c64ecb2ac2693bef045c6a891de1f4c4d92b30ddb68bd4e88c9c4c3dffdf803b

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2023 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
Size

380KB
MD5

79b364831d01c1339d452a6ec97ea116
SHA1

7bd133c012a87da3f34b7b608d70be46a43da35c
SHA256

c64ecb2ac2693bef045c6a891de1f4c4d92b30ddb68bd4e88c9c4c3dffdf803b
SHA512

ede6e6dc52365c49324c28c5e10fc134d298b47d8a3ec7c0803dc5eaad8917039d06e30b211f3a805cdd7f47906d6ec2140b1d432726ebc5d5980ef52cfedc2c
SSDEEP

3072:mEGh0oGlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG4l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}\stubpath = "C:\\Windows\\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe"	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD41A79-82E1-4058-9A24-5565F7F213E3}	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}\stubpath = "C:\\Windows\\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe"	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4944C0-E616-4160-A95E-2774A9421D6E}\stubpath = "C:\\Windows\\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe"	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}\stubpath = "C:\\Windows\\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe"	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1972D55-0106-413f-B63A-83DE0627E878}	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15179415-D588-434f-9304-0264955D2E26}\stubpath = "C:\\Windows\\{15179415-D588-434f-9304-0264955D2E26}.exe"	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}	{15179415-D588-434f-9304-0264955D2E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}\stubpath = "C:\\Windows\\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe"	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}\stubpath = "C:\\Windows\\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe"	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4944C0-E616-4160-A95E-2774A9421D6E}	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}	{A1972D55-0106-413f-B63A-83DE0627E878}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15179415-D588-434f-9304-0264955D2E26}	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}\stubpath = "C:\\Windows\\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe"	{15179415-D588-434f-9304-0264955D2E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11C88E97-778F-47f1-8D26-36D329A8568E}	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11C88E97-778F-47f1-8D26-36D329A8568E}\stubpath = "C:\\Windows\\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe"	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD41A79-82E1-4058-9A24-5565F7F213E3}\stubpath = "C:\\Windows\\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe"	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1972D55-0106-413f-B63A-83DE0627E878}\stubpath = "C:\\Windows\\{A1972D55-0106-413f-B63A-83DE0627E878}.exe"	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}\stubpath = "C:\\Windows\\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe"	{A1972D55-0106-413f-B63A-83DE0627E878}.exe

Executes dropped EXE 12 IoCs

pid	Process
320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
2420	{15179415-D588-434f-9304-0264955D2E26}.exe
3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
4216	{A1972D55-0106-413f-B63A-83DE0627E878}.exe
2776	{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
File created	C:\Windows\{15179415-D588-434f-9304-0264955D2E26}.exe	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
File created	C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	{15179415-D588-434f-9304-0264955D2E26}.exe
File created	C:\Windows\{A1972D55-0106-413f-B63A-83DE0627E878}.exe	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
File created	C:\Windows\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe	{A1972D55-0106-413f-B63A-83DE0627E878}.exe
File created	C:\Windows\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
File created	C:\Windows\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
File created	C:\Windows\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
File created	C:\Windows\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
File created	C:\Windows\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
File created	C:\Windows\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
File created	C:\Windows\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
Token: SeIncBasePriorityPrivilege	2420	{15179415-D588-434f-9304-0264955D2E26}.exe
Token: SeIncBasePriorityPrivilege	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
Token: SeIncBasePriorityPrivilege	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
Token: SeIncBasePriorityPrivilege	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
Token: SeIncBasePriorityPrivilege	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
Token: SeIncBasePriorityPrivilege	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
Token: SeIncBasePriorityPrivilege	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
Token: SeIncBasePriorityPrivilege	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
Token: SeIncBasePriorityPrivilege	1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
Token: SeIncBasePriorityPrivilege	4216	{A1972D55-0106-413f-B63A-83DE0627E878}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 320	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	95
PID 1984 wrote to memory of 320	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	95
PID 1984 wrote to memory of 320	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	95
PID 1984 wrote to memory of 4256	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	96
PID 1984 wrote to memory of 4256	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	96
PID 1984 wrote to memory of 4256	1984	2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe	96
PID 320 wrote to memory of 2420	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	97
PID 320 wrote to memory of 2420	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	97
PID 320 wrote to memory of 2420	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	97
PID 320 wrote to memory of 4832	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	98
PID 320 wrote to memory of 4832	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	98
PID 320 wrote to memory of 4832	320	{11C88E97-778F-47f1-8D26-36D329A8568E}.exe	98
PID 2420 wrote to memory of 3224	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	102
PID 2420 wrote to memory of 3224	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	102
PID 2420 wrote to memory of 3224	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	102
PID 2420 wrote to memory of 2532	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	101
PID 2420 wrote to memory of 2532	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	101
PID 2420 wrote to memory of 2532	2420	{15179415-D588-434f-9304-0264955D2E26}.exe	101
PID 3224 wrote to memory of 3668	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	103
PID 3224 wrote to memory of 3668	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	103
PID 3224 wrote to memory of 3668	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	103
PID 3224 wrote to memory of 1308	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	104
PID 3224 wrote to memory of 1308	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	104
PID 3224 wrote to memory of 1308	3224	{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe	104
PID 3668 wrote to memory of 3644	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	105
PID 3668 wrote to memory of 3644	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	105
PID 3668 wrote to memory of 3644	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	105
PID 3668 wrote to memory of 3684	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	106
PID 3668 wrote to memory of 3684	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	106
PID 3668 wrote to memory of 3684	3668	{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe	106
PID 3644 wrote to memory of 1384	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	108
PID 3644 wrote to memory of 1384	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	108
PID 3644 wrote to memory of 1384	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	108
PID 3644 wrote to memory of 2792	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	109
PID 3644 wrote to memory of 2792	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	109
PID 3644 wrote to memory of 2792	3644	{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe	109
PID 1384 wrote to memory of 1104	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	110
PID 1384 wrote to memory of 1104	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	110
PID 1384 wrote to memory of 1104	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	110
PID 1384 wrote to memory of 2252	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	111
PID 1384 wrote to memory of 2252	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	111
PID 1384 wrote to memory of 2252	1384	{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe	111
PID 1104 wrote to memory of 3680	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	114
PID 1104 wrote to memory of 3680	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	114
PID 1104 wrote to memory of 3680	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	114
PID 1104 wrote to memory of 4796	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	115
PID 1104 wrote to memory of 4796	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	115
PID 1104 wrote to memory of 4796	1104	{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe	115
PID 3680 wrote to memory of 1976	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	121
PID 3680 wrote to memory of 1976	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	121
PID 3680 wrote to memory of 1976	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	121
PID 3680 wrote to memory of 3820	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	122
PID 3680 wrote to memory of 3820	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	122
PID 3680 wrote to memory of 3820	3680	{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe	122
PID 1976 wrote to memory of 1764	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	123
PID 1976 wrote to memory of 1764	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	123
PID 1976 wrote to memory of 1764	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	123
PID 1976 wrote to memory of 1308	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	124
PID 1976 wrote to memory of 1308	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	124
PID 1976 wrote to memory of 1308	1976	{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe	124
PID 1764 wrote to memory of 4216	1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe	126
PID 1764 wrote to memory of 4216	1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe	126
PID 1764 wrote to memory of 4216	1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe	126
PID 1764 wrote to memory of 2228	1764	{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe	127

C:\Users\Admin\AppData\Local\Temp\2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_79b364831d01c1339d452a6ec97ea116_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
  C:\Windows\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\{15179415-D588-434f-9304-0264955D2E26}.exe
    C:\Windows\{15179415-D588-434f-9304-0264955D2E26}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15179~1.EXE > nul
      4⤵
      PID:2532
  - - C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
      C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
        
        C:\Windows\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
        
        C:\Windows\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
        
        C:\Windows\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
        
        C:\Windows\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
        
        C:\Windows\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
        
        C:\Windows\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
        
        C:\Windows\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{A1972D55-0106-413f-B63A-83DE0627E878}.exe
        
        C:\Windows\{A1972D55-0106-413f-B63A-83DE0627E878}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Windows\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe
        
        C:\Windows\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe
        13⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1972~1.EXE > nul
        13⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFBD~1.EXE > nul
        12⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E494~1.EXE > nul
        11⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47FB9~1.EXE > nul
        10⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD41~1.EXE > nul
        9⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6220~1.EXE > nul
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AACF0~1.EXE > nul
        7⤵
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94643~1.EXE > nul
        6⤵
        
        PID:3684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD642~1.EXE > nul
        5⤵
        
        PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{11C88~1.EXE > nul
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe

Filesize
380KB

MD5
225729e0b645337fa6cb5b58241622d9

SHA1
1183d1c485561f4ddae5dbb93828dca45b9eba87

SHA256
7b98d8be4f5504068646e36ec2fe11104765972281a38f657ad2002cb70b914f

SHA512
76af6950a90d185792ba973ad889945ffb5d5aeae2ca4d6538688d09ca0052e8b7e8cc3f72f96f8b754de0f6384c28ff9477ae7cabdf28c3ef36471cef037d51

Download Submit
C:\Windows\{0A6AE8BA-EE4D-4124-95AB-8724F28B2919}.exe

Filesize
380KB

MD5
225729e0b645337fa6cb5b58241622d9

SHA1
1183d1c485561f4ddae5dbb93828dca45b9eba87

SHA256
7b98d8be4f5504068646e36ec2fe11104765972281a38f657ad2002cb70b914f

SHA512
76af6950a90d185792ba973ad889945ffb5d5aeae2ca4d6538688d09ca0052e8b7e8cc3f72f96f8b754de0f6384c28ff9477ae7cabdf28c3ef36471cef037d51

Download Submit
C:\Windows\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe

Filesize
380KB

MD5
87a8066dbbaf52c45d9582453a3b2856

SHA1
08394908f19260ccfa108c2855cdb28e81b159e7

SHA256
eb20b3caca7f7de9edec732ffe28a1f9feb49e5fbb46968aef0d0eb0bff646b9

SHA512
2b25b638494990a7d58bdf7fd5b651c1a1ec1feaa9483e6f083c9434cef752d7167214e4d0a565b6b0e0030172625c9ff87d772d3415728a6f785577b3000080

Download Submit
C:\Windows\{11C88E97-778F-47f1-8D26-36D329A8568E}.exe

Filesize
380KB

MD5
87a8066dbbaf52c45d9582453a3b2856

SHA1
08394908f19260ccfa108c2855cdb28e81b159e7

SHA256
eb20b3caca7f7de9edec732ffe28a1f9feb49e5fbb46968aef0d0eb0bff646b9

SHA512
2b25b638494990a7d58bdf7fd5b651c1a1ec1feaa9483e6f083c9434cef752d7167214e4d0a565b6b0e0030172625c9ff87d772d3415728a6f785577b3000080

Download Submit
C:\Windows\{15179415-D588-434f-9304-0264955D2E26}.exe

Filesize
380KB

MD5
c7ecbc13a90e436bc8e989e463c0f2f0

SHA1
b140f49e4e1d52ffa36c93d661aeb74680fb889c

SHA256
261144cec18fa5714f03109cbd0c0f44e743ebe8779822c367f2672cef41f7e5

SHA512
dacb09c416aef4260a0760265d13bd4a428ed051f49ddf0f69816263ca610171ab09bd6b38379380a8bc8f0fc6c87192d7c17f3f64c7d6b5e37ceb3ede4bfbaa

Download Submit
C:\Windows\{15179415-D588-434f-9304-0264955D2E26}.exe

Filesize
380KB

MD5
c7ecbc13a90e436bc8e989e463c0f2f0

SHA1
b140f49e4e1d52ffa36c93d661aeb74680fb889c

SHA256
261144cec18fa5714f03109cbd0c0f44e743ebe8779822c367f2672cef41f7e5

SHA512
dacb09c416aef4260a0760265d13bd4a428ed051f49ddf0f69816263ca610171ab09bd6b38379380a8bc8f0fc6c87192d7c17f3f64c7d6b5e37ceb3ede4bfbaa

Download Submit
C:\Windows\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe

Filesize
380KB

MD5
3a32750138b8b0b67b492c4156c1d0d1

SHA1
bee08c7ad2a9a4b64d7e7e442b72900fc01c08d9

SHA256
d7af0e299f2948a4b4d481f0ca8d440d5a4831df0c9b67e23864a7e1e179a12d

SHA512
9d15eff407d9b98044f81c06d40df17a83a0ca98ed05eb60e6233d73bb8558703ab2d7d125b4a9a88bdd09a8476b7a205850931bbd1c90c478116ebdc8b5fcba

Download Submit
C:\Windows\{2E4944C0-E616-4160-A95E-2774A9421D6E}.exe

Filesize
380KB

MD5
3a32750138b8b0b67b492c4156c1d0d1

SHA1
bee08c7ad2a9a4b64d7e7e442b72900fc01c08d9

SHA256
d7af0e299f2948a4b4d481f0ca8d440d5a4831df0c9b67e23864a7e1e179a12d

SHA512
9d15eff407d9b98044f81c06d40df17a83a0ca98ed05eb60e6233d73bb8558703ab2d7d125b4a9a88bdd09a8476b7a205850931bbd1c90c478116ebdc8b5fcba

Download Submit
C:\Windows\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe

Filesize
380KB

MD5
560375791c8ec4d38a7421ca2081e66d

SHA1
4bc3b93864d64387a2a30f74403d3fea462eb2f9

SHA256
1313c621d5134b9fbec728ec935e341d16eac2a011059e2d32cfaed798a915e4

SHA512
58ddb881900e461db3b749baead9b69388cb0ed0c24eec9d485396868d791d03552da5899d48132a2676ed173f63679ce548332775803080d6d1399bbc17ebf6

Download Submit
C:\Windows\{47FB93DF-3552-47de-9864-2ADCE31EF4FF}.exe

Filesize
380KB

MD5
560375791c8ec4d38a7421ca2081e66d

SHA1
4bc3b93864d64387a2a30f74403d3fea462eb2f9

SHA256
1313c621d5134b9fbec728ec935e341d16eac2a011059e2d32cfaed798a915e4

SHA512
58ddb881900e461db3b749baead9b69388cb0ed0c24eec9d485396868d791d03552da5899d48132a2676ed173f63679ce548332775803080d6d1399bbc17ebf6

Download Submit
C:\Windows\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe

Filesize
380KB

MD5
0a8cc8c61b09ff7756fe4f545d5babe4

SHA1
f869a3c2d6911991a25b126cefaf66f9ce81fcee

SHA256
26b3ca35eba1d585b4afe37af520bd86631259c0752a665895dcf24c3ef713a6

SHA512
8fd3cf3d2ce64d7bdbd4348a20841681490983451423f27e795dca2ef86869701d8cf47151b19b9def56f2d8516cda55e292be359061a7ec21053862f4937442

Download Submit
C:\Windows\{4FFBD849-60E5-4bec-AEAB-7BC2627237A5}.exe

Filesize
380KB

MD5
0a8cc8c61b09ff7756fe4f545d5babe4

SHA1
f869a3c2d6911991a25b126cefaf66f9ce81fcee

SHA256
26b3ca35eba1d585b4afe37af520bd86631259c0752a665895dcf24c3ef713a6

SHA512
8fd3cf3d2ce64d7bdbd4348a20841681490983451423f27e795dca2ef86869701d8cf47151b19b9def56f2d8516cda55e292be359061a7ec21053862f4937442

Download Submit
C:\Windows\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe

Filesize
380KB

MD5
c6db48181988c9cd1cbd1966dc22bc20

SHA1
b3d59165a5c1fe2993f0bfbdd0a549cbabc0313d

SHA256
73c9249d6e9c8f5e707c858a46a772820b70de2b4e45257f0dfd50be2d893c0a

SHA512
e55ba3225e30eaefaa2d6fb584ef6677cf1e8f4042c63de324fd6c59c7ca02e88748eaaf314b663fe60d4336351516630fc999ba963475d2ad81e18f199f1115

Download Submit
C:\Windows\{5DD41A79-82E1-4058-9A24-5565F7F213E3}.exe

Filesize
380KB

MD5
c6db48181988c9cd1cbd1966dc22bc20

SHA1
b3d59165a5c1fe2993f0bfbdd0a549cbabc0313d

SHA256
73c9249d6e9c8f5e707c858a46a772820b70de2b4e45257f0dfd50be2d893c0a

SHA512
e55ba3225e30eaefaa2d6fb584ef6677cf1e8f4042c63de324fd6c59c7ca02e88748eaaf314b663fe60d4336351516630fc999ba963475d2ad81e18f199f1115

Download Submit
C:\Windows\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe

Filesize
380KB

MD5
42bb3b6cad1ce5936b45787fdfb2de80

SHA1
d362f12dba2c6f758cbcb5f040e32811ad76cc59

SHA256
23e6a5b9ca6b1abf5e0d497c3f4487343da2508c069e86c11e84c87063f66c80

SHA512
59d15e18db2c527cb28519f969511cb753b1bed56959e77f20ae7ee8267223cde855a5afac051cd1bca7383df92ca50e6eb147f0e8a510460ed5e0c68e21ad6c

Download Submit
C:\Windows\{94643729-ECD0-40c6-82AB-EF4BB6DBE7AC}.exe

Filesize
380KB

MD5
42bb3b6cad1ce5936b45787fdfb2de80

SHA1
d362f12dba2c6f758cbcb5f040e32811ad76cc59

SHA256
23e6a5b9ca6b1abf5e0d497c3f4487343da2508c069e86c11e84c87063f66c80

SHA512
59d15e18db2c527cb28519f969511cb753b1bed56959e77f20ae7ee8267223cde855a5afac051cd1bca7383df92ca50e6eb147f0e8a510460ed5e0c68e21ad6c

Download Submit
C:\Windows\{A1972D55-0106-413f-B63A-83DE0627E878}.exe

Filesize
380KB

MD5
ca1d07655d25eebe4aef760714c959d1

SHA1
d709ea41cb2e37e8eb2e6261f9cd65225ae78871

SHA256
6ac73a767164242f4336b451b51ae1708af9ef85340bd412f083be11c1b34674

SHA512
10791b23f57c8ff8fd0f1246d720a96e9b16767a62a5b14514b8d24e7bdcfbda87ed099aa8d7dd08d0a1512b5148637a72732b49bbcf4b787790d193d31a0719

Download Submit
C:\Windows\{A1972D55-0106-413f-B63A-83DE0627E878}.exe

Filesize
380KB

MD5
ca1d07655d25eebe4aef760714c959d1

SHA1
d709ea41cb2e37e8eb2e6261f9cd65225ae78871

SHA256
6ac73a767164242f4336b451b51ae1708af9ef85340bd412f083be11c1b34674

SHA512
10791b23f57c8ff8fd0f1246d720a96e9b16767a62a5b14514b8d24e7bdcfbda87ed099aa8d7dd08d0a1512b5148637a72732b49bbcf4b787790d193d31a0719

Download Submit
C:\Windows\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe

Filesize
380KB

MD5
e7899781f60bde7452e88de2e68b1002

SHA1
a4b3c803573ec5ea81952cbf9cd31785c36ec119

SHA256
66ee85a3a15d3810622040d77768e026cedb911f617ad6c50a83b9dc3df32c27

SHA512
6d78114aa2a6567ad6d970b4fbd52023eb094873b92598c6f34df298a738f687e4b4bab05f4c634aa66505498dbb8bb96d112eda1dccae92ac79874d4164557a

Download Submit
C:\Windows\{AACF0821-66D5-4e3e-A7D9-AF8DA1160826}.exe

Filesize
380KB

MD5
e7899781f60bde7452e88de2e68b1002

SHA1
a4b3c803573ec5ea81952cbf9cd31785c36ec119

SHA256
66ee85a3a15d3810622040d77768e026cedb911f617ad6c50a83b9dc3df32c27

SHA512
6d78114aa2a6567ad6d970b4fbd52023eb094873b92598c6f34df298a738f687e4b4bab05f4c634aa66505498dbb8bb96d112eda1dccae92ac79874d4164557a

Download Submit
C:\Windows\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe

Filesize
380KB

MD5
6af80d8d89c7cd8cfac5a84619181d3a

SHA1
ab13540d197108955cc0aa5a0ed7a86d3153370b

SHA256
f6f9ef696f53d43ebfd8f5015f2ac14d2743308b2991543480bc074a7360594e

SHA512
9483d5164cf608630182aed070854864dc1277d43c466c7d0a31c9a8b3e44e53184e55682068d49511b38729c3af03c10e68191ba82ea3ccd436d517b4de0bed

Download Submit
C:\Windows\{B6220EB2-9BBB-4021-81F0-1B3CA1590927}.exe

Filesize
380KB

MD5
6af80d8d89c7cd8cfac5a84619181d3a

SHA1
ab13540d197108955cc0aa5a0ed7a86d3153370b

SHA256
f6f9ef696f53d43ebfd8f5015f2ac14d2743308b2991543480bc074a7360594e

SHA512
9483d5164cf608630182aed070854864dc1277d43c466c7d0a31c9a8b3e44e53184e55682068d49511b38729c3af03c10e68191ba82ea3ccd436d517b4de0bed

Download Submit
C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe

Filesize
380KB

MD5
993ffde2ca8f4a61537c5151f9a4cb72

SHA1
08e22a59c002c72e5eb428e0fd49850af0ea2177

SHA256
4a321644032cae65a5a7a8d4c8eee3d0daac7f3972ec81c114649469990354c9

SHA512
1029483e1d4d5bd5f58c382a09ad96a6856fba7b8901bb10ffad649fa9dd87233ed6aa067c65d02cf7d7fa86770431e417059f4d3eb9d48ff34e871ac48253d9

Download Submit
C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe

Filesize
380KB

MD5
993ffde2ca8f4a61537c5151f9a4cb72

SHA1
08e22a59c002c72e5eb428e0fd49850af0ea2177

SHA256
4a321644032cae65a5a7a8d4c8eee3d0daac7f3972ec81c114649469990354c9

SHA512
1029483e1d4d5bd5f58c382a09ad96a6856fba7b8901bb10ffad649fa9dd87233ed6aa067c65d02cf7d7fa86770431e417059f4d3eb9d48ff34e871ac48253d9

Download Submit
C:\Windows\{FD642502-944A-4fe8-BFD9-81BC1F1416E7}.exe

Filesize
380KB

MD5
993ffde2ca8f4a61537c5151f9a4cb72

SHA1
08e22a59c002c72e5eb428e0fd49850af0ea2177

SHA256
4a321644032cae65a5a7a8d4c8eee3d0daac7f3972ec81c114649469990354c9

SHA512
1029483e1d4d5bd5f58c382a09ad96a6856fba7b8901bb10ffad649fa9dd87233ed6aa067c65d02cf7d7fa86770431e417059f4d3eb9d48ff34e871ac48253d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads