7a44d8d9c4329150e3e10440da6d141dd1991954c22e4a2a14a2b5fb62fddf6f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Size

192KB
MD5

6e058e5a1c38b5284e7d68094ef56fec
SHA1

c1cd6fb7172198502ac8e9fa8bb13a9450a9d38c
SHA256

7a44d8d9c4329150e3e10440da6d141dd1991954c22e4a2a14a2b5fb62fddf6f
SHA512

5ca2be30081b8611948578059cddde68e7c210b38095d8ac37536fd78ab336cde34d98a9bfe727efb8d31104a9969769f88e06a392ac3d7a094995b199a98fa6
SSDEEP

1536:1EGh0oHl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oHl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}\stubpath = "C:\\Windows\\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe"	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5574A69D-23C9-42da-9ABB-72474CF227A8}	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}	{D733CF00-749C-490e-B340-72AFB45BD863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1928322F-8C99-444e-9577-35E728B961CE}\stubpath = "C:\\Windows\\{1928322F-8C99-444e-9577-35E728B961CE}.exe"	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}\stubpath = "C:\\Windows\\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe"	{1928322F-8C99-444e-9577-35E728B961CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69857C8E-7020-4237-A52E-874F4B8553FC}	{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}\stubpath = "C:\\Windows\\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe"	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D733CF00-749C-490e-B340-72AFB45BD863}\stubpath = "C:\\Windows\\{D733CF00-749C-490e-B340-72AFB45BD863}.exe"	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}	{1928322F-8C99-444e-9577-35E728B961CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2473569D-9402-42c3-9264-E03BFEC42AA6}\stubpath = "C:\\Windows\\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe"	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4144375-122F-4e8b-A042-081948F3789B}\stubpath = "C:\\Windows\\{A4144375-122F-4e8b-A042-081948F3789B}.exe"	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}	{A4144375-122F-4e8b-A042-081948F3789B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}\stubpath = "C:\\Windows\\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe"	{A4144375-122F-4e8b-A042-081948F3789B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69857C8E-7020-4237-A52E-874F4B8553FC}\stubpath = "C:\\Windows\\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe"	{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5574A69D-23C9-42da-9ABB-72474CF227A8}\stubpath = "C:\\Windows\\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe"	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}\stubpath = "C:\\Windows\\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe"	{D733CF00-749C-490e-B340-72AFB45BD863}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1928322F-8C99-444e-9577-35E728B961CE}	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2473569D-9402-42c3-9264-E03BFEC42AA6}	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C3F806-B74C-4362-9CE5-323E059130F4}	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51C3F806-B74C-4362-9CE5-323E059130F4}\stubpath = "C:\\Windows\\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe"	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D733CF00-749C-490e-B340-72AFB45BD863}	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4144375-122F-4e8b-A042-081948F3789B}	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe
3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe
1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe
312	{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe
2772	{69857C8E-7020-4237-A52E-874F4B8553FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
File created	C:\Windows\{D733CF00-749C-490e-B340-72AFB45BD863}.exe	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
File created	C:\Windows\{1928322F-8C99-444e-9577-35E728B961CE}.exe	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
File created	C:\Windows\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	{1928322F-8C99-444e-9577-35E728B961CE}.exe
File created	C:\Windows\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe	{A4144375-122F-4e8b-A042-081948F3789B}.exe
File created	C:\Windows\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
File created	C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
File created	C:\Windows\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
File created	C:\Windows\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	{D733CF00-749C-490e-B340-72AFB45BD863}.exe
File created	C:\Windows\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
File created	C:\Windows\{A4144375-122F-4e8b-A042-081948F3789B}.exe	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
File created	C:\Windows\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe	{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
Token: SeIncBasePriorityPrivilege	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
Token: SeIncBasePriorityPrivilege	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
Token: SeIncBasePriorityPrivilege	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
Token: SeIncBasePriorityPrivilege	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe
Token: SeIncBasePriorityPrivilege	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
Token: SeIncBasePriorityPrivilege	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe
Token: SeIncBasePriorityPrivilege	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
Token: SeIncBasePriorityPrivilege	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
Token: SeIncBasePriorityPrivilege	4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe
Token: SeIncBasePriorityPrivilege	312	{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2096	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	91
PID 2356 wrote to memory of 2096	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	91
PID 2356 wrote to memory of 2096	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	91
PID 2356 wrote to memory of 4304	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	92
PID 2356 wrote to memory of 4304	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	92
PID 2356 wrote to memory of 4304	2356	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	92
PID 2096 wrote to memory of 1220	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	97
PID 2096 wrote to memory of 1220	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	97
PID 2096 wrote to memory of 1220	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	97
PID 2096 wrote to memory of 1060	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	98
PID 2096 wrote to memory of 1060	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	98
PID 2096 wrote to memory of 1060	2096	{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe	98
PID 1220 wrote to memory of 4264	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	102
PID 1220 wrote to memory of 4264	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	102
PID 1220 wrote to memory of 4264	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	102
PID 1220 wrote to memory of 3320	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	101
PID 1220 wrote to memory of 3320	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	101
PID 1220 wrote to memory of 3320	1220	{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe	101
PID 4264 wrote to memory of 3940	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	103
PID 4264 wrote to memory of 3940	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	103
PID 4264 wrote to memory of 3940	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	103
PID 4264 wrote to memory of 4976	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	104
PID 4264 wrote to memory of 4976	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	104
PID 4264 wrote to memory of 4976	4264	{51C3F806-B74C-4362-9CE5-323E059130F4}.exe	104
PID 3940 wrote to memory of 3896	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	106
PID 3940 wrote to memory of 3896	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	106
PID 3940 wrote to memory of 3896	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	106
PID 3940 wrote to memory of 3440	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	105
PID 3940 wrote to memory of 3440	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	105
PID 3940 wrote to memory of 3440	3940	{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe	105
PID 3896 wrote to memory of 3860	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	109
PID 3896 wrote to memory of 3860	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	109
PID 3896 wrote to memory of 3860	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	109
PID 3896 wrote to memory of 2928	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	108
PID 3896 wrote to memory of 2928	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	108
PID 3896 wrote to memory of 2928	3896	{D733CF00-749C-490e-B340-72AFB45BD863}.exe	108
PID 3860 wrote to memory of 4412	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	110
PID 3860 wrote to memory of 4412	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	110
PID 3860 wrote to memory of 4412	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	110
PID 3860 wrote to memory of 3552	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	111
PID 3860 wrote to memory of 3552	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	111
PID 3860 wrote to memory of 3552	3860	{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe	111
PID 4412 wrote to memory of 1352	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	112
PID 4412 wrote to memory of 1352	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	112
PID 4412 wrote to memory of 1352	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	112
PID 4412 wrote to memory of 2072	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	113
PID 4412 wrote to memory of 2072	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	113
PID 4412 wrote to memory of 2072	4412	{1928322F-8C99-444e-9577-35E728B961CE}.exe	113
PID 1352 wrote to memory of 728	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	122
PID 1352 wrote to memory of 728	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	122
PID 1352 wrote to memory of 728	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	122
PID 1352 wrote to memory of 2500	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	121
PID 1352 wrote to memory of 2500	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	121
PID 1352 wrote to memory of 2500	1352	{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe	121
PID 728 wrote to memory of 4896	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	123
PID 728 wrote to memory of 4896	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	123
PID 728 wrote to memory of 4896	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	123
PID 728 wrote to memory of 5024	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	124
PID 728 wrote to memory of 5024	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	124
PID 728 wrote to memory of 5024	728	{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe	124
PID 4896 wrote to memory of 312	4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe	127
PID 4896 wrote to memory of 312	4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe	127
PID 4896 wrote to memory of 312	4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe	127
PID 4896 wrote to memory of 1840	4896	{A4144375-122F-4e8b-A042-081948F3789B}.exe	126

C:\Users\Admin\AppData\Local\Temp\2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
  C:\Windows\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
    C:\Windows\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5574A~1.EXE > nul
      4⤵
      PID:3320
  - - C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
      C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
        
        C:\Windows\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9CFB~1.EXE > nul
        6⤵
        
        PID:3440
      - C:\Windows\{D733CF00-749C-490e-B340-72AFB45BD863}.exe
        
        C:\Windows\{D733CF00-749C-490e-B340-72AFB45BD863}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D733C~1.EXE > nul
        7⤵
        
        PID:2928
        
        C:\Windows\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
        
        C:\Windows\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\{1928322F-8C99-444e-9577-35E728B961CE}.exe
        
        C:\Windows\{1928322F-8C99-444e-9577-35E728B961CE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
        
        C:\Windows\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC77B~1.EXE > nul
        10⤵
        
        PID:2500
        
        C:\Windows\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
        
        C:\Windows\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\{A4144375-122F-4e8b-A042-081948F3789B}.exe
        
        C:\Windows\{A4144375-122F-4e8b-A042-081948F3789B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4144~1.EXE > nul
        12⤵
        
        PID:1840
        
        C:\Windows\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe
        
        C:\Windows\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe
        
        C:\Windows\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe
        13⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A36F~1.EXE > nul
        13⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24735~1.EXE > nul
        11⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19283~1.EXE > nul
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9FF7~1.EXE > nul
        8⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51C3F~1.EXE > nul
        5⤵
        
        PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FDBF~1.EXE > nul
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1928322F-8C99-444e-9577-35E728B961CE}.exe

Filesize
192KB

MD5
d3a93b0950ecd3af098e8830a11a3c66

SHA1
32be701b2ada14f73f240a983993dcca6b143926

SHA256
e5a684a397deaa66650e6bf2bafa02bb52eb0ed55bc6eff36df74725f27d3291

SHA512
44668aa509bb5e5951bf7d6ecde5c962a28513bdc546391cac458126cb65ff999d8ef2ecdd28f7b833ab36a2097125e7c5ff88322a04a9095fbeaf7190480fd3

Download Submit
C:\Windows\{1928322F-8C99-444e-9577-35E728B961CE}.exe

Filesize
192KB

MD5
d3a93b0950ecd3af098e8830a11a3c66

SHA1
32be701b2ada14f73f240a983993dcca6b143926

SHA256
e5a684a397deaa66650e6bf2bafa02bb52eb0ed55bc6eff36df74725f27d3291

SHA512
44668aa509bb5e5951bf7d6ecde5c962a28513bdc546391cac458126cb65ff999d8ef2ecdd28f7b833ab36a2097125e7c5ff88322a04a9095fbeaf7190480fd3

Download Submit
C:\Windows\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe

Filesize
192KB

MD5
8a6fb7173c40732a14c796c0c35de8e1

SHA1
5bbf33f127013af82d13067550d28a8b7148c5f6

SHA256
0fc11c568529025f3edc4bce325272c101f69ab39c93852383e0a97ee1a61cb8

SHA512
625092b7ab59c2341ba9b3fe0b0809dd7169d750ff2fb25115579a26e98c58a9025e5e4851febf2b8924e93680ba7f20075a126af6716cc069618d834f1f74f9

Download Submit
C:\Windows\{2473569D-9402-42c3-9264-E03BFEC42AA6}.exe

Filesize
192KB

MD5
8a6fb7173c40732a14c796c0c35de8e1

SHA1
5bbf33f127013af82d13067550d28a8b7148c5f6

SHA256
0fc11c568529025f3edc4bce325272c101f69ab39c93852383e0a97ee1a61cb8

SHA512
625092b7ab59c2341ba9b3fe0b0809dd7169d750ff2fb25115579a26e98c58a9025e5e4851febf2b8924e93680ba7f20075a126af6716cc069618d834f1f74f9

Download Submit
C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe

Filesize
192KB

MD5
b90e48015173e5fa302ee08371038d2a

SHA1
332034a1bcfc715cb0ffe9b9f1a2bb51923a00de

SHA256
46163a0b079ea5fea540b074517f32601727238297a21181362fef5abdefff89

SHA512
638cf41cf886ad8fa00798be7d0d37508ba668614b1c261502100d6054671b4f7f3b5adfa219b6d259b44f68d02aebb5407daebbf024f70bd5ae264e71e9623f

Download Submit
C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe

Filesize
192KB

MD5
b90e48015173e5fa302ee08371038d2a

SHA1
332034a1bcfc715cb0ffe9b9f1a2bb51923a00de

SHA256
46163a0b079ea5fea540b074517f32601727238297a21181362fef5abdefff89

SHA512
638cf41cf886ad8fa00798be7d0d37508ba668614b1c261502100d6054671b4f7f3b5adfa219b6d259b44f68d02aebb5407daebbf024f70bd5ae264e71e9623f

Download Submit
C:\Windows\{51C3F806-B74C-4362-9CE5-323E059130F4}.exe

Filesize
192KB

MD5
b90e48015173e5fa302ee08371038d2a

SHA1
332034a1bcfc715cb0ffe9b9f1a2bb51923a00de

SHA256
46163a0b079ea5fea540b074517f32601727238297a21181362fef5abdefff89

SHA512
638cf41cf886ad8fa00798be7d0d37508ba668614b1c261502100d6054671b4f7f3b5adfa219b6d259b44f68d02aebb5407daebbf024f70bd5ae264e71e9623f

Download Submit
C:\Windows\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe

Filesize
192KB

MD5
ea172b34165cfef7000dc010a8d7c6cd

SHA1
f926a6cf7585dfd74f4686fd3c384751afd1e7be

SHA256
91093535749d066d32cab547873e7eb9058636a20d9bf11ba07661a1a65e8f90

SHA512
446dd497d7b0d9f67bf22980f56c20b8b9c970e0f7ee705d80cac7da085eaf970788bedec3e90e160cf5aecf2e24a7b7d915bde40808638e167087f3a6682c05

Download Submit
C:\Windows\{5574A69D-23C9-42da-9ABB-72474CF227A8}.exe

Filesize
192KB

MD5
ea172b34165cfef7000dc010a8d7c6cd

SHA1
f926a6cf7585dfd74f4686fd3c384751afd1e7be

SHA256
91093535749d066d32cab547873e7eb9058636a20d9bf11ba07661a1a65e8f90

SHA512
446dd497d7b0d9f67bf22980f56c20b8b9c970e0f7ee705d80cac7da085eaf970788bedec3e90e160cf5aecf2e24a7b7d915bde40808638e167087f3a6682c05

Download Submit
C:\Windows\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe

Filesize
192KB

MD5
64d601971354e1fd1bdbf4534bd92528

SHA1
06a17edec2ec6cb0d9fe7714519ad08bb1ba4ccb

SHA256
e2a8ea47a15ddc3b55e9bb32d10fd4316aa52f5486a37c197144928507fcab19

SHA512
63ba8fe7cb8b3124923261e9b4ee1b7a7683304a2df58780b075d4f5224737ee2323922e9d0695352a01098f9f7e95b6b91a7cfcbf72555852ca6061d049e206

Download Submit
C:\Windows\{69857C8E-7020-4237-A52E-874F4B8553FC}.exe

Filesize
192KB

MD5
64d601971354e1fd1bdbf4534bd92528

SHA1
06a17edec2ec6cb0d9fe7714519ad08bb1ba4ccb

SHA256
e2a8ea47a15ddc3b55e9bb32d10fd4316aa52f5486a37c197144928507fcab19

SHA512
63ba8fe7cb8b3124923261e9b4ee1b7a7683304a2df58780b075d4f5224737ee2323922e9d0695352a01098f9f7e95b6b91a7cfcbf72555852ca6061d049e206

Download Submit
C:\Windows\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe

Filesize
192KB

MD5
de21170e977080149e196287c485e10f

SHA1
ac0a526371b2676e5596058492e470a2e079909a

SHA256
7a18ac6d466984ddf0b98b44484d1211fd0d505bf1cb4fc288ce1d526253e341

SHA512
e3376a98ac596862d81f7c381fb37a0f12d796b88b6052f03f3d2e0f87c48541e10e86a7d3b39e05dee71b23f69114fc4ac410e28a0be3128785d6b4e4362f04

Download Submit
C:\Windows\{6A36FC12-47F5-4f17-B1A6-2CE3087A1DBE}.exe

Filesize
192KB

MD5
de21170e977080149e196287c485e10f

SHA1
ac0a526371b2676e5596058492e470a2e079909a

SHA256
7a18ac6d466984ddf0b98b44484d1211fd0d505bf1cb4fc288ce1d526253e341

SHA512
e3376a98ac596862d81f7c381fb37a0f12d796b88b6052f03f3d2e0f87c48541e10e86a7d3b39e05dee71b23f69114fc4ac410e28a0be3128785d6b4e4362f04

Download Submit
C:\Windows\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe

Filesize
192KB

MD5
dc10fac34ad9576bd362d625d663eb77

SHA1
50507a0ed85fbbe5231b3e458d96b053499856bc

SHA256
c4e934b701dd6e38b709eed08afcf97a835373167ac013cee309cb2b4b3f8d77

SHA512
01ac9b16a45a94d1d9b1ee4bb36ba15ba669d23c572f88133b651fbe532f2f698f79bc819cdf1afccbd21be7c4dbb7f45373faa5e1f9c28a3300f3bcb599399f

Download Submit
C:\Windows\{9FDBF2C6-A381-443f-B037-D58B6178B8D9}.exe

Filesize
192KB

MD5
dc10fac34ad9576bd362d625d663eb77

SHA1
50507a0ed85fbbe5231b3e458d96b053499856bc

SHA256
c4e934b701dd6e38b709eed08afcf97a835373167ac013cee309cb2b4b3f8d77

SHA512
01ac9b16a45a94d1d9b1ee4bb36ba15ba669d23c572f88133b651fbe532f2f698f79bc819cdf1afccbd21be7c4dbb7f45373faa5e1f9c28a3300f3bcb599399f

Download Submit
C:\Windows\{A4144375-122F-4e8b-A042-081948F3789B}.exe

Filesize
192KB

MD5
976ea610a668dd3e565595e356f6c557

SHA1
f3dfe74876b5563c702f5fc64e7e13d56fa06188

SHA256
950e6cf89bf4a5fb550617f7763f13c9dc1dd743dfcde3eb35cab00b1a77a657

SHA512
99b54e00303d4ef845a7320992760209a623607799c8c26bf56595a06e6055e9e38ae013c564523f7de2f8265ccb5144a447ebea3df34b2fa6be9739efb485e3

Download Submit
C:\Windows\{A4144375-122F-4e8b-A042-081948F3789B}.exe

Filesize
192KB

MD5
976ea610a668dd3e565595e356f6c557

SHA1
f3dfe74876b5563c702f5fc64e7e13d56fa06188

SHA256
950e6cf89bf4a5fb550617f7763f13c9dc1dd743dfcde3eb35cab00b1a77a657

SHA512
99b54e00303d4ef845a7320992760209a623607799c8c26bf56595a06e6055e9e38ae013c564523f7de2f8265ccb5144a447ebea3df34b2fa6be9739efb485e3

Download Submit
C:\Windows\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe

Filesize
192KB

MD5
55edb3f1c46a7eecd3cd719029329acd

SHA1
ebfc6f266ccd4c5dd2dae540fb2c2201bf4305a9

SHA256
5ad7ef8efe4294f680dffca10d0a18d37c011604f6145dabb14a19a10f067631

SHA512
96888d4ea85929fc71229086d442d9337d32dd9e3fc110ec98c3304a20f66f4a747a7323be831304e3fe0d7a82c05be550ec1a49c5570a574c6526a90622f995

Download Submit
C:\Windows\{C9FF75AC-AF4D-43f4-BB63-582E4BA6A55D}.exe

Filesize
192KB

MD5
55edb3f1c46a7eecd3cd719029329acd

SHA1
ebfc6f266ccd4c5dd2dae540fb2c2201bf4305a9

SHA256
5ad7ef8efe4294f680dffca10d0a18d37c011604f6145dabb14a19a10f067631

SHA512
96888d4ea85929fc71229086d442d9337d32dd9e3fc110ec98c3304a20f66f4a747a7323be831304e3fe0d7a82c05be550ec1a49c5570a574c6526a90622f995

Download Submit
C:\Windows\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe

Filesize
192KB

MD5
2be876a0beb2705d72bf9e55cb8a93a9

SHA1
d2572195ebcf65b94a42651368aa920718cdf66f

SHA256
027f572f2e269ccf08339c280c8025332d437a8ee99af5272f4efcd74e334ede

SHA512
b19e7776575cdcc1391a6e6243aab3c16ff1f67316bc4e887663613587692fd21f459dc56d01d0f077d9e436550ed7fc081b5837605409035e0c296250c0d7ec

Download Submit
C:\Windows\{CC77BB2E-F7F3-45cb-831E-FB3B24F74106}.exe

Filesize
192KB

MD5
2be876a0beb2705d72bf9e55cb8a93a9

SHA1
d2572195ebcf65b94a42651368aa920718cdf66f

SHA256
027f572f2e269ccf08339c280c8025332d437a8ee99af5272f4efcd74e334ede

SHA512
b19e7776575cdcc1391a6e6243aab3c16ff1f67316bc4e887663613587692fd21f459dc56d01d0f077d9e436550ed7fc081b5837605409035e0c296250c0d7ec

Download Submit
C:\Windows\{D733CF00-749C-490e-B340-72AFB45BD863}.exe

Filesize
192KB

MD5
30b87d025a96b2baf6353fb54a8abaf1

SHA1
e0ea1d2dfe43416895a47fe1add5a0649de40ff3

SHA256
37c19c3816fa9e5aacf8aedc5352ce66f9d7acc097db474df0a63db94c8899c3

SHA512
ea9014b96b828a7146bbd66545855ebaada667549a7340f40425600d28e9f1420d374b5c10b9de5c6210c89eed2b402220624c3aa03da457a70f704c8eef023a

Download Submit
C:\Windows\{D733CF00-749C-490e-B340-72AFB45BD863}.exe

Filesize
192KB

MD5
30b87d025a96b2baf6353fb54a8abaf1

SHA1
e0ea1d2dfe43416895a47fe1add5a0649de40ff3

SHA256
37c19c3816fa9e5aacf8aedc5352ce66f9d7acc097db474df0a63db94c8899c3

SHA512
ea9014b96b828a7146bbd66545855ebaada667549a7340f40425600d28e9f1420d374b5c10b9de5c6210c89eed2b402220624c3aa03da457a70f704c8eef023a

Download Submit
C:\Windows\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe

Filesize
192KB

MD5
33eb597b6e6bd37fa045faff940d2731

SHA1
b5d34e0d1a7127d7d4353160a647bcb8832310d9

SHA256
2ad33cea2bb5cdffb6a25c76dd4bbdd0b04dda93629156d528a0c98437cecb13

SHA512
0038e2a23c5d5b2fe95d1b1f82b96041e00c147784437cfd5ccdccf692e31682ca2d1346ed73b52ec3fdb917933d6403c25e6842dfa61e45bb6f66751e9e4448

Download Submit
C:\Windows\{E9CFB50A-BAD1-4704-BCD5-F46146B5C3CC}.exe

Filesize
192KB

MD5
33eb597b6e6bd37fa045faff940d2731

SHA1
b5d34e0d1a7127d7d4353160a647bcb8832310d9

SHA256
2ad33cea2bb5cdffb6a25c76dd4bbdd0b04dda93629156d528a0c98437cecb13

SHA512
0038e2a23c5d5b2fe95d1b1f82b96041e00c147784437cfd5ccdccf692e31682ca2d1346ed73b52ec3fdb917933d6403c25e6842dfa61e45bb6f66751e9e4448

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads