e5120eed01212086e60e5c1ec8d5403d1c288b594b12577bb23055a4c099e2a8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 12:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
Size

372KB
MD5

2fb4ea8f8e1cc1256dbf08abee47fcd6
SHA1

2771c20a7d781c24ba3e85132f93a59f840b2561
SHA256

e5120eed01212086e60e5c1ec8d5403d1c288b594b12577bb23055a4c099e2a8
SHA512

9cf5aef689ced0a821c7998454a589235d0d2cd3fb88d770b6cd097cc185d23810e38c2c4cb850828c090a6fee5d807702a0865e5bde55f409ce729818c52104
SSDEEP

3072:CEGh0oslMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG2lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1B65F3-9958-4e07-AACD-26C64535DB54}	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}\stubpath = "C:\\Windows\\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe"	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}	{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}\stubpath = "C:\\Windows\\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe"	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{832977EE-CEB1-4337-947B-AD414A80EB37}	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08135603-6183-41bc-84F4-422B17E32A5B}	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}\stubpath = "C:\\Windows\\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe"	{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D930A7FA-0E44-4650-9411-E1D63774D953}\stubpath = "C:\\Windows\\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe"	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919B89DB-6D45-4788-AA60-4B357CC7097C}	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08135603-6183-41bc-84F4-422B17E32A5B}\stubpath = "C:\\Windows\\{08135603-6183-41bc-84F4-422B17E32A5B}.exe"	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}	{08135603-6183-41bc-84F4-422B17E32A5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D930A7FA-0E44-4650-9411-E1D63774D953}	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD6B475-4257-4bc0-8A43-29D515FE2534}	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919B89DB-6D45-4788-AA60-4B357CC7097C}\stubpath = "C:\\Windows\\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe"	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1B65F3-9958-4e07-AACD-26C64535DB54}\stubpath = "C:\\Windows\\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe"	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}\stubpath = "C:\\Windows\\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe"	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}\stubpath = "C:\\Windows\\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe"	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{832977EE-CEB1-4337-947B-AD414A80EB37}\stubpath = "C:\\Windows\\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe"	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD6B475-4257-4bc0-8A43-29D515FE2534}\stubpath = "C:\\Windows\\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe"	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}\stubpath = "C:\\Windows\\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe"	{08135603-6183-41bc-84F4-422B17E32A5B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe
1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
4756	{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
2992	{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{08135603-6183-41bc-84F4-422B17E32A5B}.exe	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
File created	C:\Windows\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe	{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
File created	C:\Windows\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
File created	C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
File created	C:\Windows\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
File created	C:\Windows\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
File created	C:\Windows\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
File created	C:\Windows\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
File created	C:\Windows\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
File created	C:\Windows\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	{08135603-6183-41bc-84F4-422B17E32A5B}.exe
File created	C:\Windows\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
File created	C:\Windows\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
Token: SeIncBasePriorityPrivilege	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
Token: SeIncBasePriorityPrivilege	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
Token: SeIncBasePriorityPrivilege	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
Token: SeIncBasePriorityPrivilege	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
Token: SeIncBasePriorityPrivilege	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
Token: SeIncBasePriorityPrivilege	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
Token: SeIncBasePriorityPrivilege	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe
Token: SeIncBasePriorityPrivilege	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
Token: SeIncBasePriorityPrivilege	3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
Token: SeIncBasePriorityPrivilege	4756	{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4584	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	94
PID 5052 wrote to memory of 4584	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	94
PID 5052 wrote to memory of 4584	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	94
PID 5052 wrote to memory of 4864	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	95
PID 5052 wrote to memory of 4864	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	95
PID 5052 wrote to memory of 4864	5052	2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe	95
PID 4584 wrote to memory of 2260	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	100
PID 4584 wrote to memory of 2260	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	100
PID 4584 wrote to memory of 2260	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	100
PID 4584 wrote to memory of 2612	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	101
PID 4584 wrote to memory of 2612	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	101
PID 4584 wrote to memory of 2612	4584	{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe	101
PID 2260 wrote to memory of 4948	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	103
PID 2260 wrote to memory of 4948	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	103
PID 2260 wrote to memory of 4948	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	103
PID 2260 wrote to memory of 1536	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	104
PID 2260 wrote to memory of 1536	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	104
PID 2260 wrote to memory of 1536	2260	{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe	104
PID 4948 wrote to memory of 2308	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	105
PID 4948 wrote to memory of 2308	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	105
PID 4948 wrote to memory of 2308	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	105
PID 4948 wrote to memory of 4120	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	106
PID 4948 wrote to memory of 4120	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	106
PID 4948 wrote to memory of 4120	4948	{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe	106
PID 2308 wrote to memory of 4480	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	107
PID 2308 wrote to memory of 4480	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	107
PID 2308 wrote to memory of 4480	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	107
PID 2308 wrote to memory of 1760	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	108
PID 2308 wrote to memory of 1760	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	108
PID 2308 wrote to memory of 1760	2308	{832977EE-CEB1-4337-947B-AD414A80EB37}.exe	108
PID 4480 wrote to memory of 4352	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	109
PID 4480 wrote to memory of 4352	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	109
PID 4480 wrote to memory of 4352	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	109
PID 4480 wrote to memory of 2632	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	110
PID 4480 wrote to memory of 2632	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	110
PID 4480 wrote to memory of 2632	4480	{D930A7FA-0E44-4650-9411-E1D63774D953}.exe	110
PID 4352 wrote to memory of 1284	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	111
PID 4352 wrote to memory of 1284	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	111
PID 4352 wrote to memory of 1284	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	111
PID 4352 wrote to memory of 832	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	112
PID 4352 wrote to memory of 832	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	112
PID 4352 wrote to memory of 832	4352	{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe	112
PID 1284 wrote to memory of 456	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	113
PID 1284 wrote to memory of 456	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	113
PID 1284 wrote to memory of 456	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	113
PID 1284 wrote to memory of 3728	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	114
PID 1284 wrote to memory of 3728	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	114
PID 1284 wrote to memory of 3728	1284	{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe	114
PID 456 wrote to memory of 1740	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	115
PID 456 wrote to memory of 1740	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	115
PID 456 wrote to memory of 1740	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	115
PID 456 wrote to memory of 4472	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	116
PID 456 wrote to memory of 4472	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	116
PID 456 wrote to memory of 4472	456	{08135603-6183-41bc-84F4-422B17E32A5B}.exe	116
PID 1740 wrote to memory of 3068	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	117
PID 1740 wrote to memory of 3068	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	117
PID 1740 wrote to memory of 3068	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	117
PID 1740 wrote to memory of 2488	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	118
PID 1740 wrote to memory of 2488	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	118
PID 1740 wrote to memory of 2488	1740	{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe	118
PID 3068 wrote to memory of 4756	3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe	119
PID 3068 wrote to memory of 4756	3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe	119
PID 3068 wrote to memory of 4756	3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe	119
PID 3068 wrote to memory of 2292	3068	{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe	120

C:\Users\Admin\AppData\Local\Temp\2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_2fb4ea8f8e1cc1256dbf08abee47fcd6_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
  C:\Windows\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
    C:\Windows\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
      C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
        
        C:\Windows\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
        
        C:\Windows\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
        
        C:\Windows\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
        
        C:\Windows\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\{08135603-6183-41bc-84F4-422B17E32A5B}.exe
        
        C:\Windows\{08135603-6183-41bc-84F4-422B17E32A5B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
        
        C:\Windows\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
        
        C:\Windows\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
        
        C:\Windows\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe
        
        C:\Windows\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe
        13⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B428~1.EXE > nul
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA1B6~1.EXE > nul
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{114B4~1.EXE > nul
        11⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08135~1.EXE > nul
        10⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{919B8~1.EXE > nul
        9⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD6B~1.EXE > nul
        8⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D930A~1.EXE > nul
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83297~1.EXE > nul
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45F2B~1.EXE > nul
        5⤵
        
        PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6461D~1.EXE > nul
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E335F~1.EXE > nul
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08135603-6183-41bc-84F4-422B17E32A5B}.exe

Filesize
372KB

MD5
5d0d8f5ddd6428c13bad2cffbb1551c8

SHA1
c567b1ebd5077dfd4c638e4de81bab01ae05cb60

SHA256
cef6e7e4179d98dc7dad685d0ce7640971eefb1d5ff6b993a70b241339099df7

SHA512
50ef266342684b0a48cd61ab79e4006afe2c3670ef3c37be9940c54106432cbbcb598b5f004055601f6091c437bd28c882db3c6b29c16be8822bcf5f741cc5c4

Download Submit
C:\Windows\{08135603-6183-41bc-84F4-422B17E32A5B}.exe

Filesize
372KB

MD5
5d0d8f5ddd6428c13bad2cffbb1551c8

SHA1
c567b1ebd5077dfd4c638e4de81bab01ae05cb60

SHA256
cef6e7e4179d98dc7dad685d0ce7640971eefb1d5ff6b993a70b241339099df7

SHA512
50ef266342684b0a48cd61ab79e4006afe2c3670ef3c37be9940c54106432cbbcb598b5f004055601f6091c437bd28c882db3c6b29c16be8822bcf5f741cc5c4

Download Submit
C:\Windows\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe

Filesize
372KB

MD5
2aa1b4e5acc353e449d13da5dcd0a301

SHA1
fe0cd165ad02d56b105910e95524ac0a98a00724

SHA256
529faebde7d71d2c6fdefd0916b88742a623bf07831f8a1f221cbf3f5081ba41

SHA512
7ca951f2fb35880c8f86ed2eadf7a5b7250b8e22095b8858e199e36a1cd5456365ab5af96babbb1487e35e58107d5b5417057113f4ba7f96ec9db49a9d53744e

Download Submit
C:\Windows\{114B447D-2CF4-4a1f-B0FF-992859D9D9E5}.exe

Filesize
372KB

MD5
2aa1b4e5acc353e449d13da5dcd0a301

SHA1
fe0cd165ad02d56b105910e95524ac0a98a00724

SHA256
529faebde7d71d2c6fdefd0916b88742a623bf07831f8a1f221cbf3f5081ba41

SHA512
7ca951f2fb35880c8f86ed2eadf7a5b7250b8e22095b8858e199e36a1cd5456365ab5af96babbb1487e35e58107d5b5417057113f4ba7f96ec9db49a9d53744e

Download Submit
C:\Windows\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe

Filesize
372KB

MD5
d713fa8d03d79d1dea43769eeeaf39f2

SHA1
94f041e2af4137760052b41106a038da65f04456

SHA256
60504a27b36b59c4ae01cc603609fd066b2a42b4628d5a971a99262f3454378d

SHA512
39105c37c430fdb98d81afa48467bf7dc0e3a246da1d18eabe734c2bd231a8063ff7198f935e56f31a8c090978260e76d8f33f593fcb8380ab7fddfaaaf716e3

Download Submit
C:\Windows\{2B428158-4C9C-450d-9F5B-F7048EB2AD27}.exe

Filesize
372KB

MD5
d713fa8d03d79d1dea43769eeeaf39f2

SHA1
94f041e2af4137760052b41106a038da65f04456

SHA256
60504a27b36b59c4ae01cc603609fd066b2a42b4628d5a971a99262f3454378d

SHA512
39105c37c430fdb98d81afa48467bf7dc0e3a246da1d18eabe734c2bd231a8063ff7198f935e56f31a8c090978260e76d8f33f593fcb8380ab7fddfaaaf716e3

Download Submit
C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe

Filesize
372KB

MD5
1f5fb87f671c6a96c33a884ae070a9b5

SHA1
10243d66926d4b46ecbb425a9d03c477d03f9c25

SHA256
a1239f8e83bb222864f0dc3cc5ee26fc68ed9cc1bcc39ba315aeee5ff47d2880

SHA512
b9e29e72abd5f4aee8ad411bb2b25a4b77cbbc89d0f2ec9784b17ad03cfef8809e42050f9faff0142ab84cd1d0417ca4d3028e0bdde84e24bfbc4a648e8a5e8f

Download Submit
C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe

Filesize
372KB

MD5
1f5fb87f671c6a96c33a884ae070a9b5

SHA1
10243d66926d4b46ecbb425a9d03c477d03f9c25

SHA256
a1239f8e83bb222864f0dc3cc5ee26fc68ed9cc1bcc39ba315aeee5ff47d2880

SHA512
b9e29e72abd5f4aee8ad411bb2b25a4b77cbbc89d0f2ec9784b17ad03cfef8809e42050f9faff0142ab84cd1d0417ca4d3028e0bdde84e24bfbc4a648e8a5e8f

Download Submit
C:\Windows\{45F2BEC5-01E4-48f1-A284-761F1F990FEA}.exe

Filesize
372KB

MD5
1f5fb87f671c6a96c33a884ae070a9b5

SHA1
10243d66926d4b46ecbb425a9d03c477d03f9c25

SHA256
a1239f8e83bb222864f0dc3cc5ee26fc68ed9cc1bcc39ba315aeee5ff47d2880

SHA512
b9e29e72abd5f4aee8ad411bb2b25a4b77cbbc89d0f2ec9784b17ad03cfef8809e42050f9faff0142ab84cd1d0417ca4d3028e0bdde84e24bfbc4a648e8a5e8f

Download Submit
C:\Windows\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe

Filesize
372KB

MD5
f9bea33c221183f645f3fac10a2fa3cd

SHA1
927927edaaf5e1c676de28970de255593d7f8382

SHA256
7c30b36dcb2760b5070ee4a28794eb3c34b5f874385c815d07100651e33c4126

SHA512
dc337ef0f2fbdc4675116470d3417939b0b0d727fe0f43bdbdd8393a4c1d95ffee25d73bc764c3abe6b8a65f3c2332587ddb2f5c2f0aadfbfa5c1aa174aec763

Download Submit
C:\Windows\{4DD6B475-4257-4bc0-8A43-29D515FE2534}.exe

Filesize
372KB

MD5
f9bea33c221183f645f3fac10a2fa3cd

SHA1
927927edaaf5e1c676de28970de255593d7f8382

SHA256
7c30b36dcb2760b5070ee4a28794eb3c34b5f874385c815d07100651e33c4126

SHA512
dc337ef0f2fbdc4675116470d3417939b0b0d727fe0f43bdbdd8393a4c1d95ffee25d73bc764c3abe6b8a65f3c2332587ddb2f5c2f0aadfbfa5c1aa174aec763

Download Submit
C:\Windows\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe

Filesize
372KB

MD5
b21553ce7629d8e56d181b653633d020

SHA1
fb21e97f69b00f7837cafa068c7769b5595d2f18

SHA256
9d5f0fadccc5066f2e4b1b2e5490913cfdace3b06e3b60ba20cfb3793b63af2a

SHA512
51fdf104d60f9cbfc4b91eb1c81e6c877a30372d45cb325e9bf9ac7d6f40ffaf86cd979ffbabc6b1c46f02aef9851e98a66c5f776a70e936a15eb15af42fb394

Download Submit
C:\Windows\{6461DA3F-76D7-45c5-9DC6-422B21D68B63}.exe

Filesize
372KB

MD5
b21553ce7629d8e56d181b653633d020

SHA1
fb21e97f69b00f7837cafa068c7769b5595d2f18

SHA256
9d5f0fadccc5066f2e4b1b2e5490913cfdace3b06e3b60ba20cfb3793b63af2a

SHA512
51fdf104d60f9cbfc4b91eb1c81e6c877a30372d45cb325e9bf9ac7d6f40ffaf86cd979ffbabc6b1c46f02aef9851e98a66c5f776a70e936a15eb15af42fb394

Download Submit
C:\Windows\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe

Filesize
372KB

MD5
115c87681bb5250bd7ee99750e649465

SHA1
3bf0ec267d64fa6e45cc5f43a69093c9b5babe45

SHA256
d46e9c3c62c32f297bf4d73b55146986a35f0dee4b301910de26f31abc8e63e6

SHA512
7fb7cb34375eff10e877d762f770d90a2fdff78df95dacafcf859c2a117cc236811687c2edbfd476bf855257df5630a232641326d317151fc7606dadb78b6f31

Download Submit
C:\Windows\{79EA6A3D-961B-48a1-9D13-AAD625A39B70}.exe

Filesize
372KB

MD5
115c87681bb5250bd7ee99750e649465

SHA1
3bf0ec267d64fa6e45cc5f43a69093c9b5babe45

SHA256
d46e9c3c62c32f297bf4d73b55146986a35f0dee4b301910de26f31abc8e63e6

SHA512
7fb7cb34375eff10e877d762f770d90a2fdff78df95dacafcf859c2a117cc236811687c2edbfd476bf855257df5630a232641326d317151fc7606dadb78b6f31

Download Submit
C:\Windows\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe

Filesize
372KB

MD5
72b564e424c15759ded41d40188baff9

SHA1
00c24349fcf7dea007774b24b892d7ef5e15ae70

SHA256
166ae3b749ef955a7f3285eea4f6da1430b0d249534a743144c405091cf4afee

SHA512
55bab0df16d1f6fd6c323fa7b03f3c48829111542998e45a8ca60a4b31b7e79a3501f120d31472a5d8954583f55e099a4a269cf160f0a04e5063cdff482a04b3

Download Submit
C:\Windows\{832977EE-CEB1-4337-947B-AD414A80EB37}.exe

Filesize
372KB

MD5
72b564e424c15759ded41d40188baff9

SHA1
00c24349fcf7dea007774b24b892d7ef5e15ae70

SHA256
166ae3b749ef955a7f3285eea4f6da1430b0d249534a743144c405091cf4afee

SHA512
55bab0df16d1f6fd6c323fa7b03f3c48829111542998e45a8ca60a4b31b7e79a3501f120d31472a5d8954583f55e099a4a269cf160f0a04e5063cdff482a04b3

Download Submit
C:\Windows\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe

Filesize
372KB

MD5
b44ddee9b890bafcbf94899617b42c50

SHA1
40063c8195e500c709e79a4b35fd06be6fc91698

SHA256
dbbe0cb5c5b22516026b22628bc6f22b932c31adbb8ddd26bed5ba301731d8a3

SHA512
4ce6d041b341988e88f07189b684482dc02213dbcf9bb854d54c7e28735d429bdfc6cb0f6944ec65dd3bebec01b27ff41b4ed957de62cb6c7a53026b9982e9bf

Download Submit
C:\Windows\{919B89DB-6D45-4788-AA60-4B357CC7097C}.exe

Filesize
372KB

MD5
b44ddee9b890bafcbf94899617b42c50

SHA1
40063c8195e500c709e79a4b35fd06be6fc91698

SHA256
dbbe0cb5c5b22516026b22628bc6f22b932c31adbb8ddd26bed5ba301731d8a3

SHA512
4ce6d041b341988e88f07189b684482dc02213dbcf9bb854d54c7e28735d429bdfc6cb0f6944ec65dd3bebec01b27ff41b4ed957de62cb6c7a53026b9982e9bf

Download Submit
C:\Windows\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe

Filesize
372KB

MD5
19917d3a5de9f576a553ba5816f7e764

SHA1
6222a489ccf1a00b9eb7e21844adc32b058c88ae

SHA256
ab63d51113f4b94b7983e5901e629332ac58ef9faba9accf8c6aa83c90b81a57

SHA512
5413ef1de86849cb037193b0d65a8b20a3750746e7cb884475a60b4277f48bf111bf95878a82c2dce79d0b8d52cda792c1c36d9799045028e80b5ce3184479c8

Download Submit
C:\Windows\{CA1B65F3-9958-4e07-AACD-26C64535DB54}.exe

Filesize
372KB

MD5
19917d3a5de9f576a553ba5816f7e764

SHA1
6222a489ccf1a00b9eb7e21844adc32b058c88ae

SHA256
ab63d51113f4b94b7983e5901e629332ac58ef9faba9accf8c6aa83c90b81a57

SHA512
5413ef1de86849cb037193b0d65a8b20a3750746e7cb884475a60b4277f48bf111bf95878a82c2dce79d0b8d52cda792c1c36d9799045028e80b5ce3184479c8

Download Submit
C:\Windows\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe

Filesize
372KB

MD5
3ad0092de8f09a0fe5b1648b5be93bc4

SHA1
aa77b14a8938bc8df232720e9a0f3153bd7efe20

SHA256
e480660266d5692732778fffd8304248bc451faee676921dd98ee56ca57126ac

SHA512
1907ea8f6195bad56fdef94fc27de4da36df74a52d01aff38f2ad313d83d872886225e248993817201fa088aaef5122493ce7f765ccef9721cf22bfb1f0f7ba2

Download Submit
C:\Windows\{D930A7FA-0E44-4650-9411-E1D63774D953}.exe

Filesize
372KB

MD5
3ad0092de8f09a0fe5b1648b5be93bc4

SHA1
aa77b14a8938bc8df232720e9a0f3153bd7efe20

SHA256
e480660266d5692732778fffd8304248bc451faee676921dd98ee56ca57126ac

SHA512
1907ea8f6195bad56fdef94fc27de4da36df74a52d01aff38f2ad313d83d872886225e248993817201fa088aaef5122493ce7f765ccef9721cf22bfb1f0f7ba2

Download Submit
C:\Windows\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe

Filesize
372KB

MD5
d9d8c76e18d8966f951dfaa28ff8815f

SHA1
6c047d4bc21418150264bfe59ade051313c8095b

SHA256
e2140186b1fc464fac3ac42297eb6d43c363f4dedeb974c0d53fe1cf5cdfdf64

SHA512
de834b186795fe1d26e987b3dc4b1469d45927b5c1194fcda2de75a0291c7576d061bbf5915c1503a77eab20ac551c74f8ea58239e7c50a36e929bfeb6e6045c

Download Submit
C:\Windows\{E335FCBC-634F-41ef-A6D4-EF263706EAC6}.exe

Filesize
372KB

MD5
d9d8c76e18d8966f951dfaa28ff8815f

SHA1
6c047d4bc21418150264bfe59ade051313c8095b

SHA256
e2140186b1fc464fac3ac42297eb6d43c363f4dedeb974c0d53fe1cf5cdfdf64

SHA512
de834b186795fe1d26e987b3dc4b1469d45927b5c1194fcda2de75a0291c7576d061bbf5915c1503a77eab20ac551c74f8ea58239e7c50a36e929bfeb6e6045c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads