d842f44ee3bd216677452d5b6cf7ea5e474606ab0e078d7da7b81224beb89452

Analysis

max time kernel
185s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Size

372KB
MD5

8196297da593e9dfea891011b6ea9938
SHA1

92dfdc15952dc57818c4aa938535acb5213560b6
SHA256

d842f44ee3bd216677452d5b6cf7ea5e474606ab0e078d7da7b81224beb89452
SHA512

327515cebcbb23801befe41368bb5c6221cd2298d91d83db16ee46235d8b28d1daf74de897d2957f4e726a38f604dba182b50f40ca7eb3cc96de663e58a87265
SSDEEP

3072:CEGh0oTlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGZlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}\stubpath = "C:\\Windows\\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe"	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}\stubpath = "C:\\Windows\\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe"	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C73A55-FD50-418a-B9AD-A92688029FF5}	{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24106A0-F072-478f-9026-18DF2068C333}\stubpath = "C:\\Windows\\{B24106A0-F072-478f-9026-18DF2068C333}.exe"	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D6BAE8-6BB0-4310-889F-7850F959228B}	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B24106A0-F072-478f-9026-18DF2068C333}	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}	{B24106A0-F072-478f-9026-18DF2068C333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D6BAE8-6BB0-4310-889F-7850F959228B}\stubpath = "C:\\Windows\\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe"	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9202308-58BE-4577-B257-BDB075ECAAE1}\stubpath = "C:\\Windows\\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe"	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C73A55-FD50-418a-B9AD-A92688029FF5}\stubpath = "C:\\Windows\\{A1C73A55-FD50-418a-B9AD-A92688029FF5}.exe"	{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}\stubpath = "C:\\Windows\\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe"	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}\stubpath = "C:\\Windows\\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe"	{B24106A0-F072-478f-9026-18DF2068C333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A98C3068-F407-4f6e-907F-3C0621C11693}\stubpath = "C:\\Windows\\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe"	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FCFC449-EC20-4db6-9923-E6959C3656C4}\stubpath = "C:\\Windows\\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe"	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FCFC449-EC20-4db6-9923-E6959C3656C4}	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9202308-58BE-4577-B257-BDB075ECAAE1}	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}\stubpath = "C:\\Windows\\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe"	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}\stubpath = "C:\\Windows\\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe"	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A98C3068-F407-4f6e-907F-3C0621C11693}	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe

Executes dropped EXE 11 IoCs

pid	Process
4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe
3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
3524	{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
File created	C:\Windows\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
File created	C:\Windows\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
File created	C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
File created	C:\Windows\{B24106A0-F072-478f-9026-18DF2068C333}.exe	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
File created	C:\Windows\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	{B24106A0-F072-478f-9026-18DF2068C333}.exe
File created	C:\Windows\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
File created	C:\Windows\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
File created	C:\Windows\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
File created	C:\Windows\{A1C73A55-FD50-418a-B9AD-A92688029FF5}.exe	{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe
File created	C:\Windows\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
File created	C:\Windows\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
Token: SeIncBasePriorityPrivilege	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
Token: SeIncBasePriorityPrivilege	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
Token: SeIncBasePriorityPrivilege	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe
Token: SeIncBasePriorityPrivilege	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
Token: SeIncBasePriorityPrivilege	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
Token: SeIncBasePriorityPrivilege	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
Token: SeIncBasePriorityPrivilege	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
Token: SeIncBasePriorityPrivilege	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
Token: SeIncBasePriorityPrivilege	1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4640	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	93
PID 1876 wrote to memory of 4640	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	93
PID 1876 wrote to memory of 4640	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	93
PID 1876 wrote to memory of 4636	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	94
PID 1876 wrote to memory of 4636	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	94
PID 1876 wrote to memory of 4636	1876	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	94
PID 4640 wrote to memory of 5000	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	96
PID 4640 wrote to memory of 5000	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	96
PID 4640 wrote to memory of 5000	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	96
PID 4640 wrote to memory of 4512	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	97
PID 4640 wrote to memory of 4512	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	97
PID 4640 wrote to memory of 4512	4640	{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe	97
PID 5000 wrote to memory of 2352	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	100
PID 5000 wrote to memory of 2352	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	100
PID 5000 wrote to memory of 2352	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	100
PID 5000 wrote to memory of 2828	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	101
PID 5000 wrote to memory of 2828	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	101
PID 5000 wrote to memory of 2828	5000	{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe	101
PID 2352 wrote to memory of 4100	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	103
PID 2352 wrote to memory of 4100	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	103
PID 2352 wrote to memory of 4100	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	103
PID 2352 wrote to memory of 3708	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	104
PID 2352 wrote to memory of 3708	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	104
PID 2352 wrote to memory of 3708	2352	{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe	104
PID 4100 wrote to memory of 3344	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	105
PID 4100 wrote to memory of 3344	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	105
PID 4100 wrote to memory of 3344	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	105
PID 4100 wrote to memory of 3804	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	106
PID 4100 wrote to memory of 3804	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	106
PID 4100 wrote to memory of 3804	4100	{B24106A0-F072-478f-9026-18DF2068C333}.exe	106
PID 3344 wrote to memory of 4648	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	107
PID 3344 wrote to memory of 4648	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	107
PID 3344 wrote to memory of 4648	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	107
PID 3344 wrote to memory of 2844	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	108
PID 3344 wrote to memory of 2844	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	108
PID 3344 wrote to memory of 2844	3344	{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe	108
PID 4648 wrote to memory of 2512	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	109
PID 4648 wrote to memory of 2512	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	109
PID 4648 wrote to memory of 2512	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	109
PID 4648 wrote to memory of 3796	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	110
PID 4648 wrote to memory of 3796	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	110
PID 4648 wrote to memory of 3796	4648	{A98C3068-F407-4f6e-907F-3C0621C11693}.exe	110
PID 2512 wrote to memory of 396	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	111
PID 2512 wrote to memory of 396	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	111
PID 2512 wrote to memory of 396	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	111
PID 2512 wrote to memory of 536	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	112
PID 2512 wrote to memory of 536	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	112
PID 2512 wrote to memory of 536	2512	{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe	112
PID 396 wrote to memory of 3320	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	113
PID 396 wrote to memory of 3320	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	113
PID 396 wrote to memory of 3320	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	113
PID 396 wrote to memory of 1616	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	114
PID 396 wrote to memory of 1616	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	114
PID 396 wrote to memory of 1616	396	{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe	114
PID 3320 wrote to memory of 1488	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	115
PID 3320 wrote to memory of 1488	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	115
PID 3320 wrote to memory of 1488	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	115
PID 3320 wrote to memory of 1436	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	116
PID 3320 wrote to memory of 1436	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	116
PID 3320 wrote to memory of 1436	3320	{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe	116
PID 1488 wrote to memory of 3524	1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe	121
PID 1488 wrote to memory of 3524	1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe	121
PID 1488 wrote to memory of 3524	1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe	121
PID 1488 wrote to memory of 1764	1488	{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe	122

C:\Users\Admin\AppData\Local\Temp\2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
  C:\Windows\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
    C:\Windows\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
      C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\{B24106A0-F072-478f-9026-18DF2068C333}.exe
        
        C:\Windows\{B24106A0-F072-478f-9026-18DF2068C333}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
        
        C:\Windows\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
        
        C:\Windows\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
        
        C:\Windows\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
        
        C:\Windows\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
        
        C:\Windows\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
        
        C:\Windows\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe
        
        C:\Windows\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9202~1.EXE > nul
        12⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDD24~1.EXE > nul
        11⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D6B~1.EXE > nul
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FCFC~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A98C3~1.EXE > nul
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71610~1.EXE > nul
        7⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2410~1.EXE > nul
        6⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4AA3~1.EXE > nul
        5⤵
        
        PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{747C1~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95FA9~1.EXE > nul
    3⤵
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe

Filesize
372KB

MD5
e2d251dc89c09071d744ba92270ee4f4

SHA1
538874886dcd1d34a7a2e1b19c7d2bdb51cb3039

SHA256
125a3fc89df1bd0e55ba27fc80c8accc2ba6bda9232cbf10fa5fbdceda8902ca

SHA512
f08422b0d5bb380a0b0dc62299c0ac31b8d4df6b8cbfec73ea9575084066f34122e6bb7bef435c0bd5b78c2ce0ab2a55ff9e143dae7218bb399eabfcae2948e1

Download Submit
C:\Windows\{71610C89-EC8C-4ff5-AA9B-C7CC323FF10A}.exe

Filesize
372KB

MD5
e2d251dc89c09071d744ba92270ee4f4

SHA1
538874886dcd1d34a7a2e1b19c7d2bdb51cb3039

SHA256
125a3fc89df1bd0e55ba27fc80c8accc2ba6bda9232cbf10fa5fbdceda8902ca

SHA512
f08422b0d5bb380a0b0dc62299c0ac31b8d4df6b8cbfec73ea9575084066f34122e6bb7bef435c0bd5b78c2ce0ab2a55ff9e143dae7218bb399eabfcae2948e1

Download Submit
C:\Windows\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe

Filesize
372KB

MD5
0321a70dcbb366f9520d787d635509ab

SHA1
b9643e6a504184cf43883c5376f16548237ac743

SHA256
26c93d062d3e77431763b810cefc86f95ebe8c62f2fb75b8062f235d2ebf8d1d

SHA512
f32c82c714e7525bf007514b5e5ccccf18feef4b106c6de0e799de48c9af91a28467bbb80facf5569165674d87e58c1f1841f44aa7390db710ffff664b0327e6

Download Submit
C:\Windows\{747C1EC2-2405-4ff7-A781-4BBCE4EA03C4}.exe

Filesize
372KB

MD5
0321a70dcbb366f9520d787d635509ab

SHA1
b9643e6a504184cf43883c5376f16548237ac743

SHA256
26c93d062d3e77431763b810cefc86f95ebe8c62f2fb75b8062f235d2ebf8d1d

SHA512
f32c82c714e7525bf007514b5e5ccccf18feef4b106c6de0e799de48c9af91a28467bbb80facf5569165674d87e58c1f1841f44aa7390db710ffff664b0327e6

Download Submit
C:\Windows\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe

Filesize
372KB

MD5
a01cc4adb9ab92be59829a57902a6865

SHA1
23f245d9558c97da5b793c66e0b29535b22260ca

SHA256
8aae6e3b50b2e36eb81bc64d5d2c583e63204aa0cd82975ffb93f8729d0518b2

SHA512
85798f429fdf2fbc99b7e5628fbd60d59367a40e5d923346c2427e2c5132f6518c5c6b74c148e9326bd9694eedc10a88b8e7501742da659dafed4810f564ffbf

Download Submit
C:\Windows\{7FCFC449-EC20-4db6-9923-E6959C3656C4}.exe

Filesize
372KB

MD5
a01cc4adb9ab92be59829a57902a6865

SHA1
23f245d9558c97da5b793c66e0b29535b22260ca

SHA256
8aae6e3b50b2e36eb81bc64d5d2c583e63204aa0cd82975ffb93f8729d0518b2

SHA512
85798f429fdf2fbc99b7e5628fbd60d59367a40e5d923346c2427e2c5132f6518c5c6b74c148e9326bd9694eedc10a88b8e7501742da659dafed4810f564ffbf

Download Submit
C:\Windows\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe

Filesize
372KB

MD5
91cf3392ce498240748a9a982077dc71

SHA1
3b28a71f6f8d466e2608aa611aa1ae23e35f868c

SHA256
4d0355f5df705c67afb66f65c5bc4e32c124750db0373c3bbb753824c673feac

SHA512
80b5af33192da52098902110d158c83afae1fac83794a806e87b61fa418923b33e288c3755dc615d3f68ccdb0337e393d5285ac91fa8e20f052160562eab8fc8

Download Submit
C:\Windows\{95FA9863-EB42-4c39-91E6-8E6CDFA19691}.exe

Filesize
372KB

MD5
91cf3392ce498240748a9a982077dc71

SHA1
3b28a71f6f8d466e2608aa611aa1ae23e35f868c

SHA256
4d0355f5df705c67afb66f65c5bc4e32c124750db0373c3bbb753824c673feac

SHA512
80b5af33192da52098902110d158c83afae1fac83794a806e87b61fa418923b33e288c3755dc615d3f68ccdb0337e393d5285ac91fa8e20f052160562eab8fc8

Download Submit
C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe

Filesize
372KB

MD5
8a8047b02f6b692c5f1fcb8bb4ed10de

SHA1
af11fd6d45ca413d8b82bdd31d84db0bb5c30308

SHA256
7ac6720dcff56de392285320921327907b6491a2fc0014bee2c105854940fe53

SHA512
60799466fb277c143c96262b4a03f2ac853f2abf672d7002e5992716f78da5a88704f6a7cd57948d67def43a11442265e6177f70ce5c8ac2fa2b88c5506e1b26

Download Submit
C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe

Filesize
372KB

MD5
8a8047b02f6b692c5f1fcb8bb4ed10de

SHA1
af11fd6d45ca413d8b82bdd31d84db0bb5c30308

SHA256
7ac6720dcff56de392285320921327907b6491a2fc0014bee2c105854940fe53

SHA512
60799466fb277c143c96262b4a03f2ac853f2abf672d7002e5992716f78da5a88704f6a7cd57948d67def43a11442265e6177f70ce5c8ac2fa2b88c5506e1b26

Download Submit
C:\Windows\{A4AA3CC3-A7BF-4050-BAE5-E746290297D9}.exe

Filesize
372KB

MD5
8a8047b02f6b692c5f1fcb8bb4ed10de

SHA1
af11fd6d45ca413d8b82bdd31d84db0bb5c30308

SHA256
7ac6720dcff56de392285320921327907b6491a2fc0014bee2c105854940fe53

SHA512
60799466fb277c143c96262b4a03f2ac853f2abf672d7002e5992716f78da5a88704f6a7cd57948d67def43a11442265e6177f70ce5c8ac2fa2b88c5506e1b26

Download Submit
C:\Windows\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe

Filesize
372KB

MD5
5f0c997a7e0f55c2d566912aaa178bbd

SHA1
909ca3d3779a2e08d3914d9593df2a8874be6d88

SHA256
28025061f20a7176aa5dbaa5b0e221de1643c84fc642b88b72aaecbd0e4c25dc

SHA512
ada2f770048d519a4a2b836e36b90e4bdf6028c15a250233ca59f6aab75c65f838fdb771a8de55d9bbaa5fee8a6e37cc3f67c8f0542b2d550d8418148786e9b4

Download Submit
C:\Windows\{A6D6BAE8-6BB0-4310-889F-7850F959228B}.exe

Filesize
372KB

MD5
5f0c997a7e0f55c2d566912aaa178bbd

SHA1
909ca3d3779a2e08d3914d9593df2a8874be6d88

SHA256
28025061f20a7176aa5dbaa5b0e221de1643c84fc642b88b72aaecbd0e4c25dc

SHA512
ada2f770048d519a4a2b836e36b90e4bdf6028c15a250233ca59f6aab75c65f838fdb771a8de55d9bbaa5fee8a6e37cc3f67c8f0542b2d550d8418148786e9b4

Download Submit
C:\Windows\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe

Filesize
372KB

MD5
1a10413b494c1413ef7c45672cfb377f

SHA1
1bbcac07beb6cdab5f2a22e31c0b8276dc72eb00

SHA256
9b8daa03d97ced394396544b26cdd1042d5ef2d0cc48ef26662fda7bf403a045

SHA512
dc24dbd50b141692769cd5563213bd7b5f99c374a158ff4d380d2f54a2ff60ed2c227e861ab71022e1bb658d579cb6e500cb14511d21485de3d87c42e655196b

Download Submit
C:\Windows\{A9202308-58BE-4577-B257-BDB075ECAAE1}.exe

Filesize
372KB

MD5
1a10413b494c1413ef7c45672cfb377f

SHA1
1bbcac07beb6cdab5f2a22e31c0b8276dc72eb00

SHA256
9b8daa03d97ced394396544b26cdd1042d5ef2d0cc48ef26662fda7bf403a045

SHA512
dc24dbd50b141692769cd5563213bd7b5f99c374a158ff4d380d2f54a2ff60ed2c227e861ab71022e1bb658d579cb6e500cb14511d21485de3d87c42e655196b

Download Submit
C:\Windows\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe

Filesize
372KB

MD5
1a5ec7f380f1171e6b8ef26fe7685826

SHA1
64a4ea9825bcf1c80baeb331bc2203bf237231b0

SHA256
4ea56608443f52fb6b427f76e3464b9af1f7dba1e5514f4684eb04655c159849

SHA512
e3411d6fee5f205b7f5b051be027b4394e46de779d59a07f92372da2c3437546abb80dc02f37511ed03fcb4e75eb3d764089a8d9e3684ae821df22dc4772c7b0

Download Submit
C:\Windows\{A98C3068-F407-4f6e-907F-3C0621C11693}.exe

Filesize
372KB

MD5
1a5ec7f380f1171e6b8ef26fe7685826

SHA1
64a4ea9825bcf1c80baeb331bc2203bf237231b0

SHA256
4ea56608443f52fb6b427f76e3464b9af1f7dba1e5514f4684eb04655c159849

SHA512
e3411d6fee5f205b7f5b051be027b4394e46de779d59a07f92372da2c3437546abb80dc02f37511ed03fcb4e75eb3d764089a8d9e3684ae821df22dc4772c7b0

Download Submit
C:\Windows\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe

Filesize
372KB

MD5
86581a2c825b706d499a2ffa0bb3ca0e

SHA1
46f1e1b229515719b6b6b0b42cd8fd9a9b49b577

SHA256
e12aa4f4045138dccce3e7f8ed7915b2da15f252ba76504e3f4db953384555bf

SHA512
90798ab42b43dc4b5978be47b93052ef9478567cb41da45772d1138108c507dcc19342a5947cc7f2abca9355aae44ce399b82ebe2e916d3c87698e509b334b47

Download Submit
C:\Windows\{AF6BD828-5DEA-4dbe-93E3-BFCBC2C67923}.exe

Filesize
372KB

MD5
86581a2c825b706d499a2ffa0bb3ca0e

SHA1
46f1e1b229515719b6b6b0b42cd8fd9a9b49b577

SHA256
e12aa4f4045138dccce3e7f8ed7915b2da15f252ba76504e3f4db953384555bf

SHA512
90798ab42b43dc4b5978be47b93052ef9478567cb41da45772d1138108c507dcc19342a5947cc7f2abca9355aae44ce399b82ebe2e916d3c87698e509b334b47

Download Submit
C:\Windows\{B24106A0-F072-478f-9026-18DF2068C333}.exe

Filesize
372KB

MD5
10eb7e38ba94f0ebf629d3dbebd059f1

SHA1
44c7a1086c74fc6e8db41ee8cec4e2e4882e8111

SHA256
34c3bd9638d6877fac001efd8c7aa18cd1e126aa9f62cf4a8a6d5ee34e0438da

SHA512
4b9d6584f3d73a73d9797ccb21ab0cc2938e4383858f55a508efb4fbc506072cfb25aa95a69a3a246b704f64ec69deb48006c69ec42f427651ff5c3169e856f9

Download Submit
C:\Windows\{B24106A0-F072-478f-9026-18DF2068C333}.exe

Filesize
372KB

MD5
10eb7e38ba94f0ebf629d3dbebd059f1

SHA1
44c7a1086c74fc6e8db41ee8cec4e2e4882e8111

SHA256
34c3bd9638d6877fac001efd8c7aa18cd1e126aa9f62cf4a8a6d5ee34e0438da

SHA512
4b9d6584f3d73a73d9797ccb21ab0cc2938e4383858f55a508efb4fbc506072cfb25aa95a69a3a246b704f64ec69deb48006c69ec42f427651ff5c3169e856f9

Download Submit
C:\Windows\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe

Filesize
372KB

MD5
c26cb21e7953af74173f9647a968d2a9

SHA1
0c461e356ab29c87cb5ad7286ec365c2518d1961

SHA256
51e3ac34a45b73e95b8d77bee7790acddee6aff4010bac19cd15a9b58bbab680

SHA512
285f3fbc8434dc628152dd1ab4da88a9d893114d9f851a2aa072a6498dac9f4cd3203871154b4fd1fc8caaf746547e6ee52b9a57734cc31a37580515b525c2d7

Download Submit
C:\Windows\{DDD24CBD-1F8F-4359-B01F-41243D306D0B}.exe

Filesize
372KB

MD5
c26cb21e7953af74173f9647a968d2a9

SHA1
0c461e356ab29c87cb5ad7286ec365c2518d1961

SHA256
51e3ac34a45b73e95b8d77bee7790acddee6aff4010bac19cd15a9b58bbab680

SHA512
285f3fbc8434dc628152dd1ab4da88a9d893114d9f851a2aa072a6498dac9f4cd3203871154b4fd1fc8caaf746547e6ee52b9a57734cc31a37580515b525c2d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads