368e1454f0b2e7e30448778d182ea920d63cec62ee1218887db262faa5861a82

Analysis

max time kernel
156s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
Size

192KB
MD5

604b4bb0221d2f51d309414026fef626
SHA1

075b4c7a06d3d20767cd55bc286b8184c21f6c02
SHA256

368e1454f0b2e7e30448778d182ea920d63cec62ee1218887db262faa5861a82
SHA512

e872eee62b9dde7bf4098f3547afc76b4712fefcb52f5a7de80c71be49d582457ff35eb33f6998aa7fc5996e435202ff45f439417980254b3b99731a9442801a
SSDEEP

1536:1EGh0oZLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0otl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09454918-BB4C-45df-AD69-05454E7BC9AB}	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09454918-BB4C-45df-AD69-05454E7BC9AB}\stubpath = "C:\\Windows\\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe"	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0799FC-23B5-4477-A10A-F5F00ED16329}	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}\stubpath = "C:\\Windows\\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe"	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}\stubpath = "C:\\Windows\\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe"	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F66052B4-5331-4fa1-8609-13DA7ED63105}\stubpath = "C:\\Windows\\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe"	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}\stubpath = "C:\\Windows\\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe"	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C8F83A0-9186-43e6-8740-64914037BD24}\stubpath = "C:\\Windows\\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe"	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}\stubpath = "C:\\Windows\\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe"	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C818C0-FC23-4656-8E18-B87BB1FAA805}\stubpath = "C:\\Windows\\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe"	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}\stubpath = "C:\\Windows\\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe"	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E0799FC-23B5-4477-A10A-F5F00ED16329}\stubpath = "C:\\Windows\\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe"	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}\stubpath = "C:\\Windows\\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe"	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C8F83A0-9186-43e6-8740-64914037BD24}	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F66052B4-5331-4fa1-8609-13DA7ED63105}	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C818C0-FC23-4656-8E18-B87BB1FAA805}	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe

Executes dropped EXE 11 IoCs

pid	Process
388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
2404	{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
File created	C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
File created	C:\Windows\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
File created	C:\Windows\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
File created	C:\Windows\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
File created	C:\Windows\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
File created	C:\Windows\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
File created	C:\Windows\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
File created	C:\Windows\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
File created	C:\Windows\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
File created	C:\Windows\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
Token: SeIncBasePriorityPrivilege	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
Token: SeIncBasePriorityPrivilege	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
Token: SeIncBasePriorityPrivilege	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
Token: SeIncBasePriorityPrivilege	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
Token: SeIncBasePriorityPrivilege	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
Token: SeIncBasePriorityPrivilege	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
Token: SeIncBasePriorityPrivilege	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
Token: SeIncBasePriorityPrivilege	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
Token: SeIncBasePriorityPrivilege	4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 388	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	93
PID 1260 wrote to memory of 388	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	93
PID 1260 wrote to memory of 388	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	93
PID 1260 wrote to memory of 3968	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	94
PID 1260 wrote to memory of 3968	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	94
PID 1260 wrote to memory of 3968	1260	2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe	94
PID 388 wrote to memory of 3764	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	98
PID 388 wrote to memory of 3764	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	98
PID 388 wrote to memory of 3764	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	98
PID 388 wrote to memory of 3788	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	99
PID 388 wrote to memory of 3788	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	99
PID 388 wrote to memory of 3788	388	{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe	99
PID 3764 wrote to memory of 3280	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	100
PID 3764 wrote to memory of 3280	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	100
PID 3764 wrote to memory of 3280	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	100
PID 3764 wrote to memory of 1476	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	101
PID 3764 wrote to memory of 1476	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	101
PID 3764 wrote to memory of 1476	3764	{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe	101
PID 3280 wrote to memory of 668	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	103
PID 3280 wrote to memory of 668	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	103
PID 3280 wrote to memory of 668	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	103
PID 3280 wrote to memory of 1792	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	104
PID 3280 wrote to memory of 1792	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	104
PID 3280 wrote to memory of 1792	3280	{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe	104
PID 668 wrote to memory of 4528	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	105
PID 668 wrote to memory of 4528	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	105
PID 668 wrote to memory of 4528	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	105
PID 668 wrote to memory of 3876	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	106
PID 668 wrote to memory of 3876	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	106
PID 668 wrote to memory of 3876	668	{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe	106
PID 4528 wrote to memory of 5100	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	108
PID 4528 wrote to memory of 5100	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	108
PID 4528 wrote to memory of 5100	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	108
PID 4528 wrote to memory of 692	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	109
PID 4528 wrote to memory of 692	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	109
PID 4528 wrote to memory of 692	4528	{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe	109
PID 5100 wrote to memory of 1932	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	111
PID 5100 wrote to memory of 1932	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	111
PID 5100 wrote to memory of 1932	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	111
PID 5100 wrote to memory of 3720	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	112
PID 5100 wrote to memory of 3720	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	112
PID 5100 wrote to memory of 3720	5100	{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe	112
PID 1932 wrote to memory of 3456	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	113
PID 1932 wrote to memory of 3456	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	113
PID 1932 wrote to memory of 3456	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	113
PID 1932 wrote to memory of 2912	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	114
PID 1932 wrote to memory of 2912	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	114
PID 1932 wrote to memory of 2912	1932	{3C8F83A0-9186-43e6-8740-64914037BD24}.exe	114
PID 3456 wrote to memory of 984	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	121
PID 3456 wrote to memory of 984	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	121
PID 3456 wrote to memory of 984	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	121
PID 3456 wrote to memory of 4796	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	122
PID 3456 wrote to memory of 4796	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	122
PID 3456 wrote to memory of 4796	3456	{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe	122
PID 984 wrote to memory of 4608	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	123
PID 984 wrote to memory of 4608	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	123
PID 984 wrote to memory of 4608	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	123
PID 984 wrote to memory of 776	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	124
PID 984 wrote to memory of 776	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	124
PID 984 wrote to memory of 776	984	{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe	124
PID 4608 wrote to memory of 2404	4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe	126
PID 4608 wrote to memory of 2404	4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe	126
PID 4608 wrote to memory of 2404	4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe	126
PID 4608 wrote to memory of 3876	4608	{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe	127

C:\Users\Admin\AppData\Local\Temp\2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_604b4bb0221d2f51d309414026fef626_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
  C:\Windows\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
    C:\Windows\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
      C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
        
        C:\Windows\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Windows\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
        
        C:\Windows\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
        
        C:\Windows\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
        
        C:\Windows\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
        
        C:\Windows\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
        
        C:\Windows\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
        
        C:\Windows\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe
        
        C:\Windows\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe
        12⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9827E~1.EXE > nul
        12⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A24C3~1.EXE > nul
        11⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6605~1.EXE > nul
        10⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C8F8~1.EXE > nul
        9⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7AEA~1.EXE > nul
        8⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F20D~1.EXE > nul
        7⤵
        
        PID:692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB81~1.EXE > nul
        6⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E079~1.EXE > nul
        5⤵
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FE6D~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31C81~1.EXE > nul
    3⤵
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe

Filesize
192KB

MD5
4c6c7895384cf0d2f89a5d64d8f3e5e5

SHA1
7ddf3c22d6fc3d828fd951c7758af2680608ae93

SHA256
840543e8fbbbcded078d22e7b4db86e86d681c5772dd65a9ba922ac8b91d7bdf

SHA512
62233b11023a196aa512aba9e168f69d545c0433bc2ba08dcc177a96a376d625d20edc7a500441ba63a87faaaf445005855db9d9fe4886b38966d349a41782ff

Download Submit
C:\Windows\{09454918-BB4C-45df-AD69-05454E7BC9AB}.exe

Filesize
192KB

MD5
4c6c7895384cf0d2f89a5d64d8f3e5e5

SHA1
7ddf3c22d6fc3d828fd951c7758af2680608ae93

SHA256
840543e8fbbbcded078d22e7b4db86e86d681c5772dd65a9ba922ac8b91d7bdf

SHA512
62233b11023a196aa512aba9e168f69d545c0433bc2ba08dcc177a96a376d625d20edc7a500441ba63a87faaaf445005855db9d9fe4886b38966d349a41782ff

Download Submit
C:\Windows\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe

Filesize
192KB

MD5
998efc7452b76152de658cb1b3109ef0

SHA1
f0ab57283180b6609f62be64b6bb593c26686e0e

SHA256
46c306e3ecedf6b85cb7bf0b7f39fbf7fac3c60f2a32fb6628fe93e461b2dee3

SHA512
a98ae93bcf22d27e6824fec1c8855d8e1b8e4eb414e9afbd75f7be49ce4665e54a1d8ae6d19286ccec9df54e414a395310316dc5a9298ea9fbe4556be9a60a46

Download Submit
C:\Windows\{0F20DE54-23C7-4480-9BAE-A2C9B7F28F95}.exe

Filesize
192KB

MD5
998efc7452b76152de658cb1b3109ef0

SHA1
f0ab57283180b6609f62be64b6bb593c26686e0e

SHA256
46c306e3ecedf6b85cb7bf0b7f39fbf7fac3c60f2a32fb6628fe93e461b2dee3

SHA512
a98ae93bcf22d27e6824fec1c8855d8e1b8e4eb414e9afbd75f7be49ce4665e54a1d8ae6d19286ccec9df54e414a395310316dc5a9298ea9fbe4556be9a60a46

Download Submit
C:\Windows\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe

Filesize
192KB

MD5
1120ca057ca1859b61f68b28961d5744

SHA1
9afb51597b7695891ad54c4021ae34c47f93f77a

SHA256
714f511716962d2de359d2d8b1dbb695db504a8fab47a027b9ee0628814f66e5

SHA512
7fecce05471ba2558d705a6bb7caf5f2d6cbcacad509a4758e76d8a5ef3bc37110088f512f34cfa9627b8fdb047adb51c33401055dc812dcef50670b2ed2f32b

Download Submit
C:\Windows\{0FB8109B-C6FB-4ee3-8189-B657F558C6C4}.exe

Filesize
192KB

MD5
1120ca057ca1859b61f68b28961d5744

SHA1
9afb51597b7695891ad54c4021ae34c47f93f77a

SHA256
714f511716962d2de359d2d8b1dbb695db504a8fab47a027b9ee0628814f66e5

SHA512
7fecce05471ba2558d705a6bb7caf5f2d6cbcacad509a4758e76d8a5ef3bc37110088f512f34cfa9627b8fdb047adb51c33401055dc812dcef50670b2ed2f32b

Download Submit
C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe

Filesize
192KB

MD5
ff92e18c51535c1649d7fc56418683d9

SHA1
06df5966bf0c71de33d29149e94ba13bffdabd8e

SHA256
093ba83d886f511809aac7926850cbd36874b77f87f145c1f676ebbc8fe8d10a

SHA512
7e11fc6b3d35241119c198ce3197c68944a650b08d07abe607b83b4ef3130b0d5aead4736a80da20a1e485fe373af37387dc46330d10e12dc8885e8447be1a2a

Download Submit
C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe

Filesize
192KB

MD5
ff92e18c51535c1649d7fc56418683d9

SHA1
06df5966bf0c71de33d29149e94ba13bffdabd8e

SHA256
093ba83d886f511809aac7926850cbd36874b77f87f145c1f676ebbc8fe8d10a

SHA512
7e11fc6b3d35241119c198ce3197c68944a650b08d07abe607b83b4ef3130b0d5aead4736a80da20a1e485fe373af37387dc46330d10e12dc8885e8447be1a2a

Download Submit
C:\Windows\{1E0799FC-23B5-4477-A10A-F5F00ED16329}.exe

Filesize
192KB

MD5
ff92e18c51535c1649d7fc56418683d9

SHA1
06df5966bf0c71de33d29149e94ba13bffdabd8e

SHA256
093ba83d886f511809aac7926850cbd36874b77f87f145c1f676ebbc8fe8d10a

SHA512
7e11fc6b3d35241119c198ce3197c68944a650b08d07abe607b83b4ef3130b0d5aead4736a80da20a1e485fe373af37387dc46330d10e12dc8885e8447be1a2a

Download Submit
C:\Windows\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe

Filesize
192KB

MD5
3068034d586b8cb3845d1fcb85176a78

SHA1
b5a06af47e6f86740fa1a7522f81dcb78df0a210

SHA256
62cb56258f29c290ea258df4b54a0736945e5642ae29b643d182ad4550a2d1e9

SHA512
b0f90a82778144397232de447f75304baf8d205fbbd6701304aefbadc0a85bfffc29f05f136b5c8b3c1bebec19e92acd9c888006a52fefa279a8a8dfd2676598

Download Submit
C:\Windows\{31C818C0-FC23-4656-8E18-B87BB1FAA805}.exe

Filesize
192KB

MD5
3068034d586b8cb3845d1fcb85176a78

SHA1
b5a06af47e6f86740fa1a7522f81dcb78df0a210

SHA256
62cb56258f29c290ea258df4b54a0736945e5642ae29b643d182ad4550a2d1e9

SHA512
b0f90a82778144397232de447f75304baf8d205fbbd6701304aefbadc0a85bfffc29f05f136b5c8b3c1bebec19e92acd9c888006a52fefa279a8a8dfd2676598

Download Submit
C:\Windows\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe

Filesize
192KB

MD5
bbc68a2cf8a05edd86c29a7759bd3443

SHA1
319bff897a15e629665e2ed837c4a4382cbfbd91

SHA256
57d7de3e38a9fb810cb3f54108025ae62be2d05642c77e0d7bd314879bdbd2b1

SHA512
9cbcd38f05dba309e2a992c3de54496ea6537bbdab09d95672c7d6827358c8eccc55e9a621e66fa525a479050b906e8f8fa5a876017da4f434fbe22e62520768

Download Submit
C:\Windows\{3C8F83A0-9186-43e6-8740-64914037BD24}.exe

Filesize
192KB

MD5
bbc68a2cf8a05edd86c29a7759bd3443

SHA1
319bff897a15e629665e2ed837c4a4382cbfbd91

SHA256
57d7de3e38a9fb810cb3f54108025ae62be2d05642c77e0d7bd314879bdbd2b1

SHA512
9cbcd38f05dba309e2a992c3de54496ea6537bbdab09d95672c7d6827358c8eccc55e9a621e66fa525a479050b906e8f8fa5a876017da4f434fbe22e62520768

Download Submit
C:\Windows\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe

Filesize
192KB

MD5
a9130ffc9905485c3bf56070a5755349

SHA1
53767b6e0c5a23c64b1209136586bc417ca5d2aa

SHA256
44854e1d4b5d19efff38e5a2bc3a9bc958e313ddd34838b1d38019509cd80ef0

SHA512
d86a3e62b82511c98134eb94f05079beaf845d1c5dd610b465cd7c3c38c837349f12f6ba53d74eae289d0e73bda43c019641d73ef473e5a51193e0ef6ff060d5

Download Submit
C:\Windows\{7FE6DB1A-7F3D-4f59-91E6-A3C3409000C6}.exe

Filesize
192KB

MD5
a9130ffc9905485c3bf56070a5755349

SHA1
53767b6e0c5a23c64b1209136586bc417ca5d2aa

SHA256
44854e1d4b5d19efff38e5a2bc3a9bc958e313ddd34838b1d38019509cd80ef0

SHA512
d86a3e62b82511c98134eb94f05079beaf845d1c5dd610b465cd7c3c38c837349f12f6ba53d74eae289d0e73bda43c019641d73ef473e5a51193e0ef6ff060d5

Download Submit
C:\Windows\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe

Filesize
192KB

MD5
99381c5692c26ea57f2b0e1b83e0a64d

SHA1
2316673b392afb52482114ed914fd15e6455b9e6

SHA256
28d6fcded467f30ec54ae5cdbb15546c46b672663555b7ae7a582e13feadad6c

SHA512
20d0cd6ff0db50f0ed06804c9ab9a1d48208691a26703cafe713c6e9d620db7d5a7dad0060944c828e3763b33a389120edd45b3b3b941180a9987ff3c3a3be74

Download Submit
C:\Windows\{9827EF5E-E0AB-4cfe-9940-90B345CA586D}.exe

Filesize
192KB

MD5
99381c5692c26ea57f2b0e1b83e0a64d

SHA1
2316673b392afb52482114ed914fd15e6455b9e6

SHA256
28d6fcded467f30ec54ae5cdbb15546c46b672663555b7ae7a582e13feadad6c

SHA512
20d0cd6ff0db50f0ed06804c9ab9a1d48208691a26703cafe713c6e9d620db7d5a7dad0060944c828e3763b33a389120edd45b3b3b941180a9987ff3c3a3be74

Download Submit
C:\Windows\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe

Filesize
192KB

MD5
fb4d9298c470f6aab9aaa9cc1017873f

SHA1
fe095efd7fb74bfc9b7532be28740d2d22c89f88

SHA256
16e2fb354e6641e0614f7e622bce4234721f263e0bb80245c2e62db772f95bb8

SHA512
b2bb238b451ec5c6da2834dada40d0bc8162cb07ad1a812c632d4da8505450931f6dba7edfb39b3501109ef19d1ed549b59dcb95c3ba9d2b0abc6bf5ea7e22d1

Download Submit
C:\Windows\{A24C3B04-0CAB-4a95-AA51-E79D4BD5896B}.exe

Filesize
192KB

MD5
fb4d9298c470f6aab9aaa9cc1017873f

SHA1
fe095efd7fb74bfc9b7532be28740d2d22c89f88

SHA256
16e2fb354e6641e0614f7e622bce4234721f263e0bb80245c2e62db772f95bb8

SHA512
b2bb238b451ec5c6da2834dada40d0bc8162cb07ad1a812c632d4da8505450931f6dba7edfb39b3501109ef19d1ed549b59dcb95c3ba9d2b0abc6bf5ea7e22d1

Download Submit
C:\Windows\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe

Filesize
192KB

MD5
b4f84d460b25cf7e7481bf9a121a230e

SHA1
c585933e2419cb593362972508ffceb79031ef76

SHA256
b07977fab3d55f5c54b71c967895763e666e424b54ec5964161366bae342ee57

SHA512
8c553d1e9dc367e5443ea7e404bae5e74af1c99dfc21699d4a849699cbf528d12241ccf4535a9bb7987414b7a2f10b5361e05e5836f891d6802786b5b119011d

Download Submit
C:\Windows\{B7AEA8C8-FE57-4ce8-AD7B-D0DC7545DC91}.exe

Filesize
192KB

MD5
b4f84d460b25cf7e7481bf9a121a230e

SHA1
c585933e2419cb593362972508ffceb79031ef76

SHA256
b07977fab3d55f5c54b71c967895763e666e424b54ec5964161366bae342ee57

SHA512
8c553d1e9dc367e5443ea7e404bae5e74af1c99dfc21699d4a849699cbf528d12241ccf4535a9bb7987414b7a2f10b5361e05e5836f891d6802786b5b119011d

Download Submit
C:\Windows\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe

Filesize
192KB

MD5
27903b2bc7e7b367c581fcfedc9daded

SHA1
767114151734f5ca73979245cc5480c490c22bb1

SHA256
1105f91f40ac23ab1d316d1a09f6448f7718c363106d0c8cf3ea6164e934a0df

SHA512
770bb0d92f7e9796e82c462eb8fce0be269d7154195a891276f927aab1aa68a632b9ee63b34606f09a7e3a5142a6f71600651004da9ced2a3caac751be04f63c

Download Submit
C:\Windows\{F66052B4-5331-4fa1-8609-13DA7ED63105}.exe

Filesize
192KB

MD5
27903b2bc7e7b367c581fcfedc9daded

SHA1
767114151734f5ca73979245cc5480c490c22bb1

SHA256
1105f91f40ac23ab1d316d1a09f6448f7718c363106d0c8cf3ea6164e934a0df

SHA512
770bb0d92f7e9796e82c462eb8fce0be269d7154195a891276f927aab1aa68a632b9ee63b34606f09a7e3a5142a6f71600651004da9ced2a3caac751be04f63c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads