cdb93bbfcdbbcb77ece19bae42a7af9ad532dc33cc59b0a7466bbba1430e26e7

Analysis

max time kernel
144s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 17:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Size

408KB
MD5

3ee20f55e75bccf290bd1b81fdb78598
SHA1

a04085d08f771523573c711fb83aa70d8e59d8f6
SHA256

cdb93bbfcdbbcb77ece19bae42a7af9ad532dc33cc59b0a7466bbba1430e26e7
SHA512

3bc4b5dafa6c1adbab976d67a1ea636c3cbea615877c8b56122721584eaceb5114321cf747b0dec7ee822757576ad9fa7e73682ad7a14d542e58e06757e0f097
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGhldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}\stubpath = "C:\\Windows\\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe"	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}\stubpath = "C:\\Windows\\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe"	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}\stubpath = "C:\\Windows\\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe"	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}\stubpath = "C:\\Windows\\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe"	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}\stubpath = "C:\\Windows\\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe"	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}\stubpath = "C:\\Windows\\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe"	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667904A5-37E8-4bfa-AA3A-ABB15268C306}\stubpath = "C:\\Windows\\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe"	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}\stubpath = "C:\\Windows\\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe"	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}\stubpath = "C:\\Windows\\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe"	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD3CB119-0899-4fa6-A869-11D12E32587D}	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}\stubpath = "C:\\Windows\\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe"	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667904A5-37E8-4bfa-AA3A-ABB15268C306}	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD3CB119-0899-4fa6-A869-11D12E32587D}\stubpath = "C:\\Windows\\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe"	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe

Executes dropped EXE 11 IoCs

pid	Process
1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
3000	{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
File created	C:\Windows\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
File created	C:\Windows\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
File created	C:\Windows\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
File created	C:\Windows\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
File created	C:\Windows\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
File created	C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
File created	C:\Windows\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
File created	C:\Windows\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
File created	C:\Windows\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
File created	C:\Windows\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
Token: SeIncBasePriorityPrivilege	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
Token: SeIncBasePriorityPrivilege	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
Token: SeIncBasePriorityPrivilege	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
Token: SeIncBasePriorityPrivilege	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
Token: SeIncBasePriorityPrivilege	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
Token: SeIncBasePriorityPrivilege	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
Token: SeIncBasePriorityPrivilege	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
Token: SeIncBasePriorityPrivilege	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
Token: SeIncBasePriorityPrivilege	3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1808	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	99
PID 1148 wrote to memory of 1808	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	99
PID 1148 wrote to memory of 1808	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	99
PID 1148 wrote to memory of 4012	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	100
PID 1148 wrote to memory of 4012	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	100
PID 1148 wrote to memory of 4012	1148	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	100
PID 1808 wrote to memory of 3688	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	101
PID 1808 wrote to memory of 3688	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	101
PID 1808 wrote to memory of 3688	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	101
PID 1808 wrote to memory of 3136	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	102
PID 1808 wrote to memory of 3136	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	102
PID 1808 wrote to memory of 3136	1808	{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe	102
PID 3688 wrote to memory of 3444	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	105
PID 3688 wrote to memory of 3444	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	105
PID 3688 wrote to memory of 3444	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	105
PID 3688 wrote to memory of 2196	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	104
PID 3688 wrote to memory of 2196	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	104
PID 3688 wrote to memory of 2196	3688	{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe	104
PID 3444 wrote to memory of 1120	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	106
PID 3444 wrote to memory of 1120	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	106
PID 3444 wrote to memory of 1120	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	106
PID 3444 wrote to memory of 4348	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	107
PID 3444 wrote to memory of 4348	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	107
PID 3444 wrote to memory of 4348	3444	{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe	107
PID 1120 wrote to memory of 4104	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	108
PID 1120 wrote to memory of 4104	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	108
PID 1120 wrote to memory of 4104	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	108
PID 1120 wrote to memory of 4796	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	109
PID 1120 wrote to memory of 4796	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	109
PID 1120 wrote to memory of 4796	1120	{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe	109
PID 4104 wrote to memory of 2968	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	110
PID 4104 wrote to memory of 2968	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	110
PID 4104 wrote to memory of 2968	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	110
PID 4104 wrote to memory of 1228	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	111
PID 4104 wrote to memory of 1228	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	111
PID 4104 wrote to memory of 1228	4104	{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe	111
PID 2968 wrote to memory of 1468	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	112
PID 2968 wrote to memory of 1468	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	112
PID 2968 wrote to memory of 1468	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	112
PID 2968 wrote to memory of 3704	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	113
PID 2968 wrote to memory of 3704	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	113
PID 2968 wrote to memory of 3704	2968	{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe	113
PID 1468 wrote to memory of 4544	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	114
PID 1468 wrote to memory of 4544	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	114
PID 1468 wrote to memory of 4544	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	114
PID 1468 wrote to memory of 4176	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	115
PID 1468 wrote to memory of 4176	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	115
PID 1468 wrote to memory of 4176	1468	{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe	115
PID 4544 wrote to memory of 1248	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	116
PID 4544 wrote to memory of 1248	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	116
PID 4544 wrote to memory of 1248	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	116
PID 4544 wrote to memory of 1916	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	117
PID 4544 wrote to memory of 1916	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	117
PID 4544 wrote to memory of 1916	4544	{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe	117
PID 1248 wrote to memory of 3172	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	119
PID 1248 wrote to memory of 3172	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	119
PID 1248 wrote to memory of 3172	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	119
PID 1248 wrote to memory of 5072	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	118
PID 1248 wrote to memory of 5072	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	118
PID 1248 wrote to memory of 5072	1248	{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe	118
PID 3172 wrote to memory of 3000	3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe	121
PID 3172 wrote to memory of 3000	3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe	121
PID 3172 wrote to memory of 3000	3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe	121
PID 3172 wrote to memory of 784	3172	{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe	120

C:\Users\Admin\AppData\Local\Temp\2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
  C:\Windows\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
    C:\Windows\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC55E~1.EXE > nul
      4⤵
      PID:2196
  - - C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
      C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
        
        C:\Windows\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
        
        C:\Windows\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
        
        C:\Windows\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
        
        C:\Windows\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
        
        C:\Windows\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
        
        C:\Windows\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66790~1.EXE > nul
        11⤵
        
        PID:5072
        
        C:\Windows\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
        
        C:\Windows\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E638A~1.EXE > nul
        12⤵
        
        PID:784
        
        C:\Windows\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe
        
        C:\Windows\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe
        12⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E2C~1.EXE > nul
        10⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A01D5~1.EXE > nul
        9⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C88A8~1.EXE > nul
        8⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E44AA~1.EXE > nul
        7⤵
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14776~1.EXE > nul
        6⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0281~1.EXE > nul
        5⤵
        
        PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD3CB~1.EXE > nul
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe

Filesize
408KB

MD5
ef5d0d446322272d38787b496bb6a2e4

SHA1
2472ca1602fd066df1dff57d70a45406be318001

SHA256
79e15481383f409ace6e2d925bc7e0474b04f435a6916000c0d24359a08936eb

SHA512
076459616558d5ecb7888e75063a5fcb2d6b7d821d4e9350b791d16685ad7b6f90391e7fe9982b661085fb864a81a60414c11fbef24760077d2122fba748a223

Download Submit
C:\Windows\{147763F5-CE2B-4ec1-8D70-106E56B4DD5C}.exe

Filesize
408KB

MD5
ef5d0d446322272d38787b496bb6a2e4

SHA1
2472ca1602fd066df1dff57d70a45406be318001

SHA256
79e15481383f409ace6e2d925bc7e0474b04f435a6916000c0d24359a08936eb

SHA512
076459616558d5ecb7888e75063a5fcb2d6b7d821d4e9350b791d16685ad7b6f90391e7fe9982b661085fb864a81a60414c11fbef24760077d2122fba748a223

Download Submit
C:\Windows\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe

Filesize
408KB

MD5
6549c4825db07b395e745392d8c4a94a

SHA1
81efad238c8838f826eb050e2f27ad945a1fd147

SHA256
8b8023be42bdc9f5f897a95c26dc16e79a1e6da3284c727adb86c5957a3a67f1

SHA512
a1bde55ad898c5c23bd048d31453f5f427a22b71fb9038d0fa3d95fce04517b32eee4e467ff68e1d6448990a7391fefe6fab4b4a12ac90034c54ff081ccb0395

Download Submit
C:\Windows\{667904A5-37E8-4bfa-AA3A-ABB15268C306}.exe

Filesize
408KB

MD5
6549c4825db07b395e745392d8c4a94a

SHA1
81efad238c8838f826eb050e2f27ad945a1fd147

SHA256
8b8023be42bdc9f5f897a95c26dc16e79a1e6da3284c727adb86c5957a3a67f1

SHA512
a1bde55ad898c5c23bd048d31453f5f427a22b71fb9038d0fa3d95fce04517b32eee4e467ff68e1d6448990a7391fefe6fab4b4a12ac90034c54ff081ccb0395

Download Submit
C:\Windows\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe

Filesize
408KB

MD5
fd32d92328e7600488958a27e495614e

SHA1
42bc18473b3cb2598c935343a587caadcfaab4d3

SHA256
0580cd1e50431bd8d1c499a002017abfa41cd2a446c230ed63ca4813d8ade3cc

SHA512
bbb518cdb44e46d58ab8619d6d4482c64dc6aa8cd33df6164393ee6c0fa5219b080064a86eccde21de932286cef14d922d554263dc13557ec90803105d678a96

Download Submit
C:\Windows\{7C9D5E2B-9FAA-46b0-9733-7D0466040AE7}.exe

Filesize
408KB

MD5
fd32d92328e7600488958a27e495614e

SHA1
42bc18473b3cb2598c935343a587caadcfaab4d3

SHA256
0580cd1e50431bd8d1c499a002017abfa41cd2a446c230ed63ca4813d8ade3cc

SHA512
bbb518cdb44e46d58ab8619d6d4482c64dc6aa8cd33df6164393ee6c0fa5219b080064a86eccde21de932286cef14d922d554263dc13557ec90803105d678a96

Download Submit
C:\Windows\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe

Filesize
408KB

MD5
68334fb7ade88e22324370560ec06c59

SHA1
34fdbc95c49f75e952c50519920a756b49f0350d

SHA256
557ee5c7676f6fdb65803cab6f0cf151fd6a5fca85d1ddd83e691a1aee0bf2af

SHA512
f2285e965d58376fe4e59597464c950836b8be4fd0523d83f2e2345201fc4ed359cf675a0f60b86a994e70a8e0b3c116e25c4ad74e69e61731af0265ef38d0bf

Download Submit
C:\Windows\{A01D5CF4-9A8A-462b-868C-13FDA6BD4FBB}.exe

Filesize
408KB

MD5
68334fb7ade88e22324370560ec06c59

SHA1
34fdbc95c49f75e952c50519920a756b49f0350d

SHA256
557ee5c7676f6fdb65803cab6f0cf151fd6a5fca85d1ddd83e691a1aee0bf2af

SHA512
f2285e965d58376fe4e59597464c950836b8be4fd0523d83f2e2345201fc4ed359cf675a0f60b86a994e70a8e0b3c116e25c4ad74e69e61731af0265ef38d0bf

Download Submit
C:\Windows\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe

Filesize
408KB

MD5
e8f1b326c9faae60b724d495f38db077

SHA1
b83408de3714052667231f0d634cbf770b3ee75d

SHA256
2a74e9b6e683589c16f5859bd3cede02e5a0411e2dd9b7ec02a03edde879f0fc

SHA512
5c991ba1cc110d924423a68bebd0786e0039d68559c127d12df3d78db586b1a76d31fca4d53c9c7d44a718600698647ede77e2ba1843d7a38e09db316a186f25

Download Submit
C:\Windows\{BD3CB119-0899-4fa6-A869-11D12E32587D}.exe

Filesize
408KB

MD5
e8f1b326c9faae60b724d495f38db077

SHA1
b83408de3714052667231f0d634cbf770b3ee75d

SHA256
2a74e9b6e683589c16f5859bd3cede02e5a0411e2dd9b7ec02a03edde879f0fc

SHA512
5c991ba1cc110d924423a68bebd0786e0039d68559c127d12df3d78db586b1a76d31fca4d53c9c7d44a718600698647ede77e2ba1843d7a38e09db316a186f25

Download Submit
C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe

Filesize
408KB

MD5
d02f7192911f4ad3aa59a1251c9c9fc3

SHA1
848d7442ad576b3f479f2a33af7777cada486201

SHA256
ea577e02f4f4320f1a43ebda9eed73cd898b519c0a525b55ed05de80300bcae9

SHA512
a811df1ba48520b5686dbc13f73a767a438efc60763718cb40d3097bac141d5a0e37e2a4feb8dfbf73678a4931ecb75d40a1b8c218afc5ab9581f929bb5749f0

Download Submit
C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe

Filesize
408KB

MD5
d02f7192911f4ad3aa59a1251c9c9fc3

SHA1
848d7442ad576b3f479f2a33af7777cada486201

SHA256
ea577e02f4f4320f1a43ebda9eed73cd898b519c0a525b55ed05de80300bcae9

SHA512
a811df1ba48520b5686dbc13f73a767a438efc60763718cb40d3097bac141d5a0e37e2a4feb8dfbf73678a4931ecb75d40a1b8c218afc5ab9581f929bb5749f0

Download Submit
C:\Windows\{C02819CF-2CC0-4cda-BBF9-E7EB4D301996}.exe

Filesize
408KB

MD5
d02f7192911f4ad3aa59a1251c9c9fc3

SHA1
848d7442ad576b3f479f2a33af7777cada486201

SHA256
ea577e02f4f4320f1a43ebda9eed73cd898b519c0a525b55ed05de80300bcae9

SHA512
a811df1ba48520b5686dbc13f73a767a438efc60763718cb40d3097bac141d5a0e37e2a4feb8dfbf73678a4931ecb75d40a1b8c218afc5ab9581f929bb5749f0

Download Submit
C:\Windows\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe

Filesize
408KB

MD5
0514ff6b18204352fe61eeb3676d2d97

SHA1
9b5948e806a94a81689352be4c5e156edd2416f3

SHA256
7e572938406fcfd0a5f6ce04175ebcafc5c91801cf7b9ce7640ba8938d760e6d

SHA512
1dfd8c44cf1483b3df1c3b371e2942664aa34e18fbfec5d92653a66c4a2fa106668333d0f2228b0ce675b909ffac626dc79f1017c9b551874c74adc5bac526ef

Download Submit
C:\Windows\{C4E2C98A-5CEE-4bf7-827A-FA3214BFC872}.exe

Filesize
408KB

MD5
0514ff6b18204352fe61eeb3676d2d97

SHA1
9b5948e806a94a81689352be4c5e156edd2416f3

SHA256
7e572938406fcfd0a5f6ce04175ebcafc5c91801cf7b9ce7640ba8938d760e6d

SHA512
1dfd8c44cf1483b3df1c3b371e2942664aa34e18fbfec5d92653a66c4a2fa106668333d0f2228b0ce675b909ffac626dc79f1017c9b551874c74adc5bac526ef

Download Submit
C:\Windows\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe

Filesize
408KB

MD5
12dcd2fc0ba4a79307e79ddd9220f2c8

SHA1
e7db064f78c39ce85278fb8059daad098e46f018

SHA256
4cedbdc2af3c7cdfb97bfb730ee02010c69fdfbb41308c7d43da71e470f0a761

SHA512
4ec57197655c5bec59e81007a6c5ce3d192167bc9cdbc30e9221db190e1c91b0338ede7deca98714e9528a70e67bffe072b805c48bcc1f4ab1700ff1e24aa162

Download Submit
C:\Windows\{C88A812B-8ACA-4b0a-9F8E-9F58D84257F5}.exe

Filesize
408KB

MD5
12dcd2fc0ba4a79307e79ddd9220f2c8

SHA1
e7db064f78c39ce85278fb8059daad098e46f018

SHA256
4cedbdc2af3c7cdfb97bfb730ee02010c69fdfbb41308c7d43da71e470f0a761

SHA512
4ec57197655c5bec59e81007a6c5ce3d192167bc9cdbc30e9221db190e1c91b0338ede7deca98714e9528a70e67bffe072b805c48bcc1f4ab1700ff1e24aa162

Download Submit
C:\Windows\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe

Filesize
408KB

MD5
ce5fe67f08b950ce615363ef914e3c8a

SHA1
a24e88f22f1b6153e7f7c7a76bed5da775e7c0b0

SHA256
622109fc33e41a7ab47c92cc3aa4421cf3749a5dcc7dcd84ba732ef168732b7d

SHA512
87345c9b1ed18b059543068484037607ba889b5ae59fe2b4f63f893d548af26b58fdd4f101e9f6a23dcc1bbf55c80cb8c9498173ce7be1d40eccadcb35f01c56

Download Submit
C:\Windows\{E44AA52B-4BBA-4031-ADBE-F15A8BAA3866}.exe

Filesize
408KB

MD5
ce5fe67f08b950ce615363ef914e3c8a

SHA1
a24e88f22f1b6153e7f7c7a76bed5da775e7c0b0

SHA256
622109fc33e41a7ab47c92cc3aa4421cf3749a5dcc7dcd84ba732ef168732b7d

SHA512
87345c9b1ed18b059543068484037607ba889b5ae59fe2b4f63f893d548af26b58fdd4f101e9f6a23dcc1bbf55c80cb8c9498173ce7be1d40eccadcb35f01c56

Download Submit
C:\Windows\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe

Filesize
408KB

MD5
4d9fd4f9eee0d07244335f8572077d68

SHA1
c403c51dc419851ce96a3649db09728a5c3bdd86

SHA256
bf55857b50ab62ab4ca83fe97b367a640a4883ed0d60614606d8ffa04a660903

SHA512
a3112d74b54fa7d2774e475807c7859f22e682a370878be8d8086ca5442a1c14ba38851e521e601993b866ab063e3143a3178241bacae78683fe1ad46540b1ad

Download Submit
C:\Windows\{E638A8DE-47F1-4a12-8CE3-70CCE103AC19}.exe

Filesize
408KB

MD5
4d9fd4f9eee0d07244335f8572077d68

SHA1
c403c51dc419851ce96a3649db09728a5c3bdd86

SHA256
bf55857b50ab62ab4ca83fe97b367a640a4883ed0d60614606d8ffa04a660903

SHA512
a3112d74b54fa7d2774e475807c7859f22e682a370878be8d8086ca5442a1c14ba38851e521e601993b866ab063e3143a3178241bacae78683fe1ad46540b1ad

Download Submit
C:\Windows\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe

Filesize
408KB

MD5
da65db2ca4b15fb2c873eb87a4ab9575

SHA1
dbc6e0f2c904bcecd5e43061684e511790fecc62

SHA256
04ca9d88b73ce4df742e26a05b45229d19913300e940aece411282e9af623c4b

SHA512
e35a68408d78f085ebfcd0abd7c25ae56ace0fec4b05840a6ab7221f57492460961b1631ae4aafb56f0e1d4b238000fd2379fd10925936dbe1b73a8d9c61de9f

Download Submit
C:\Windows\{EC55E7A8-673E-4669-BD07-E2D93BAF708D}.exe

Filesize
408KB

MD5
da65db2ca4b15fb2c873eb87a4ab9575

SHA1
dbc6e0f2c904bcecd5e43061684e511790fecc62

SHA256
04ca9d88b73ce4df742e26a05b45229d19913300e940aece411282e9af623c4b

SHA512
e35a68408d78f085ebfcd0abd7c25ae56ace0fec4b05840a6ab7221f57492460961b1631ae4aafb56f0e1d4b238000fd2379fd10925936dbe1b73a8d9c61de9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads