06a793a02a75ab8df3f792057906354d742349159b90e446aaab015d00349d1c

Analysis

max time kernel
160s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
Size

408KB
MD5

e1848fad7eb1812905eaa86d9a26c1b0
SHA1

ce08d4c556cc0a74999d7808eb045ccdb4fe71ac
SHA256

06a793a02a75ab8df3f792057906354d742349159b90e446aaab015d00349d1c
SHA512

ccffdd5bda4b6d916b142256066d2ab2e085254ed458544df3043bb2559dbf2841e5601b89e1d7438438a24cc8ab25cfd6762223437070cab17361376ecfe9e1
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGLldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1FE7816-8017-4596-86BF-CCF11FFC112D}\stubpath = "C:\\Windows\\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe"	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}\stubpath = "C:\\Windows\\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe"	{171F83D4-E538-442e-B784-C821E58C8989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}\stubpath = "C:\\Windows\\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe"	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{171F83D4-E538-442e-B784-C821E58C8989}\stubpath = "C:\\Windows\\{171F83D4-E538-442e-B784-C821E58C8989}.exe"	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EC7373-9331-4820-88D9-3234C39225C1}\stubpath = "C:\\Windows\\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe"	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D631CA1E-D76B-4f71-822C-3B46CF974F36}\stubpath = "C:\\Windows\\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe"	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0013362D-8F72-47f8-B273-59B13604B0BE}	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}\stubpath = "C:\\Windows\\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe"	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2A0407-3D77-4161-9083-55A2CB370347}\stubpath = "C:\\Windows\\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe"	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14034ABC-690E-4c56-B20E-ABBCC1608A31}	{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{171F83D4-E538-442e-B784-C821E58C8989}	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}	{171F83D4-E538-442e-B784-C821E58C8989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}\stubpath = "C:\\Windows\\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe"	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D869CDD4-CAF7-43af-A0B5-45878B097541}	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D869CDD4-CAF7-43af-A0B5-45878B097541}\stubpath = "C:\\Windows\\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe"	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D631CA1E-D76B-4f71-822C-3B46CF974F36}	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0013362D-8F72-47f8-B273-59B13604B0BE}\stubpath = "C:\\Windows\\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe"	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14034ABC-690E-4c56-B20E-ABBCC1608A31}\stubpath = "C:\\Windows\\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe"	{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1FE7816-8017-4596-86BF-CCF11FFC112D}	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EC7373-9331-4820-88D9-3234C39225C1}	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2A0407-3D77-4161-9083-55A2CB370347}	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe
3200	{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
4156	{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe	{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
File created	C:\Windows\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
File created	C:\Windows\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
File created	C:\Windows\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
File created	C:\Windows\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
File created	C:\Windows\{171F83D4-E538-442e-B784-C821E58C8989}.exe	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
File created	C:\Windows\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe	{171F83D4-E538-442e-B784-C821E58C8989}.exe
File created	C:\Windows\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
File created	C:\Windows\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
File created	C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
File created	C:\Windows\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
File created	C:\Windows\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
Token: SeIncBasePriorityPrivilege	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
Token: SeIncBasePriorityPrivilege	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
Token: SeIncBasePriorityPrivilege	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
Token: SeIncBasePriorityPrivilege	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
Token: SeIncBasePriorityPrivilege	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
Token: SeIncBasePriorityPrivilege	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
Token: SeIncBasePriorityPrivilege	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
Token: SeIncBasePriorityPrivilege	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
Token: SeIncBasePriorityPrivilege	2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe
Token: SeIncBasePriorityPrivilege	3200	{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4340	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	92
PID 2380 wrote to memory of 4340	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	92
PID 2380 wrote to memory of 4340	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	92
PID 2380 wrote to memory of 3760	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	93
PID 2380 wrote to memory of 3760	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	93
PID 2380 wrote to memory of 3760	2380	2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe	93
PID 4340 wrote to memory of 4528	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	98
PID 4340 wrote to memory of 4528	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	98
PID 4340 wrote to memory of 4528	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	98
PID 4340 wrote to memory of 2076	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	99
PID 4340 wrote to memory of 2076	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	99
PID 4340 wrote to memory of 2076	4340	{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe	99
PID 4528 wrote to memory of 5020	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	101
PID 4528 wrote to memory of 5020	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	101
PID 4528 wrote to memory of 5020	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	101
PID 4528 wrote to memory of 2092	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	100
PID 4528 wrote to memory of 2092	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	100
PID 4528 wrote to memory of 2092	4528	{C4EC7373-9331-4820-88D9-3234C39225C1}.exe	100
PID 5020 wrote to memory of 1736	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	104
PID 5020 wrote to memory of 1736	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	104
PID 5020 wrote to memory of 1736	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	104
PID 5020 wrote to memory of 3512	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	105
PID 5020 wrote to memory of 3512	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	105
PID 5020 wrote to memory of 3512	5020	{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe	105
PID 1736 wrote to memory of 3636	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	106
PID 1736 wrote to memory of 3636	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	106
PID 1736 wrote to memory of 3636	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	106
PID 1736 wrote to memory of 4280	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	107
PID 1736 wrote to memory of 4280	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	107
PID 1736 wrote to memory of 4280	1736	{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe	107
PID 3636 wrote to memory of 1744	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	108
PID 3636 wrote to memory of 1744	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	108
PID 3636 wrote to memory of 1744	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	108
PID 3636 wrote to memory of 3892	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	109
PID 3636 wrote to memory of 3892	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	109
PID 3636 wrote to memory of 3892	3636	{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe	109
PID 1744 wrote to memory of 848	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	110
PID 1744 wrote to memory of 848	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	110
PID 1744 wrote to memory of 848	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	110
PID 1744 wrote to memory of 1992	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	111
PID 1744 wrote to memory of 1992	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	111
PID 1744 wrote to memory of 1992	1744	{0013362D-8F72-47f8-B273-59B13604B0BE}.exe	111
PID 848 wrote to memory of 1224	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	112
PID 848 wrote to memory of 1224	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	112
PID 848 wrote to memory of 1224	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	112
PID 848 wrote to memory of 2756	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	113
PID 848 wrote to memory of 2756	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	113
PID 848 wrote to memory of 2756	848	{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe	113
PID 1224 wrote to memory of 1840	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	114
PID 1224 wrote to memory of 1840	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	114
PID 1224 wrote to memory of 1840	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	114
PID 1224 wrote to memory of 4192	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	115
PID 1224 wrote to memory of 4192	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	115
PID 1224 wrote to memory of 4192	1224	{CA2A0407-3D77-4161-9083-55A2CB370347}.exe	115
PID 1840 wrote to memory of 2496	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	116
PID 1840 wrote to memory of 2496	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	116
PID 1840 wrote to memory of 2496	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	116
PID 1840 wrote to memory of 944	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	117
PID 1840 wrote to memory of 944	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	117
PID 1840 wrote to memory of 944	1840	{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe	117
PID 2496 wrote to memory of 3200	2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe	118
PID 2496 wrote to memory of 3200	2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe	118
PID 2496 wrote to memory of 3200	2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe	118
PID 2496 wrote to memory of 1768	2496	{171F83D4-E538-442e-B784-C821E58C8989}.exe	119

C:\Users\Admin\AppData\Local\Temp\2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_e1848fad7eb1812905eaa86d9a26c1b0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
  C:\Windows\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
    C:\Windows\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EC7~1.EXE > nul
      4⤵
      PID:2092
  - - C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
      C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
        
        C:\Windows\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
        
        C:\Windows\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
        
        C:\Windows\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
        
        C:\Windows\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
        
        C:\Windows\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
        
        C:\Windows\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{171F83D4-E538-442e-B784-C821E58C8989}.exe
        
        C:\Windows\{171F83D4-E538-442e-B784-C821E58C8989}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
        
        C:\Windows\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe
        
        C:\Windows\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe
        13⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB16~1.EXE > nul
        13⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{171F8~1.EXE > nul
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA493~1.EXE > nul
        11⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA2A0~1.EXE > nul
        10⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC6B~1.EXE > nul
        9⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00133~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D631C~1.EXE > nul
        7⤵
        
        PID:3892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D869C~1.EXE > nul
        6⤵
        
        PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE687~1.EXE > nul
        5⤵
        
        PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FE7~1.EXE > nul
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe

Filesize
408KB

MD5
28b0047144bc3799c49a2aa463430b0c

SHA1
ad97e1709a3db1a427b7cb237dc41effb4db062c

SHA256
aee319164a97c38808a8a0ca90ab1cde979a4c95f4a7437b884ae5c66ea18e69

SHA512
1a57dec7023ba2a84f9e0f91701e17242dbdce86b71622ccb74bf9396c2099b01a789e2700feea0da2f0821fc44a44ecaa0ff740545a85b9bb50e63fc83be732

Download Submit
C:\Windows\{0013362D-8F72-47f8-B273-59B13604B0BE}.exe

Filesize
408KB

MD5
28b0047144bc3799c49a2aa463430b0c

SHA1
ad97e1709a3db1a427b7cb237dc41effb4db062c

SHA256
aee319164a97c38808a8a0ca90ab1cde979a4c95f4a7437b884ae5c66ea18e69

SHA512
1a57dec7023ba2a84f9e0f91701e17242dbdce86b71622ccb74bf9396c2099b01a789e2700feea0da2f0821fc44a44ecaa0ff740545a85b9bb50e63fc83be732

Download Submit
C:\Windows\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe

Filesize
408KB

MD5
38478729d3aa7de5d824113c7d7827d2

SHA1
7466fddd63d87408ba2a7d121413728f0eafc74f

SHA256
566ac0631b60b9a28f247de17e414b3bc2d6374beb34f58336b542e29ba7dc4b

SHA512
2b258fd65b15a924ba18b18b4b18e8b7c83513607a15c76788cc35f6092da2b21db706b5b7c55078c1a668b8fd641af6527cf1ec29f230f80dcd207421d680fb

Download Submit
C:\Windows\{14034ABC-690E-4c56-B20E-ABBCC1608A31}.exe

Filesize
408KB

MD5
38478729d3aa7de5d824113c7d7827d2

SHA1
7466fddd63d87408ba2a7d121413728f0eafc74f

SHA256
566ac0631b60b9a28f247de17e414b3bc2d6374beb34f58336b542e29ba7dc4b

SHA512
2b258fd65b15a924ba18b18b4b18e8b7c83513607a15c76788cc35f6092da2b21db706b5b7c55078c1a668b8fd641af6527cf1ec29f230f80dcd207421d680fb

Download Submit
C:\Windows\{171F83D4-E538-442e-B784-C821E58C8989}.exe

Filesize
408KB

MD5
87a46de30241b18eb9c8dbb763952b20

SHA1
ccef252b1e2446849b28d54fb9e57d88f6b53b3c

SHA256
14f69672c1996bfa9156a36da81b9e0089d1d672fe9c49b8fd58bc6c3b5215b1

SHA512
1d2d35d91c8e13f4d032c4543d4953b40eaf9fdafa4fc58d9561d01d06513182fef330d6469f68c3b3d40705544c9d970c90c438868e93473a5640e00ff0a30f

Download Submit
C:\Windows\{171F83D4-E538-442e-B784-C821E58C8989}.exe

Filesize
408KB

MD5
87a46de30241b18eb9c8dbb763952b20

SHA1
ccef252b1e2446849b28d54fb9e57d88f6b53b3c

SHA256
14f69672c1996bfa9156a36da81b9e0089d1d672fe9c49b8fd58bc6c3b5215b1

SHA512
1d2d35d91c8e13f4d032c4543d4953b40eaf9fdafa4fc58d9561d01d06513182fef330d6469f68c3b3d40705544c9d970c90c438868e93473a5640e00ff0a30f

Download Submit
C:\Windows\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe

Filesize
408KB

MD5
66b03578844ef5cca3799a123ff469fd

SHA1
591f65b3b5760870ada091b37e81b254e7d8af5f

SHA256
a28e44fbd5cc27afd254d4bc4c0ab59ffa8c16d434b8c334335042ea4e342f4c

SHA512
d59fb5c64caf3bc41cd2fed2b83a792edb6cc744aab107de56504c149bac676a0601fadf06813d6dc22c1167c59db9c8cd0da4360b86fa3bd1365268355b9862

Download Submit
C:\Windows\{4AC6BD6F-0967-4142-BD77-EA016B8A6EF1}.exe

Filesize
408KB

MD5
66b03578844ef5cca3799a123ff469fd

SHA1
591f65b3b5760870ada091b37e81b254e7d8af5f

SHA256
a28e44fbd5cc27afd254d4bc4c0ab59ffa8c16d434b8c334335042ea4e342f4c

SHA512
d59fb5c64caf3bc41cd2fed2b83a792edb6cc744aab107de56504c149bac676a0601fadf06813d6dc22c1167c59db9c8cd0da4360b86fa3bd1365268355b9862

Download Submit
C:\Windows\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe

Filesize
408KB

MD5
ea56e58322812f69888219dadc748bdd

SHA1
724bf90038d02bf7aadb7c8db53cbc4b5acd820b

SHA256
bd031f3af58e0ba59070ce9eeaf2044e924d2fe236c367c336056be9e17e6d53

SHA512
efadf8fe3c75dad9b6a233e1ff22838f2b9bd34ff5ee3d242c42799aead3969efbfd341ac6b36857defb5bf9e406540f8eddc397aebce734c70315435eb9dadc

Download Submit
C:\Windows\{7EB1665F-EA82-4e0e-8355-D97A80E9E8E9}.exe

Filesize
408KB

MD5
ea56e58322812f69888219dadc748bdd

SHA1
724bf90038d02bf7aadb7c8db53cbc4b5acd820b

SHA256
bd031f3af58e0ba59070ce9eeaf2044e924d2fe236c367c336056be9e17e6d53

SHA512
efadf8fe3c75dad9b6a233e1ff22838f2b9bd34ff5ee3d242c42799aead3969efbfd341ac6b36857defb5bf9e406540f8eddc397aebce734c70315435eb9dadc

Download Submit
C:\Windows\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe

Filesize
408KB

MD5
acd10c998efecf7d531b11cdbd4e6890

SHA1
ed24fc9a57e01068d79e1a70b8f0caaedcf504cd

SHA256
828e99e7b6ec2675e1189e3f6fc4c13658bfc4b9854594955ad2b62724442438

SHA512
182ce5d6ecf2347caa814a3f2eab59bfc6f3471d1233a9144420f434c2f5f6d252730e8ef92b5cfe6bb5db07cafedebad7d603fd187cbfe8e5fdad2a586d8aca

Download Submit
C:\Windows\{B1FE7816-8017-4596-86BF-CCF11FFC112D}.exe

Filesize
408KB

MD5
acd10c998efecf7d531b11cdbd4e6890

SHA1
ed24fc9a57e01068d79e1a70b8f0caaedcf504cd

SHA256
828e99e7b6ec2675e1189e3f6fc4c13658bfc4b9854594955ad2b62724442438

SHA512
182ce5d6ecf2347caa814a3f2eab59bfc6f3471d1233a9144420f434c2f5f6d252730e8ef92b5cfe6bb5db07cafedebad7d603fd187cbfe8e5fdad2a586d8aca

Download Submit
C:\Windows\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe

Filesize
408KB

MD5
929e86bf2d39b5d2f3f940247a14dda7

SHA1
a43c515ca6aa9cb3aed9d9ae5896aa5b2e3afd5e

SHA256
edb4c42b19d3f33e3a01e0fe510de3ebafdadc99e9241ac58263e0841a3882df

SHA512
1436c58e0f13eed19e9efca60f99db6a2c365af0e3dfd6b9d5280ac6921948b3cc4809e00042d0bbb8ec1de1280303768f344ff65bf8aa78625c70f9f130c834

Download Submit
C:\Windows\{C4EC7373-9331-4820-88D9-3234C39225C1}.exe

Filesize
408KB

MD5
929e86bf2d39b5d2f3f940247a14dda7

SHA1
a43c515ca6aa9cb3aed9d9ae5896aa5b2e3afd5e

SHA256
edb4c42b19d3f33e3a01e0fe510de3ebafdadc99e9241ac58263e0841a3882df

SHA512
1436c58e0f13eed19e9efca60f99db6a2c365af0e3dfd6b9d5280ac6921948b3cc4809e00042d0bbb8ec1de1280303768f344ff65bf8aa78625c70f9f130c834

Download Submit
C:\Windows\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe

Filesize
408KB

MD5
bdb3d312713c65d94034a91896cf2bd3

SHA1
8b509a670bc3da7fd67d5ca553eeaf40ca1657fc

SHA256
46bee0c6e4d5de76fd29f94e4d0039df4941a2bd3eb1bf5dd478c534456b4cf0

SHA512
a4891bc93ed807b11af7b9717167c99a9a222099f23a802548189380799b1caf34feead0176edc63fe336162326c986f8e1333d6434d16c6e14df7dd3a3efb9a

Download Submit
C:\Windows\{CA2A0407-3D77-4161-9083-55A2CB370347}.exe

Filesize
408KB

MD5
bdb3d312713c65d94034a91896cf2bd3

SHA1
8b509a670bc3da7fd67d5ca553eeaf40ca1657fc

SHA256
46bee0c6e4d5de76fd29f94e4d0039df4941a2bd3eb1bf5dd478c534456b4cf0

SHA512
a4891bc93ed807b11af7b9717167c99a9a222099f23a802548189380799b1caf34feead0176edc63fe336162326c986f8e1333d6434d16c6e14df7dd3a3efb9a

Download Submit
C:\Windows\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe

Filesize
408KB

MD5
4180b9467166796e1d6465a0fbad9e00

SHA1
33f16814aeec77ea69fd043eaf1ece53494c4afa

SHA256
61b8f1e1c6da3c01ef35ec132cdaf22895ff0ecbb7129b32afafea1bf25688f9

SHA512
7d0c6af87f60f2076f589d6ad3a9bd99f626620cc346bb54ccd803c219b16436a5e0d21f9761c603cca2f63e3d2063e6afc461c9d3e25886a8b253f31fa73198

Download Submit
C:\Windows\{D631CA1E-D76B-4f71-822C-3B46CF974F36}.exe

Filesize
408KB

MD5
4180b9467166796e1d6465a0fbad9e00

SHA1
33f16814aeec77ea69fd043eaf1ece53494c4afa

SHA256
61b8f1e1c6da3c01ef35ec132cdaf22895ff0ecbb7129b32afafea1bf25688f9

SHA512
7d0c6af87f60f2076f589d6ad3a9bd99f626620cc346bb54ccd803c219b16436a5e0d21f9761c603cca2f63e3d2063e6afc461c9d3e25886a8b253f31fa73198

Download Submit
C:\Windows\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe

Filesize
408KB

MD5
a8390f1b9e3c5ecfaf3ce8dd5392cd91

SHA1
7286b3a938d1296cd715e63ff4109e51aa770873

SHA256
f0a2d2df0bf1330611731782bb49c716eb5d1cb0bc33b6bfe0e32eb2b0c60aea

SHA512
68554713143ea45cc69def5a5ce739febb0f35efe65176065b910387688f64d3c5e73736932ccd4aeae0075e821204b18eb73f479aec90b6e556cdfcf7298ef1

Download Submit
C:\Windows\{D869CDD4-CAF7-43af-A0B5-45878B097541}.exe

Filesize
408KB

MD5
a8390f1b9e3c5ecfaf3ce8dd5392cd91

SHA1
7286b3a938d1296cd715e63ff4109e51aa770873

SHA256
f0a2d2df0bf1330611731782bb49c716eb5d1cb0bc33b6bfe0e32eb2b0c60aea

SHA512
68554713143ea45cc69def5a5ce739febb0f35efe65176065b910387688f64d3c5e73736932ccd4aeae0075e821204b18eb73f479aec90b6e556cdfcf7298ef1

Download Submit
C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe

Filesize
408KB

MD5
31ab47df5d9f00474df1b85467083339

SHA1
004cfcab516fcc9967777559256140ba554896d7

SHA256
99506ae330a0302b1e49f92bd04289acea2be6ac971bbe73cdfaf296c35daa63

SHA512
215f4f8ab3f152e38002307df90a06ea337abd3eb17d48b38c784356a593f70661bbf0902a7997f0724dd8ac00097ca4311ca443130fea6e43bb782d731cefad

Download Submit
C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe

Filesize
408KB

MD5
31ab47df5d9f00474df1b85467083339

SHA1
004cfcab516fcc9967777559256140ba554896d7

SHA256
99506ae330a0302b1e49f92bd04289acea2be6ac971bbe73cdfaf296c35daa63

SHA512
215f4f8ab3f152e38002307df90a06ea337abd3eb17d48b38c784356a593f70661bbf0902a7997f0724dd8ac00097ca4311ca443130fea6e43bb782d731cefad

Download Submit
C:\Windows\{EE6876CE-A7E4-4b4f-BB83-E7FC7EA5488B}.exe

Filesize
408KB

MD5
31ab47df5d9f00474df1b85467083339

SHA1
004cfcab516fcc9967777559256140ba554896d7

SHA256
99506ae330a0302b1e49f92bd04289acea2be6ac971bbe73cdfaf296c35daa63

SHA512
215f4f8ab3f152e38002307df90a06ea337abd3eb17d48b38c784356a593f70661bbf0902a7997f0724dd8ac00097ca4311ca443130fea6e43bb782d731cefad

Download Submit
C:\Windows\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe

Filesize
408KB

MD5
5f1cefe03e0683d9960a8f0e3acd59f1

SHA1
e356d82f50b6bfdde681c9a2336d06a13043b963

SHA256
95b85368dfaa9c661ff2068380967cbc49ac11dfd1c654c7171f0f0c6ddce6e4

SHA512
3cf2598f819e59a7207539f4cb88031c0fb29b59b81799aa97e36f4f96aa34fe96eae4c42e704e25ec513e307f5a7f9652983cec6e3c91fcad785a3b55d7b5ac

Download Submit
C:\Windows\{FA493E5C-06C1-4e5a-BCE1-DF5D1042636A}.exe

Filesize
408KB

MD5
5f1cefe03e0683d9960a8f0e3acd59f1

SHA1
e356d82f50b6bfdde681c9a2336d06a13043b963

SHA256
95b85368dfaa9c661ff2068380967cbc49ac11dfd1c654c7171f0f0c6ddce6e4

SHA512
3cf2598f819e59a7207539f4cb88031c0fb29b59b81799aa97e36f4f96aa34fe96eae4c42e704e25ec513e307f5a7f9652983cec6e3c91fcad785a3b55d7b5ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads