be58fd51ce1f682bc52eb7bd58a4a699212da8aa83687c149474f24b158ea303

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Size

380KB
MD5

c109bdf99dc6f488ddc1bf66f50c10d2
SHA1

33c61ceee8cb2157fa972f73ca1209952fbe9ea5
SHA256

be58fd51ce1f682bc52eb7bd58a4a699212da8aa83687c149474f24b158ea303
SHA512

1e8a151aea97905913cfc993c2d583b67083e95b995e28606b4f7d37e42a5ecae80f0ce8942aa43e059f0b5b54a29380b057ad64b4162fd909b719b2a491c519
SSDEEP

3072:mEGh0owlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027D52DF-529C-4e17-B921-19954EE078F9}\stubpath = "C:\\Windows\\{027D52DF-529C-4e17-B921-19954EE078F9}.exe"	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF0AF239-1778-451b-AADD-513F1757339F}\stubpath = "C:\\Windows\\{BF0AF239-1778-451b-AADD-513F1757339F}.exe"	{027D52DF-529C-4e17-B921-19954EE078F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{450A0918-1451-4743-8D7B-C3039022D2D1}	{BF0AF239-1778-451b-AADD-513F1757339F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}	{47C80405-9622-4602-9594-F1B3E7D72153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E2CA53-A4D7-49be-82AD-618716B9145F}\stubpath = "C:\\Windows\\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe"	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027D52DF-529C-4e17-B921-19954EE078F9}	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{450A0918-1451-4743-8D7B-C3039022D2D1}\stubpath = "C:\\Windows\\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe"	{BF0AF239-1778-451b-AADD-513F1757339F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}\stubpath = "C:\\Windows\\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe"	{47C80405-9622-4602-9594-F1B3E7D72153}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}\stubpath = "C:\\Windows\\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe"	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47C80405-9622-4602-9594-F1B3E7D72153}\stubpath = "C:\\Windows\\{47C80405-9622-4602-9594-F1B3E7D72153}.exe"	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}\stubpath = "C:\\Windows\\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe"	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}\stubpath = "C:\\Windows\\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe"	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}\stubpath = "C:\\Windows\\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe"	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E2CA53-A4D7-49be-82AD-618716B9145F}	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF0AF239-1778-451b-AADD-513F1757339F}	{027D52DF-529C-4e17-B921-19954EE078F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47C80405-9622-4602-9594-F1B3E7D72153}	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe

Executes dropped EXE 10 IoCs

pid	Process
2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe
2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe
4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe
1640	{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
File created	C:\Windows\{027D52DF-529C-4e17-B921-19954EE078F9}.exe	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
File created	C:\Windows\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	{BF0AF239-1778-451b-AADD-513F1757339F}.exe
File created	C:\Windows\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
File created	C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
File created	C:\Windows\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
File created	C:\Windows\{BF0AF239-1778-451b-AADD-513F1757339F}.exe	{027D52DF-529C-4e17-B921-19954EE078F9}.exe
File created	C:\Windows\{47C80405-9622-4602-9594-F1B3E7D72153}.exe	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
File created	C:\Windows\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe	{47C80405-9622-4602-9594-F1B3E7D72153}.exe
File created	C:\Windows\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
Token: SeIncBasePriorityPrivilege	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
Token: SeIncBasePriorityPrivilege	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
Token: SeIncBasePriorityPrivilege	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
Token: SeIncBasePriorityPrivilege	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
Token: SeIncBasePriorityPrivilege	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe
Token: SeIncBasePriorityPrivilege	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe
Token: SeIncBasePriorityPrivilege	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
Token: SeIncBasePriorityPrivilege	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2364	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	88
PID 3356 wrote to memory of 2364	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	88
PID 3356 wrote to memory of 2364	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	88
PID 3356 wrote to memory of 2028	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	90
PID 3356 wrote to memory of 2028	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	90
PID 3356 wrote to memory of 2028	3356	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	90
PID 2364 wrote to memory of 3972	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	96
PID 2364 wrote to memory of 3972	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	96
PID 2364 wrote to memory of 3972	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	96
PID 2364 wrote to memory of 2320	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	97
PID 2364 wrote to memory of 2320	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	97
PID 2364 wrote to memory of 2320	2364	{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe	97
PID 3972 wrote to memory of 3396	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	100
PID 3972 wrote to memory of 3396	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	100
PID 3972 wrote to memory of 3396	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	100
PID 3972 wrote to memory of 1252	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	101
PID 3972 wrote to memory of 1252	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	101
PID 3972 wrote to memory of 1252	3972	{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe	101
PID 3396 wrote to memory of 3336	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	102
PID 3396 wrote to memory of 3336	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	102
PID 3396 wrote to memory of 3336	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	102
PID 3396 wrote to memory of 5088	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	103
PID 3396 wrote to memory of 5088	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	103
PID 3396 wrote to memory of 5088	3396	{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe	103
PID 3336 wrote to memory of 1052	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	105
PID 3336 wrote to memory of 1052	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	105
PID 3336 wrote to memory of 1052	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	105
PID 3336 wrote to memory of 2648	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	106
PID 3336 wrote to memory of 2648	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	106
PID 3336 wrote to memory of 2648	3336	{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe	106
PID 1052 wrote to memory of 4684	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	107
PID 1052 wrote to memory of 4684	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	107
PID 1052 wrote to memory of 4684	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	107
PID 1052 wrote to memory of 4892	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	108
PID 1052 wrote to memory of 4892	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	108
PID 1052 wrote to memory of 4892	1052	{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe	108
PID 4684 wrote to memory of 2200	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	110
PID 4684 wrote to memory of 2200	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	110
PID 4684 wrote to memory of 2200	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	110
PID 4684 wrote to memory of 5080	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	111
PID 4684 wrote to memory of 5080	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	111
PID 4684 wrote to memory of 5080	4684	{027D52DF-529C-4e17-B921-19954EE078F9}.exe	111
PID 2200 wrote to memory of 4904	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	113
PID 2200 wrote to memory of 4904	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	113
PID 2200 wrote to memory of 4904	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	113
PID 2200 wrote to memory of 4624	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	114
PID 2200 wrote to memory of 4624	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	114
PID 2200 wrote to memory of 4624	2200	{BF0AF239-1778-451b-AADD-513F1757339F}.exe	114
PID 4904 wrote to memory of 4992	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	115
PID 4904 wrote to memory of 4992	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	115
PID 4904 wrote to memory of 4992	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	115
PID 4904 wrote to memory of 2256	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	116
PID 4904 wrote to memory of 2256	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	116
PID 4904 wrote to memory of 2256	4904	{450A0918-1451-4743-8D7B-C3039022D2D1}.exe	116
PID 4992 wrote to memory of 1640	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	117
PID 4992 wrote to memory of 1640	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	117
PID 4992 wrote to memory of 1640	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	117
PID 4992 wrote to memory of 4956	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	118
PID 4992 wrote to memory of 4956	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	118
PID 4992 wrote to memory of 4956	4992	{47C80405-9622-4602-9594-F1B3E7D72153}.exe	118

C:\Users\Admin\AppData\Local\Temp\2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
  C:\Windows\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
    C:\Windows\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
      C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
        
        C:\Windows\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
      - C:\Windows\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
        
        C:\Windows\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{027D52DF-529C-4e17-B921-19954EE078F9}.exe
        
        C:\Windows\{027D52DF-529C-4e17-B921-19954EE078F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{BF0AF239-1778-451b-AADD-513F1757339F}.exe
        
        C:\Windows\{BF0AF239-1778-451b-AADD-513F1757339F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
        
        C:\Windows\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{47C80405-9622-4602-9594-F1B3E7D72153}.exe
        
        C:\Windows\{47C80405-9622-4602-9594-F1B3E7D72153}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe
        
        C:\Windows\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe
        11⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47C80~1.EXE > nul
        11⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{450A0~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF0AF~1.EXE > nul
        9⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{027D5~1.EXE > nul
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5E2C~1.EXE > nul
        7⤵
        
        PID:4892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEEA8~1.EXE > nul
        6⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F09~1.EXE > nul
        5⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A65BB~1.EXE > nul
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1CBF~1.EXE > nul
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{027D52DF-529C-4e17-B921-19954EE078F9}.exe

Filesize
380KB

MD5
6898041ff7984ffefc0809212d1ecc85

SHA1
9295fc62f7b7643f20e29c94269e29b35885ad2c

SHA256
ff3e1864d0f9fb9ac56e59d5e6d2922a9f2e0e891918260ddbb0c44a484e1cb9

SHA512
3f471fa1dbb8e11f93c8dfe891e2fefa80ade2bb2b600d161effb395ad7975ce72a85fa8cfc2a1c4b5c415200cc3bd54b696f7eddb2e9160cb75ec5fe8b2b4af

Download Submit
C:\Windows\{027D52DF-529C-4e17-B921-19954EE078F9}.exe

Filesize
380KB

MD5
6898041ff7984ffefc0809212d1ecc85

SHA1
9295fc62f7b7643f20e29c94269e29b35885ad2c

SHA256
ff3e1864d0f9fb9ac56e59d5e6d2922a9f2e0e891918260ddbb0c44a484e1cb9

SHA512
3f471fa1dbb8e11f93c8dfe891e2fefa80ade2bb2b600d161effb395ad7975ce72a85fa8cfc2a1c4b5c415200cc3bd54b696f7eddb2e9160cb75ec5fe8b2b4af

Download Submit
C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe

Filesize
380KB

MD5
3c6ab93737620fd1cf87e1be3d47e9f7

SHA1
21785313c387e86e6ff6343bd6bcb827e2c7dfdb

SHA256
c457540bcc738f692ba9da4536cb401f5170f99449c47bb232e5f14fcb2759ac

SHA512
cd917537322634df21cf85e6d9a0224ae2e11246de8551514fc91ddf702bedb58cd5753e6cdfca7f772314283bf97b559a385277e2b9e4ce6f4d7b19604e08cd

Download Submit
C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe

Filesize
380KB

MD5
3c6ab93737620fd1cf87e1be3d47e9f7

SHA1
21785313c387e86e6ff6343bd6bcb827e2c7dfdb

SHA256
c457540bcc738f692ba9da4536cb401f5170f99449c47bb232e5f14fcb2759ac

SHA512
cd917537322634df21cf85e6d9a0224ae2e11246de8551514fc91ddf702bedb58cd5753e6cdfca7f772314283bf97b559a385277e2b9e4ce6f4d7b19604e08cd

Download Submit
C:\Windows\{18F0984D-3F7B-48fa-A02A-C34AA28974D2}.exe

Filesize
380KB

MD5
3c6ab93737620fd1cf87e1be3d47e9f7

SHA1
21785313c387e86e6ff6343bd6bcb827e2c7dfdb

SHA256
c457540bcc738f692ba9da4536cb401f5170f99449c47bb232e5f14fcb2759ac

SHA512
cd917537322634df21cf85e6d9a0224ae2e11246de8551514fc91ddf702bedb58cd5753e6cdfca7f772314283bf97b559a385277e2b9e4ce6f4d7b19604e08cd

Download Submit
C:\Windows\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe

Filesize
380KB

MD5
1d23c47f90ea5882b4f68d041483e99a

SHA1
3abfcb36e326437b7821d9864aca41696de6bdc1

SHA256
935ff9c72ef68d11a55a77e9737ed84d263f095e5d48cd55a25422fa4b098ee8

SHA512
c68c57b3a0ca034704bcb275d444cd49cf02fa21bfbaa882ba0ece85ecb3e1442ad7049f6061b614b50a3c57416bb3ed0554fba03b6a8c2ca0faec6f572055ba

Download Submit
C:\Windows\{450A0918-1451-4743-8D7B-C3039022D2D1}.exe

Filesize
380KB

MD5
1d23c47f90ea5882b4f68d041483e99a

SHA1
3abfcb36e326437b7821d9864aca41696de6bdc1

SHA256
935ff9c72ef68d11a55a77e9737ed84d263f095e5d48cd55a25422fa4b098ee8

SHA512
c68c57b3a0ca034704bcb275d444cd49cf02fa21bfbaa882ba0ece85ecb3e1442ad7049f6061b614b50a3c57416bb3ed0554fba03b6a8c2ca0faec6f572055ba

Download Submit
C:\Windows\{47C80405-9622-4602-9594-F1B3E7D72153}.exe

Filesize
380KB

MD5
560d5475457ab59174cf404d9442662a

SHA1
ce4eaa7b76db259c195a77670e136a580df05309

SHA256
1967887dd06f4e2cc2894ec6b03dc3718bffdcd7c0b65d2ae9c882310a83b9bb

SHA512
6b68c0307f75aae515daed65edbe93953dd4a23d1733c9deb2f49df416fa86bd45939aa14e654cc121cc129a9feb40ef9d63235a08e82a83aa672b76b3adce34

Download Submit
C:\Windows\{47C80405-9622-4602-9594-F1B3E7D72153}.exe

Filesize
380KB

MD5
560d5475457ab59174cf404d9442662a

SHA1
ce4eaa7b76db259c195a77670e136a580df05309

SHA256
1967887dd06f4e2cc2894ec6b03dc3718bffdcd7c0b65d2ae9c882310a83b9bb

SHA512
6b68c0307f75aae515daed65edbe93953dd4a23d1733c9deb2f49df416fa86bd45939aa14e654cc121cc129a9feb40ef9d63235a08e82a83aa672b76b3adce34

Download Submit
C:\Windows\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe

Filesize
380KB

MD5
811a6cd33c515c5bff648f80cc942889

SHA1
f5cc595605865e614e20f381513f0427424027f7

SHA256
99155f1869ce3119718a2b054096825ae45d5be94d1bc865fd4ff7db727a746b

SHA512
96f72e03e4aed066bb972e3a5c7c717557ed730dc935512b84eb1213c7ca45428cf45e285deadf2d512ddf59830bbc4592ac0b5e0e0fc4e2d415736249e83d4a

Download Submit
C:\Windows\{A65BBAE9-49A1-41a9-9092-ADD45989CABD}.exe

Filesize
380KB

MD5
811a6cd33c515c5bff648f80cc942889

SHA1
f5cc595605865e614e20f381513f0427424027f7

SHA256
99155f1869ce3119718a2b054096825ae45d5be94d1bc865fd4ff7db727a746b

SHA512
96f72e03e4aed066bb972e3a5c7c717557ed730dc935512b84eb1213c7ca45428cf45e285deadf2d512ddf59830bbc4592ac0b5e0e0fc4e2d415736249e83d4a

Download Submit
C:\Windows\{BF0AF239-1778-451b-AADD-513F1757339F}.exe

Filesize
380KB

MD5
981f9cd270ec31d53c615630895d090b

SHA1
347a2f694c5de253e9ed5ab172c3adb401737f30

SHA256
54bda56fc32a80ec4fde77c54c0d1828746e556250eff4101e4514b6499ff757

SHA512
06c9d3fed799cd3048b5de9b3d69bc5b62e8fc2bf7ec33039d9efc99a4c6428722e017b5569d20b0e086341ad0a2fb4b90d0e45bfbcb3039a2888ccd0e9545d4

Download Submit
C:\Windows\{BF0AF239-1778-451b-AADD-513F1757339F}.exe

Filesize
380KB

MD5
981f9cd270ec31d53c615630895d090b

SHA1
347a2f694c5de253e9ed5ab172c3adb401737f30

SHA256
54bda56fc32a80ec4fde77c54c0d1828746e556250eff4101e4514b6499ff757

SHA512
06c9d3fed799cd3048b5de9b3d69bc5b62e8fc2bf7ec33039d9efc99a4c6428722e017b5569d20b0e086341ad0a2fb4b90d0e45bfbcb3039a2888ccd0e9545d4

Download Submit
C:\Windows\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe

Filesize
380KB

MD5
6b6ca3981a6c0c169e2ae0f80e5d6f72

SHA1
539aa4e07760e08e6bcee670d7af59fa503faf54

SHA256
3e2c684d16a2ac9ff5f316cec1ef2cef1d11911001807ef7e6525ba7d8f1bc65

SHA512
a5c805b3904110c742aa9de12736dc2796e8672e68b3e1609895024c2a278776fd3422ec8977b00b3f3223052ddbcfbd3880d84773062bdc8ceb1979e8cd5800

Download Submit
C:\Windows\{C4E4910E-9A06-4d3f-905D-1FBB2EEDE50C}.exe

Filesize
380KB

MD5
6b6ca3981a6c0c169e2ae0f80e5d6f72

SHA1
539aa4e07760e08e6bcee670d7af59fa503faf54

SHA256
3e2c684d16a2ac9ff5f316cec1ef2cef1d11911001807ef7e6525ba7d8f1bc65

SHA512
a5c805b3904110c742aa9de12736dc2796e8672e68b3e1609895024c2a278776fd3422ec8977b00b3f3223052ddbcfbd3880d84773062bdc8ceb1979e8cd5800

Download Submit
C:\Windows\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe

Filesize
380KB

MD5
fcd96e67cbd1e532c9efcdace5a04624

SHA1
7ab92779d3f360a3319b270ff8bd51cd6d7822c8

SHA256
331b92ee2f7f81d6ac4950dacfd4ff4f9642d4b236b571e9305e08e5365e8b32

SHA512
db43e53d70001154076212f08e211e1bd8d19e621e6be30c66e8294267e4de6e7231c99fdd38e88bff937a49c6c3976dbc1f59e0a4ae21e9d1f53e17697581ed

Download Submit
C:\Windows\{C5E2CA53-A4D7-49be-82AD-618716B9145F}.exe

Filesize
380KB

MD5
fcd96e67cbd1e532c9efcdace5a04624

SHA1
7ab92779d3f360a3319b270ff8bd51cd6d7822c8

SHA256
331b92ee2f7f81d6ac4950dacfd4ff4f9642d4b236b571e9305e08e5365e8b32

SHA512
db43e53d70001154076212f08e211e1bd8d19e621e6be30c66e8294267e4de6e7231c99fdd38e88bff937a49c6c3976dbc1f59e0a4ae21e9d1f53e17697581ed

Download Submit
C:\Windows\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe

Filesize
380KB

MD5
e0ed39fb0ce22f70ff91e04edead5217

SHA1
e7081a5d733913484799b42f6f525fd13f7848a6

SHA256
f05c9ec20f3edacc50d0f3bae2ffdd6941048b2aadbf85aadd1614c4e112baa5

SHA512
bd9c18a470294953ae1d1bf90645a409913b6111f446a0f572fc5b1675a7ba752fa4c411d14bf5f58f162b56b0ac4c99f8d03350eab38f39b01b725eb7762a6b

Download Submit
C:\Windows\{F1CBF642-277F-4a62-B05F-DD761F03B4E7}.exe

Filesize
380KB

MD5
e0ed39fb0ce22f70ff91e04edead5217

SHA1
e7081a5d733913484799b42f6f525fd13f7848a6

SHA256
f05c9ec20f3edacc50d0f3bae2ffdd6941048b2aadbf85aadd1614c4e112baa5

SHA512
bd9c18a470294953ae1d1bf90645a409913b6111f446a0f572fc5b1675a7ba752fa4c411d14bf5f58f162b56b0ac4c99f8d03350eab38f39b01b725eb7762a6b

Download Submit
C:\Windows\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe

Filesize
380KB

MD5
77eb0429689f0c2943a12304dccde673

SHA1
b49130bc65c7e594f4c297a3392b73ed439142ae

SHA256
cf09e61be2c1338d3a239f070525fc9d26c1f0758a751204843aad6e1d03be2a

SHA512
e430f87111d206325c6f72a03ff2cb902894b7d7b0fff95ce0cc0554b989cab96db8252e2d172f7bb56e25e0361a25305ec8a6214574c4274850b5e4608b2090

Download Submit
C:\Windows\{FEEA8725-CDD0-4ebe-ACB5-6F2A2E370142}.exe

Filesize
380KB

MD5
77eb0429689f0c2943a12304dccde673

SHA1
b49130bc65c7e594f4c297a3392b73ed439142ae

SHA256
cf09e61be2c1338d3a239f070525fc9d26c1f0758a751204843aad6e1d03be2a

SHA512
e430f87111d206325c6f72a03ff2cb902894b7d7b0fff95ce0cc0554b989cab96db8252e2d172f7bb56e25e0361a25305ec8a6214574c4274850b5e4608b2090

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads