8d9a11308df2ff098273591def5f96f0a3b648b9c2368d6f99efd70849d6e646

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Size

408KB
MD5

01de9a1d02c2505c42189d3df8943358
SHA1

1d2452fd9641069e04623dc961a86bcb8f8701f3
SHA256

8d9a11308df2ff098273591def5f96f0a3b648b9c2368d6f99efd70849d6e646
SHA512

b22c3cbf219e90f507dd40812d9a72799a7a1251b56521640638691ef08eeee97efac83bcda8471d17b277b6f873ec87beb88eb5c608eaea8aa32463174bd110
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGSldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}\stubpath = "C:\\Windows\\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe"	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{152D15AE-1E28-41cb-B010-C431681B3B2A}\stubpath = "C:\\Windows\\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe"	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16EF4861-60A0-4b56-A593-15052FA8F498}	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}\stubpath = "C:\\Windows\\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe"	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}\stubpath = "C:\\Windows\\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe"	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}\stubpath = "C:\\Windows\\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe"	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}\stubpath = "C:\\Windows\\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe"	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}\stubpath = "C:\\Windows\\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe"	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B99DF140-4413-4bcf-BC51-78709A7E27EA}\stubpath = "C:\\Windows\\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe"	{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D0B4CD-9651-4193-9036-AC88895F9875}\stubpath = "C:\\Windows\\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe"	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}\stubpath = "C:\\Windows\\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe"	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}\stubpath = "C:\\Windows\\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe"	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16EF4861-60A0-4b56-A593-15052FA8F498}\stubpath = "C:\\Windows\\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe"	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D0B4CD-9651-4193-9036-AC88895F9875}	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{152D15AE-1E28-41cb-B010-C431681B3B2A}	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B99DF140-4413-4bcf-BC51-78709A7E27EA}	{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
2860	{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe
2908	{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
File created	C:\Windows\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
File created	C:\Windows\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
File created	C:\Windows\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
File created	C:\Windows\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe	{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe
File created	C:\Windows\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
File created	C:\Windows\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
File created	C:\Windows\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
File created	C:\Windows\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
File created	C:\Windows\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
File created	C:\Windows\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
File created	C:\Windows\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
Token: SeIncBasePriorityPrivilege	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
Token: SeIncBasePriorityPrivilege	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
Token: SeIncBasePriorityPrivilege	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
Token: SeIncBasePriorityPrivilege	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
Token: SeIncBasePriorityPrivilege	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
Token: SeIncBasePriorityPrivilege	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
Token: SeIncBasePriorityPrivilege	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
Token: SeIncBasePriorityPrivilege	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
Token: SeIncBasePriorityPrivilege	2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
Token: SeIncBasePriorityPrivilege	2860	{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3824	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	96
PID 3820 wrote to memory of 3824	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	96
PID 3820 wrote to memory of 3824	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	96
PID 3820 wrote to memory of 1056	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	97
PID 3820 wrote to memory of 1056	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	97
PID 3820 wrote to memory of 1056	3820	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	97
PID 3824 wrote to memory of 4984	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	98
PID 3824 wrote to memory of 4984	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	98
PID 3824 wrote to memory of 4984	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	98
PID 3824 wrote to memory of 1496	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	99
PID 3824 wrote to memory of 1496	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	99
PID 3824 wrote to memory of 1496	3824	{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe	99
PID 4984 wrote to memory of 1768	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	102
PID 4984 wrote to memory of 1768	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	102
PID 4984 wrote to memory of 1768	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	102
PID 4984 wrote to memory of 3192	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	103
PID 4984 wrote to memory of 3192	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	103
PID 4984 wrote to memory of 3192	4984	{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe	103
PID 1768 wrote to memory of 532	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	104
PID 1768 wrote to memory of 532	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	104
PID 1768 wrote to memory of 532	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	104
PID 1768 wrote to memory of 1400	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	105
PID 1768 wrote to memory of 1400	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	105
PID 1768 wrote to memory of 1400	1768	{16EF4861-60A0-4b56-A593-15052FA8F498}.exe	105
PID 532 wrote to memory of 3500	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	106
PID 532 wrote to memory of 3500	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	106
PID 532 wrote to memory of 3500	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	106
PID 532 wrote to memory of 2036	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	107
PID 532 wrote to memory of 2036	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	107
PID 532 wrote to memory of 2036	532	{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe	107
PID 3500 wrote to memory of 4516	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	113
PID 3500 wrote to memory of 4516	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	113
PID 3500 wrote to memory of 4516	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	113
PID 3500 wrote to memory of 1520	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	114
PID 3500 wrote to memory of 1520	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	114
PID 3500 wrote to memory of 1520	3500	{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe	114
PID 4516 wrote to memory of 1920	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	115
PID 4516 wrote to memory of 1920	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	115
PID 4516 wrote to memory of 1920	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	115
PID 4516 wrote to memory of 4028	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	116
PID 4516 wrote to memory of 4028	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	116
PID 4516 wrote to memory of 4028	4516	{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe	116
PID 1920 wrote to memory of 1496	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	119
PID 1920 wrote to memory of 1496	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	119
PID 1920 wrote to memory of 1496	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	119
PID 1920 wrote to memory of 3824	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	118
PID 1920 wrote to memory of 3824	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	118
PID 1920 wrote to memory of 3824	1920	{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe	118
PID 1496 wrote to memory of 1924	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	121
PID 1496 wrote to memory of 1924	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	121
PID 1496 wrote to memory of 1924	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	121
PID 1496 wrote to memory of 2164	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	122
PID 1496 wrote to memory of 2164	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	122
PID 1496 wrote to memory of 2164	1496	{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe	122
PID 1924 wrote to memory of 2808	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	123
PID 1924 wrote to memory of 2808	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	123
PID 1924 wrote to memory of 2808	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	123
PID 1924 wrote to memory of 4016	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	124
PID 1924 wrote to memory of 4016	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	124
PID 1924 wrote to memory of 4016	1924	{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe	124
PID 2808 wrote to memory of 2860	2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe	125
PID 2808 wrote to memory of 2860	2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe	125
PID 2808 wrote to memory of 2860	2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe	125
PID 2808 wrote to memory of 2116	2808	{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe	126

C:\Users\Admin\AppData\Local\Temp\2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
  C:\Windows\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
    C:\Windows\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
      C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
        
        C:\Windows\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
        
        C:\Windows\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
        
        C:\Windows\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
        
        C:\Windows\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C5F~1.EXE > nul
        9⤵
        
        PID:3824
        
        C:\Windows\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
        
        C:\Windows\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
        
        C:\Windows\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
        
        C:\Windows\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe
        
        C:\Windows\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe
        
        C:\Windows\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe
        13⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{152D1~1.EXE > nul
        13⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B31~1.EXE > nul
        12⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC3C~1.EXE > nul
        11⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D0B~1.EXE > nul
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4AB9~1.EXE > nul
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC896~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD4C2~1.EXE > nul
        6⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16EF4~1.EXE > nul
        5⤵
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A79A4~1.EXE > nul
      4⤵
      PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{43963~1.EXE > nul
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe

Filesize
408KB

MD5
b6d64a90141ca73711aa8f09ae6454a8

SHA1
328c6acfe2966e3296838fb36ec40c77d53cbc87

SHA256
d0ecfd12b13ccafa018016a9ee3fcca91a552c885e4a565e16586d949cc7c878

SHA512
2b0c47a3e96ab9ec9d2ea487d67322fb2f589c4a5e6b3f161218274900f5aeb6f27724ffe732c3791eef1a53791bc4612b6fd444f93fa5860eb93a2b3ea4dec4

Download Submit
C:\Windows\{04B31C39-AFAC-4402-A13C-03CEA51A3B59}.exe

Filesize
408KB

MD5
b6d64a90141ca73711aa8f09ae6454a8

SHA1
328c6acfe2966e3296838fb36ec40c77d53cbc87

SHA256
d0ecfd12b13ccafa018016a9ee3fcca91a552c885e4a565e16586d949cc7c878

SHA512
2b0c47a3e96ab9ec9d2ea487d67322fb2f589c4a5e6b3f161218274900f5aeb6f27724ffe732c3791eef1a53791bc4612b6fd444f93fa5860eb93a2b3ea4dec4

Download Submit
C:\Windows\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe

Filesize
408KB

MD5
cca7ff49122fe6c9ed2bc236afa71b5b

SHA1
7a1347f817caa91803c7ab93259dced3e51c8a76

SHA256
1b294af3117195edbb46842f3e1cc385c69388091d8b631eb3a81db0581c2e0d

SHA512
358ad02017498a19c4d3094025c4b424bc62c3e514224fd0feccbe6603b77b46c5e73eba2f9854458310528c2a5ea283adc69348ff79de8a20c2637ff32c1487

Download Submit
C:\Windows\{152D15AE-1E28-41cb-B010-C431681B3B2A}.exe

Filesize
408KB

MD5
cca7ff49122fe6c9ed2bc236afa71b5b

SHA1
7a1347f817caa91803c7ab93259dced3e51c8a76

SHA256
1b294af3117195edbb46842f3e1cc385c69388091d8b631eb3a81db0581c2e0d

SHA512
358ad02017498a19c4d3094025c4b424bc62c3e514224fd0feccbe6603b77b46c5e73eba2f9854458310528c2a5ea283adc69348ff79de8a20c2637ff32c1487

Download Submit
C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe

Filesize
408KB

MD5
99c3adf83bffdff5ef097f5e13b0ca53

SHA1
7b1dcb5e90bb694eb6e9455bf06fa03617936f1f

SHA256
8dda4b5f5753bc16ac58e347fcf8be7338b7bfeddddc71d54cfae8b5d6b8485a

SHA512
ddaceb2ba4ed2f1c3bfcfb8cb432a7a885af417e5b81a2462e5fd0359dc934167d1b2ac8c885a4e9d27423b42263e92486e16d66529a8e2a9b1dc07b574361b9

Download Submit
C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe

Filesize
408KB

MD5
99c3adf83bffdff5ef097f5e13b0ca53

SHA1
7b1dcb5e90bb694eb6e9455bf06fa03617936f1f

SHA256
8dda4b5f5753bc16ac58e347fcf8be7338b7bfeddddc71d54cfae8b5d6b8485a

SHA512
ddaceb2ba4ed2f1c3bfcfb8cb432a7a885af417e5b81a2462e5fd0359dc934167d1b2ac8c885a4e9d27423b42263e92486e16d66529a8e2a9b1dc07b574361b9

Download Submit
C:\Windows\{16EF4861-60A0-4b56-A593-15052FA8F498}.exe

Filesize
408KB

MD5
99c3adf83bffdff5ef097f5e13b0ca53

SHA1
7b1dcb5e90bb694eb6e9455bf06fa03617936f1f

SHA256
8dda4b5f5753bc16ac58e347fcf8be7338b7bfeddddc71d54cfae8b5d6b8485a

SHA512
ddaceb2ba4ed2f1c3bfcfb8cb432a7a885af417e5b81a2462e5fd0359dc934167d1b2ac8c885a4e9d27423b42263e92486e16d66529a8e2a9b1dc07b574361b9

Download Submit
C:\Windows\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe

Filesize
408KB

MD5
39fed02d0afb1775935dc9624dfc91e8

SHA1
841e704057a97265ee3bf0d519c367917579d430

SHA256
7096b273b4ea8b17a98f83911657eaacfce54c2fc70e24dd2f365359e34ca748

SHA512
8f95466058b6f2e293e3521514555bf30c1f0a74253e16da28f1f37211b29db417dbf89961cdd2f087c88fb0771c444b0639a774d0baec30a557d902cb892779

Download Submit
C:\Windows\{43963109-9AE2-43aa-AA4C-0E78F73CE9FF}.exe

Filesize
408KB

MD5
39fed02d0afb1775935dc9624dfc91e8

SHA1
841e704057a97265ee3bf0d519c367917579d430

SHA256
7096b273b4ea8b17a98f83911657eaacfce54c2fc70e24dd2f365359e34ca748

SHA512
8f95466058b6f2e293e3521514555bf30c1f0a74253e16da28f1f37211b29db417dbf89961cdd2f087c88fb0771c444b0639a774d0baec30a557d902cb892779

Download Submit
C:\Windows\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe

Filesize
408KB

MD5
ef8cdac7f46f49661a78eb2095260db9

SHA1
66bff31ec017d5b42e34e57434a4169639c2bfda

SHA256
ed689ed6369120715db8c2f492f2cb690d283c475ce3ac0c500b6bc27f809897

SHA512
c27b81b60e6c9d3473e77a9ff640c56f50ec5ab19ec897824ea89ad041ba5dcc5dba2f173199ed561f06bc16d15278af741ddbdb9f27d30035d9d8000c6322b2

Download Submit
C:\Windows\{A79A4454-F7EB-480c-BB17-3D9CAAE97A11}.exe

Filesize
408KB

MD5
ef8cdac7f46f49661a78eb2095260db9

SHA1
66bff31ec017d5b42e34e57434a4169639c2bfda

SHA256
ed689ed6369120715db8c2f492f2cb690d283c475ce3ac0c500b6bc27f809897

SHA512
c27b81b60e6c9d3473e77a9ff640c56f50ec5ab19ec897824ea89ad041ba5dcc5dba2f173199ed561f06bc16d15278af741ddbdb9f27d30035d9d8000c6322b2

Download Submit
C:\Windows\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe

Filesize
408KB

MD5
2abe9dbcde2feea1901ac62ff056bdc7

SHA1
bf8bf473e66e1bb1548f811aebba3690a55468be

SHA256
5f1b8ca6c92c07434c0082353567557139562555ba818a90cc08ed97110f7890

SHA512
49f8dae0b405f6f9b34309b52a101c877165e5e37d09373532fcbe8acbd74a830c6c4c6ede53d3dd163414b7bd67c184337c2edba87c7f17d797dd418486f283

Download Submit
C:\Windows\{B1C5F922-81D3-4c2f-8212-6A19B556C5D9}.exe

Filesize
408KB

MD5
2abe9dbcde2feea1901ac62ff056bdc7

SHA1
bf8bf473e66e1bb1548f811aebba3690a55468be

SHA256
5f1b8ca6c92c07434c0082353567557139562555ba818a90cc08ed97110f7890

SHA512
49f8dae0b405f6f9b34309b52a101c877165e5e37d09373532fcbe8acbd74a830c6c4c6ede53d3dd163414b7bd67c184337c2edba87c7f17d797dd418486f283

Download Submit
C:\Windows\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe

Filesize
408KB

MD5
e9b111e6249270d636c82ec71bc87540

SHA1
d90c9db2db6e47ff589b56ee7aad3f970f12f4ed

SHA256
3318b66b8ad9c085c35a04503b19115f10128c635caca1e81e7338db3db91576

SHA512
92f6d3d2bfe4c75bc4dc6acff27d75082cea3a02bf53873fc02423cea89d5ffd4a34205c2795743bbdbe41c328cb6e87ecc7f332f3c1355e1e6395bb302b3e6e

Download Submit
C:\Windows\{B99DF140-4413-4bcf-BC51-78709A7E27EA}.exe

Filesize
408KB

MD5
e9b111e6249270d636c82ec71bc87540

SHA1
d90c9db2db6e47ff589b56ee7aad3f970f12f4ed

SHA256
3318b66b8ad9c085c35a04503b19115f10128c635caca1e81e7338db3db91576

SHA512
92f6d3d2bfe4c75bc4dc6acff27d75082cea3a02bf53873fc02423cea89d5ffd4a34205c2795743bbdbe41c328cb6e87ecc7f332f3c1355e1e6395bb302b3e6e

Download Submit
C:\Windows\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe

Filesize
408KB

MD5
15be51ceaf72ed0c7910dec24f517efb

SHA1
b88b213148dbcdeadb7b42ef68160a406d010872

SHA256
898f9b40d9958db13b88f695d7715b066aea96801160b76e3558f0589efe47cb

SHA512
64ce4cee665f6e6f85f8b5b0e3d2032be123dd1170c851a160cf01f06863c7877d4823800a0a71285ce0488bafe8559f84ae3e77f7b0606d022444c17726977d

Download Submit
C:\Windows\{BC8961F9-7DB8-441b-A15D-016FDA7C958C}.exe

Filesize
408KB

MD5
15be51ceaf72ed0c7910dec24f517efb

SHA1
b88b213148dbcdeadb7b42ef68160a406d010872

SHA256
898f9b40d9958db13b88f695d7715b066aea96801160b76e3558f0589efe47cb

SHA512
64ce4cee665f6e6f85f8b5b0e3d2032be123dd1170c851a160cf01f06863c7877d4823800a0a71285ce0488bafe8559f84ae3e77f7b0606d022444c17726977d

Download Submit
C:\Windows\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe

Filesize
408KB

MD5
e6a2472bd0b3a33e28dd41edb58dfe48

SHA1
a5cbbf44d7a4e98e300ce21f9c8a5203c9456144

SHA256
04a82b4f85cc404b2ad9f9cc589412f9cc84aee52599a888da88c18364d296e9

SHA512
6d685510de3476a2e62fd943acd5b041b502b4a8fdafefdb8c61f0bab38d138d1af9094db953b3cf7fb06fccf2611bb41fe3f4964bf890880abaf65997ef2a51

Download Submit
C:\Windows\{DD4C2A04-E413-4d0a-8A2A-A6B610C0B2C8}.exe

Filesize
408KB

MD5
e6a2472bd0b3a33e28dd41edb58dfe48

SHA1
a5cbbf44d7a4e98e300ce21f9c8a5203c9456144

SHA256
04a82b4f85cc404b2ad9f9cc589412f9cc84aee52599a888da88c18364d296e9

SHA512
6d685510de3476a2e62fd943acd5b041b502b4a8fdafefdb8c61f0bab38d138d1af9094db953b3cf7fb06fccf2611bb41fe3f4964bf890880abaf65997ef2a51

Download Submit
C:\Windows\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe

Filesize
408KB

MD5
87494161dd44a070265929375e0976dc

SHA1
9957c4a1fcc1e33abab686ad4000394a287d0859

SHA256
36add648be2bb2105c58362401ba4f15d9633d47ef907c3d6feed77700cd64e1

SHA512
f9bc7bac5353cbb167a3ff39bffcbc5b2149db0df8a35732af7f51e0343fdc6daca34c6e631ec353618818b7696a8ed523516b920a1fc330277e7803390c3e9f

Download Submit
C:\Windows\{E4AB98A1-6BBA-4784-BA7A-C543414A0F69}.exe

Filesize
408KB

MD5
87494161dd44a070265929375e0976dc

SHA1
9957c4a1fcc1e33abab686ad4000394a287d0859

SHA256
36add648be2bb2105c58362401ba4f15d9633d47ef907c3d6feed77700cd64e1

SHA512
f9bc7bac5353cbb167a3ff39bffcbc5b2149db0df8a35732af7f51e0343fdc6daca34c6e631ec353618818b7696a8ed523516b920a1fc330277e7803390c3e9f

Download Submit
C:\Windows\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe

Filesize
408KB

MD5
e2daf3c2b4c07bedf4bff02e448c6d0a

SHA1
8f3c9fd5c45b45b44fd8cfea4c8a140a324fa572

SHA256
97fe2555d48bc6849382b1c43c20322c8e3fb6005b5d0c6d42d18a4d159b721a

SHA512
f42c000f2a7a4e179d3bd3e7bf37e5f1f170c3e55a094dc5eb367e46206aa0a63557f645855a90fa720b8987a4d26f1fa8246e02cdb453fe4d84c23238cb57f5

Download Submit
C:\Windows\{E9D0B4CD-9651-4193-9036-AC88895F9875}.exe

Filesize
408KB

MD5
e2daf3c2b4c07bedf4bff02e448c6d0a

SHA1
8f3c9fd5c45b45b44fd8cfea4c8a140a324fa572

SHA256
97fe2555d48bc6849382b1c43c20322c8e3fb6005b5d0c6d42d18a4d159b721a

SHA512
f42c000f2a7a4e179d3bd3e7bf37e5f1f170c3e55a094dc5eb367e46206aa0a63557f645855a90fa720b8987a4d26f1fa8246e02cdb453fe4d84c23238cb57f5

Download Submit
C:\Windows\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe

Filesize
408KB

MD5
b31b5e56c9b990f1ac5e726232f30ef1

SHA1
6c268f8b89fff04ea543458e0165d7d18231141f

SHA256
ef83df6050aeffbe54992e93b484f493e9ec2ee764f57a38e4d3a0b910359fa9

SHA512
089b8f83d6f07a58ad83e2cfe4a37c883e7d4f53701546546fb3f7e75dca5d0aef1de1dd4850715af012d7423fd4889050ad419d9b1a3ad2f04b2046ed453d0e

Download Submit
C:\Windows\{EBC3CACA-9518-4e1a-8A10-28CC60172C3F}.exe

Filesize
408KB

MD5
b31b5e56c9b990f1ac5e726232f30ef1

SHA1
6c268f8b89fff04ea543458e0165d7d18231141f

SHA256
ef83df6050aeffbe54992e93b484f493e9ec2ee764f57a38e4d3a0b910359fa9

SHA512
089b8f83d6f07a58ad83e2cfe4a37c883e7d4f53701546546fb3f7e75dca5d0aef1de1dd4850715af012d7423fd4889050ad419d9b1a3ad2f04b2046ed453d0e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads