304ddc1934531db8ec820917ad4bd2cc907b1b5ad14c3c02cd366b3d81b3ab6

SHA512
f9c5685eacc675348c56b577e6ff78c5005ad707814c4311d29a21b3dd76d42504517274eca82c883b852acbac93ee5182b2bf26315819de36e38eb5d880be0f

Download Submit
C:\Windows\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe

Filesize
344KB

MD5
e551279f13b8598bee218279cad376a4

SHA1
809b0a09fcf17cbacae9d3cd488b17fb4d9fa9aa

SHA256
7e0f37e584693dd183a0ab69353afd6ef9232f32e9b95d518a8f3d7a58a3c57a

SHA512
85e44934d9c4d51de0340e83b583752fe9523d72c8ed4a49d0278bb4238672687613cbb262c473efef334a4ddec859b5664b5b36f215a2616931faca3753ac8f

Download Submit
C:\Windows\{CEA58600-1581-44a9-9450-314A2406EF0E}.exe

Filesize
344KB

MD5
e551279f13b8598bee218279cad376a4

SHA1
809b0a09fcf17cbacae9d3cd488b17fb4d9fa9aa

SHA256
7e0f37e584693dd183a0ab69353afd6ef9232f32e9b95d518a8f3d7a58a3c57a

SHA512
85e44934d9c4d51de0340e83b583752fe9523d72c8ed4a49d0278bb4238672687613cbb262c473efef334a4ddec859b5664b5b36f215a2616931faca3753ac8f

Download Submit
C:\Windows\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe

Filesize
344KB

MD5
45fdbf019a685686e05605544ae897c7

SHA1
eb14cbbc0da9e67bc30900120915fa0c8e92e964

SHA256
a8f1e0471582e397b4ce19e2709810411f6829365c00bae110bb2106d5fb7496

SHA512
f9823ac03f713f06f24d00eee307482f53dc8801ef638c0b8562a5153c37dfc88d071c4f61efc15ca250bcac92dd2208db02181cf046a8a7d6bcfc8356770445

Download Submit
C:\Windows\{DB975EF8-A3D5-42ce-88F1-ACEB93EB9480}.exe

Filesize
344KB

MD5
45fdbf019a685686e05605544ae897c7

SHA1
eb14cbbc0da9e67bc30900120915fa0c8e92e964

SHA256
a8f1e0471582e397b4ce19e2709810411f6829365c00bae110bb2106d5fb7496

SHA512
f9823ac03f713f06f24d00eee307482f53dc8801ef638c0b8562a5153c37dfc88d071c4f61efc15ca250bcac92dd2208db02181cf046a8a7d6bcfc8356770445

Download Submit
C:\Windows\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe

Filesize
344KB

MD5
d7a05ae4c56bd5f4563ce57a1fda735b

SHA1
21310f19fd8d14caac80e47ed01bb4bc08429910

SHA256
73cac8ca7af715697218b38be65986aff2eb7fb04e041832af47cc3ee5b187bd

SHA512
c5d499b3e3257da71261dd700701505634153dc3db92d3428a455bb3acef081cf77d137fc9bbed06eb085ecc105a8ab26f812b2bcf1481d211f34bd0512d7804

Download Submit
C:\Windows\{DC61BA0F-7574-4711-BFDE-DCFE46DBF34D}.exe

Filesize
344KB

MD5
d7a05ae4c56bd5f4563ce57a1fda735b

SHA1
21310f19fd8d14caac80e47ed01bb4bc08429910

SHA256
73cac8ca7af715697218b38be65986aff2eb7fb04e041832af47cc3ee5b187bd

SHA512
c5d499b3e3257da71261dd700701505634153dc3db92d3428a455bb3acef081cf77d137fc9bbed06eb085ecc105a8ab26f812b2bcf1481d211f34bd0512d7804

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads