d29010b901492df29eb67d5518e42cf63e4d2133ceb03e6930b85698e5ebbaaa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 10:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
Size

380KB
MD5

a4fc9286743c9e59ace1cfccc9b751d8
SHA1

9a1e4f68fd379bf3ed2945fbf934e190156ebbec
SHA256

d29010b901492df29eb67d5518e42cf63e4d2133ceb03e6930b85698e5ebbaaa
SHA512

79db87365485420110e9ab3dc3f6a1ef04214d9f9774d58a9679bf5f748a3eb6ebc61165ab1efe032e5030d93440349f50ef88492eaa97c81d442b765cdfad19
SSDEEP

3072:mEGh0otlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGjl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}\stubpath = "C:\\Windows\\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe"	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}\stubpath = "C:\\Windows\\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe"	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7C0643-392D-41a3-832F-055A9537EA89}	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7C0643-392D-41a3-832F-055A9537EA89}\stubpath = "C:\\Windows\\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe"	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49160C37-81F7-42ab-B45D-54A2AD745BD0}\stubpath = "C:\\Windows\\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe"	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA6A62B-334D-473b-A944-994AAB2C90DA}\stubpath = "C:\\Windows\\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe"	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD520792-DD4D-4773-9D79-5A12B408DA66}\stubpath = "C:\\Windows\\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe"	{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F036D8-268B-4163-BB16-81449EBEE80D}\stubpath = "C:\\Windows\\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe"	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}\stubpath = "C:\\Windows\\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe"	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C07A121-61C8-453d-BFE5-AB062ED44A31}	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}\stubpath = "C:\\Windows\\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe"	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}\stubpath = "C:\\Windows\\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe"	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F036D8-268B-4163-BB16-81449EBEE80D}	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD520792-DD4D-4773-9D79-5A12B408DA66}	{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49160C37-81F7-42ab-B45D-54A2AD745BD0}	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA6A62B-334D-473b-A944-994AAB2C90DA}	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C07A121-61C8-453d-BFE5-AB062ED44A31}\stubpath = "C:\\Windows\\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe"	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}\stubpath = "C:\\Windows\\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe"	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
2252	{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
3180	{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
File created	C:\Windows\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
File created	C:\Windows\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
File created	C:\Windows\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
File created	C:\Windows\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
File created	C:\Windows\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
File created	C:\Windows\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
File created	C:\Windows\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
File created	C:\Windows\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe	{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
File created	C:\Windows\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
File created	C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
File created	C:\Windows\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
Token: SeIncBasePriorityPrivilege	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
Token: SeIncBasePriorityPrivilege	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
Token: SeIncBasePriorityPrivilege	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
Token: SeIncBasePriorityPrivilege	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
Token: SeIncBasePriorityPrivilege	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
Token: SeIncBasePriorityPrivilege	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
Token: SeIncBasePriorityPrivilege	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
Token: SeIncBasePriorityPrivilege	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
Token: SeIncBasePriorityPrivilege	4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
Token: SeIncBasePriorityPrivilege	2252	{2D7C0643-392D-41a3-832F-055A9537EA89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4460	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	95
PID 404 wrote to memory of 4460	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	95
PID 404 wrote to memory of 4460	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	95
PID 404 wrote to memory of 1164	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	96
PID 404 wrote to memory of 1164	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	96
PID 404 wrote to memory of 1164	404	2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe	96
PID 4460 wrote to memory of 1848	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	97
PID 4460 wrote to memory of 1848	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	97
PID 4460 wrote to memory of 1848	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	97
PID 4460 wrote to memory of 1936	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	98
PID 4460 wrote to memory of 1936	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	98
PID 4460 wrote to memory of 1936	4460	{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe	98
PID 1848 wrote to memory of 2744	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	102
PID 1848 wrote to memory of 2744	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	102
PID 1848 wrote to memory of 2744	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	102
PID 1848 wrote to memory of 2612	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	101
PID 1848 wrote to memory of 2612	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	101
PID 1848 wrote to memory of 2612	1848	{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe	101
PID 2744 wrote to memory of 4644	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	103
PID 2744 wrote to memory of 4644	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	103
PID 2744 wrote to memory of 4644	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	103
PID 2744 wrote to memory of 3688	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	104
PID 2744 wrote to memory of 3688	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	104
PID 2744 wrote to memory of 3688	2744	{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe	104
PID 4644 wrote to memory of 4768	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	106
PID 4644 wrote to memory of 4768	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	106
PID 4644 wrote to memory of 4768	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	106
PID 4644 wrote to memory of 1604	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	105
PID 4644 wrote to memory of 1604	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	105
PID 4644 wrote to memory of 1604	4644	{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe	105
PID 4768 wrote to memory of 2932	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	108
PID 4768 wrote to memory of 2932	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	108
PID 4768 wrote to memory of 2932	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	108
PID 4768 wrote to memory of 4304	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	109
PID 4768 wrote to memory of 4304	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	109
PID 4768 wrote to memory of 4304	4768	{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe	109
PID 2932 wrote to memory of 4720	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	110
PID 2932 wrote to memory of 4720	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	110
PID 2932 wrote to memory of 4720	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	110
PID 2932 wrote to memory of 4224	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	111
PID 2932 wrote to memory of 4224	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	111
PID 2932 wrote to memory of 4224	2932	{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe	111
PID 4720 wrote to memory of 3488	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	112
PID 4720 wrote to memory of 3488	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	112
PID 4720 wrote to memory of 3488	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	112
PID 4720 wrote to memory of 4672	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	113
PID 4720 wrote to memory of 4672	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	113
PID 4720 wrote to memory of 4672	4720	{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe	113
PID 3488 wrote to memory of 4592	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	116
PID 3488 wrote to memory of 4592	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	116
PID 3488 wrote to memory of 4592	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	116
PID 3488 wrote to memory of 3736	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	117
PID 3488 wrote to memory of 3736	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	117
PID 3488 wrote to memory of 3736	3488	{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe	117
PID 4592 wrote to memory of 4784	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	120
PID 4592 wrote to memory of 4784	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	120
PID 4592 wrote to memory of 4784	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	120
PID 4592 wrote to memory of 4656	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	121
PID 4592 wrote to memory of 4656	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	121
PID 4592 wrote to memory of 4656	4592	{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe	121
PID 4784 wrote to memory of 2252	4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe	124
PID 4784 wrote to memory of 2252	4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe	124
PID 4784 wrote to memory of 2252	4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe	124
PID 4784 wrote to memory of 700	4784	{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe	125

C:\Users\Admin\AppData\Local\Temp\2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_a4fc9286743c9e59ace1cfccc9b751d8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
  C:\Windows\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
    C:\Windows\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49160~1.EXE > nul
      4⤵
      PID:2612
  - - C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
      C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
        
        C:\Windows\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C07A~1.EXE > nul
        6⤵
        
        PID:1604
      - C:\Windows\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
        
        C:\Windows\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
        
        C:\Windows\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
        
        C:\Windows\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
        
        C:\Windows\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
        
        C:\Windows\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
        
        C:\Windows\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
        
        C:\Windows\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe
        
        C:\Windows\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe
        13⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D7C0~1.EXE > nul
        13⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F40B4~1.EXE > nul
        12⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F03~1.EXE > nul
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32D97~1.EXE > nul
        10⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DCF~1.EXE > nul
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E86~1.EXE > nul
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707DD~1.EXE > nul
        7⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA6A~1.EXE > nul
        5⤵
        
        PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32EA3~1.EXE > nul
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe

Filesize
380KB

MD5
ef87a7ca274d8a2e1d69ef71fd32d859

SHA1
42d947003a5410790cbfe76f3ff4d6feeac8cf6b

SHA256
b234e71cc12b4eda8dabb8b914e9623627de793c70f5abcb38d2f7073ea6fafe

SHA512
11ea855d663dbe2df18a927a72e20c6a91649a279c8f69b645c3c10c688f97afcb43545372f142218633dd2077852cb10b876d45b10f771e09f2b90ef2fafc0f

Download Submit
C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe

Filesize
380KB

MD5
ef87a7ca274d8a2e1d69ef71fd32d859

SHA1
42d947003a5410790cbfe76f3ff4d6feeac8cf6b

SHA256
b234e71cc12b4eda8dabb8b914e9623627de793c70f5abcb38d2f7073ea6fafe

SHA512
11ea855d663dbe2df18a927a72e20c6a91649a279c8f69b645c3c10c688f97afcb43545372f142218633dd2077852cb10b876d45b10f771e09f2b90ef2fafc0f

Download Submit
C:\Windows\{0DA6A62B-334D-473b-A944-994AAB2C90DA}.exe

Filesize
380KB

MD5
ef87a7ca274d8a2e1d69ef71fd32d859

SHA1
42d947003a5410790cbfe76f3ff4d6feeac8cf6b

SHA256
b234e71cc12b4eda8dabb8b914e9623627de793c70f5abcb38d2f7073ea6fafe

SHA512
11ea855d663dbe2df18a927a72e20c6a91649a279c8f69b645c3c10c688f97afcb43545372f142218633dd2077852cb10b876d45b10f771e09f2b90ef2fafc0f

Download Submit
C:\Windows\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe

Filesize
380KB

MD5
ecf162b57ff82a5545d83c72603633c0

SHA1
b14ac914f21051685db40b829fe0a628c7093173

SHA256
6c03b8ede0e881fdc6f9e3beb054a446ab75d2a933fabe0f9413c630b6edaa3b

SHA512
3d234af1b9e085195d0e43fd9b0290fa8b9d1b5071984aaa5947eea388686fac1da99f707b69e102147c2acdff36cad7757499e694665ef7fab31c4e051f0c4f

Download Submit
C:\Windows\{13E86BF5-6370-4824-A3E2-B75DFF27C5B2}.exe

Filesize
380KB

MD5
ecf162b57ff82a5545d83c72603633c0

SHA1
b14ac914f21051685db40b829fe0a628c7093173

SHA256
6c03b8ede0e881fdc6f9e3beb054a446ab75d2a933fabe0f9413c630b6edaa3b

SHA512
3d234af1b9e085195d0e43fd9b0290fa8b9d1b5071984aaa5947eea388686fac1da99f707b69e102147c2acdff36cad7757499e694665ef7fab31c4e051f0c4f

Download Submit
C:\Windows\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe

Filesize
380KB

MD5
1bc38727d31b608f3fe9a5b704985433

SHA1
af2093eba8bc44399a0b729f4c8d37e23a453db4

SHA256
11223210cdb5123515c337a73128c0780306bc0cb81a2dff131a5e13a6a7e90c

SHA512
55c13d657e4f97b25ea35a2accce2b35f128e872fea3ea4785f2b496f406c191216d85b33ec993fb4ece1a635de985a304545c3e5492e505d9d311e9c945da9c

Download Submit
C:\Windows\{1C07A121-61C8-453d-BFE5-AB062ED44A31}.exe

Filesize
380KB

MD5
1bc38727d31b608f3fe9a5b704985433

SHA1
af2093eba8bc44399a0b729f4c8d37e23a453db4

SHA256
11223210cdb5123515c337a73128c0780306bc0cb81a2dff131a5e13a6a7e90c

SHA512
55c13d657e4f97b25ea35a2accce2b35f128e872fea3ea4785f2b496f406c191216d85b33ec993fb4ece1a635de985a304545c3e5492e505d9d311e9c945da9c

Download Submit
C:\Windows\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe

Filesize
380KB

MD5
3796e5d0f21756cf80c13e7ae5c0546e

SHA1
c1aefb8274b68f14e0f33b942f049f0ffa46dab0

SHA256
4a29fcb96f8c70256e685296189bf2f5d1db207b17736b8da899b0f5e36877b3

SHA512
c963c787537c98e827133ff30d36398c1f30ceda2607071363737e04e03c9903ef940532be73e8e3c74cbf0b65d5c1949ffebce600d07fd11dc00fb1653871fa

Download Submit
C:\Windows\{2D7C0643-392D-41a3-832F-055A9537EA89}.exe

Filesize
380KB

MD5
3796e5d0f21756cf80c13e7ae5c0546e

SHA1
c1aefb8274b68f14e0f33b942f049f0ffa46dab0

SHA256
4a29fcb96f8c70256e685296189bf2f5d1db207b17736b8da899b0f5e36877b3

SHA512
c963c787537c98e827133ff30d36398c1f30ceda2607071363737e04e03c9903ef940532be73e8e3c74cbf0b65d5c1949ffebce600d07fd11dc00fb1653871fa

Download Submit
C:\Windows\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe

Filesize
380KB

MD5
dc008e0d5564b2259fa43da488dd3c3b

SHA1
10ddd9c20bd624ff5df7a9beaa5e7000ece21356

SHA256
8d3399b479568dfdc8a14341022417d375a3b2b1167a77a7b72fc311a69ecf74

SHA512
3f370a3408a9584eb8035cbfb541d83549bf25bc048640398256d2401715ecf811603cdf50e811c0334e5467653249bf7126f198dd491a0d3069cc019a4020ad

Download Submit
C:\Windows\{32D97FC4-CB73-4f47-9ABB-3437EFBC9952}.exe

Filesize
380KB

MD5
dc008e0d5564b2259fa43da488dd3c3b

SHA1
10ddd9c20bd624ff5df7a9beaa5e7000ece21356

SHA256
8d3399b479568dfdc8a14341022417d375a3b2b1167a77a7b72fc311a69ecf74

SHA512
3f370a3408a9584eb8035cbfb541d83549bf25bc048640398256d2401715ecf811603cdf50e811c0334e5467653249bf7126f198dd491a0d3069cc019a4020ad

Download Submit
C:\Windows\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe

Filesize
380KB

MD5
73b748ea32ce9cda22715ef610485142

SHA1
c5e7b088e5c9d9794a9a5ba3f4bf3696c6baa3e6

SHA256
243cb34cc8cfa407cb88abb6e5e98c7cbfa5c0320daed02d0fc66dad2ab9fb41

SHA512
bafa9378dc789f468898cc5aa2f2c4f598124ba6c07dc67287c8016ece2e939143a6c3e20088d23cb8849e3a71d818b910563c2d0c362464ee0bf70fdef36fe7

Download Submit
C:\Windows\{32EA38C1-BA15-4074-A33E-6B28572DFEC9}.exe

Filesize
380KB

MD5
73b748ea32ce9cda22715ef610485142

SHA1
c5e7b088e5c9d9794a9a5ba3f4bf3696c6baa3e6

SHA256
243cb34cc8cfa407cb88abb6e5e98c7cbfa5c0320daed02d0fc66dad2ab9fb41

SHA512
bafa9378dc789f468898cc5aa2f2c4f598124ba6c07dc67287c8016ece2e939143a6c3e20088d23cb8849e3a71d818b910563c2d0c362464ee0bf70fdef36fe7

Download Submit
C:\Windows\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe

Filesize
380KB

MD5
e0a870d2b097b61acae83e43259c350f

SHA1
4a9db4304a97ce4eaa0be647f5f1f71da0e6329b

SHA256
b715ec4c51ecfd7219bc4fee36717e777c8df866ec5f36d347e03ae6fd61d28f

SHA512
02125ac34a2a171eb15f43df7be975bda83a6dcb7bf42cd16ce3c6ea91aeb64ac242261f999d78fd64902094396398dda626d6dbc3865cfddd9e78c5e3916d92

Download Submit
C:\Windows\{49160C37-81F7-42ab-B45D-54A2AD745BD0}.exe

Filesize
380KB

MD5
e0a870d2b097b61acae83e43259c350f

SHA1
4a9db4304a97ce4eaa0be647f5f1f71da0e6329b

SHA256
b715ec4c51ecfd7219bc4fee36717e777c8df866ec5f36d347e03ae6fd61d28f

SHA512
02125ac34a2a171eb15f43df7be975bda83a6dcb7bf42cd16ce3c6ea91aeb64ac242261f999d78fd64902094396398dda626d6dbc3865cfddd9e78c5e3916d92

Download Submit
C:\Windows\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe

Filesize
380KB

MD5
74a5131585e0a1848686f84bb4f68452

SHA1
23473739d4fe359e53dbf331fbd96a78799633d9

SHA256
21250404f080626eeb3c088622c17b4a834f668c796ae6fccfeabd82eed4626e

SHA512
de5dfcc66d9bf7fcc7a51174136b74adb3c1a0bfe56aa9f87628041816843bd4de881bb7c014b3aeaa72dbad45afc0a3b5bc71013b0727b13364be6292974524

Download Submit
C:\Windows\{707DD75F-C184-4fa0-BAB3-9FBF263EE352}.exe

Filesize
380KB

MD5
74a5131585e0a1848686f84bb4f68452

SHA1
23473739d4fe359e53dbf331fbd96a78799633d9

SHA256
21250404f080626eeb3c088622c17b4a834f668c796ae6fccfeabd82eed4626e

SHA512
de5dfcc66d9bf7fcc7a51174136b74adb3c1a0bfe56aa9f87628041816843bd4de881bb7c014b3aeaa72dbad45afc0a3b5bc71013b0727b13364be6292974524

Download Submit
C:\Windows\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe

Filesize
380KB

MD5
101f032fc767f4d2f2ea54f4bf71701b

SHA1
834c77842e906561268a1927531ba90c1347081d

SHA256
bfb063fcc2ae64c3b3de6cc240e25cb70d8171aa3ddf0b41d19b99bda3ed037b

SHA512
21851295710f01a0c341c066e01b2f1df79dd2e29dc5f5eed84b15351d133fd8b5cfb39b5bcd6e75aad21e3972a56da9e2edc1ddc88fd11a7b0ef572cc0f64ca

Download Submit
C:\Windows\{B5DCFEC2-134C-43ad-99FC-224FFB3256A8}.exe

Filesize
380KB

MD5
101f032fc767f4d2f2ea54f4bf71701b

SHA1
834c77842e906561268a1927531ba90c1347081d

SHA256
bfb063fcc2ae64c3b3de6cc240e25cb70d8171aa3ddf0b41d19b99bda3ed037b

SHA512
21851295710f01a0c341c066e01b2f1df79dd2e29dc5f5eed84b15351d133fd8b5cfb39b5bcd6e75aad21e3972a56da9e2edc1ddc88fd11a7b0ef572cc0f64ca

Download Submit
C:\Windows\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe

Filesize
380KB

MD5
e7dd37cedff2d4d5afb69027852fb41d

SHA1
83d24cf51f33fa5990fb61a22ddf1f180cd82e20

SHA256
f5fb077b92354ee86e7c0ad4916537f00f621cbe361e8c6181f913e1dd891ff9

SHA512
7520838502057321c4bf7d1eec00dfd30f2b8ef22da7cb711db522d5bfb4c0a67acf55139fc43c3203427f588c54ce7a1584b16527e9e20f4c6f515899b4201a

Download Submit
C:\Windows\{BD520792-DD4D-4773-9D79-5A12B408DA66}.exe

Filesize
380KB

MD5
e7dd37cedff2d4d5afb69027852fb41d

SHA1
83d24cf51f33fa5990fb61a22ddf1f180cd82e20

SHA256
f5fb077b92354ee86e7c0ad4916537f00f621cbe361e8c6181f913e1dd891ff9

SHA512
7520838502057321c4bf7d1eec00dfd30f2b8ef22da7cb711db522d5bfb4c0a67acf55139fc43c3203427f588c54ce7a1584b16527e9e20f4c6f515899b4201a

Download Submit
C:\Windows\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe

Filesize
380KB

MD5
ddf7b4338ee3d3be5f0c6cf93e6c2e38

SHA1
92605ba6dc5feb6a92b3073932b7506c8205e513

SHA256
57c353512569b0965cf42edfa4808f095191d90802d7860f940b1db793a5e7cc

SHA512
84e32cf2c7c7b6e1c602ee8ded43eb559194edc90347a7b004282d27a7fe5a0a902df310f255586fc87004e5a7b74c68f838d13056a6fc5929c6192b8dab8f35

Download Submit
C:\Windows\{C9F036D8-268B-4163-BB16-81449EBEE80D}.exe

Filesize
380KB

MD5
ddf7b4338ee3d3be5f0c6cf93e6c2e38

SHA1
92605ba6dc5feb6a92b3073932b7506c8205e513

SHA256
57c353512569b0965cf42edfa4808f095191d90802d7860f940b1db793a5e7cc

SHA512
84e32cf2c7c7b6e1c602ee8ded43eb559194edc90347a7b004282d27a7fe5a0a902df310f255586fc87004e5a7b74c68f838d13056a6fc5929c6192b8dab8f35

Download Submit
C:\Windows\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe

Filesize
380KB

MD5
d65e8ee3f8c5010e41bf85d24ecb1791

SHA1
cf3603fdadca82219dd02a98a7298c59016c04fa

SHA256
5d80ed176b2fa764fb9e9f92cf4d11e0844a58f2e92730b4ec68bcf95ba2d694

SHA512
6f93132797c3e7ebd0e14e60c1494becde98992bc510473f045a983e9357856cd02938722ddebf8f8dff0e12bfa649db5d86f77ee08a2876bf55c33c0415a35b

Download Submit
C:\Windows\{F40B4DB5-973C-4c7d-AF92-CC59580DA61A}.exe

Filesize
380KB

MD5
d65e8ee3f8c5010e41bf85d24ecb1791

SHA1
cf3603fdadca82219dd02a98a7298c59016c04fa

SHA256
5d80ed176b2fa764fb9e9f92cf4d11e0844a58f2e92730b4ec68bcf95ba2d694

SHA512
6f93132797c3e7ebd0e14e60c1494becde98992bc510473f045a983e9357856cd02938722ddebf8f8dff0e12bfa649db5d86f77ee08a2876bf55c33c0415a35b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads