8f8bd3fea63ef94319c42a6a349ef9a33ed2a343e6699fd654ad44ec77590265

Analysis

max time kernel
168s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Size

204KB
MD5

1a8c4ebb8bd30f5ab30e947191e6e628
SHA1

ff2f1d81bc80979706a07d7cba115e4912a3f290
SHA256

8f8bd3fea63ef94319c42a6a349ef9a33ed2a343e6699fd654ad44ec77590265
SHA512

880b915f9bc71c5b453c24a0be6558f3280bae27f1e670d5728a11696de92fc88b56d6b9895dcf25e6c4108e192bc857141ea8b22414625a0adb00bf64ac7d18
SSDEEP

1536:1EGh0oal15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oal1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C4F5C70-719E-4c3f-9C25-883FD938162B}\stubpath = "C:\\Windows\\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe"	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}\stubpath = "C:\\Windows\\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe"	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B088956-10B3-4728-A94C-980555865B5B}\stubpath = "C:\\Windows\\{2B088956-10B3-4728-A94C-980555865B5B}.exe"	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}	{2B088956-10B3-4728-A94C-980555865B5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AED283-61EA-4547-B61B-4A21C5959145}	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AED283-61EA-4547-B61B-4A21C5959145}\stubpath = "C:\\Windows\\{13AED283-61EA-4547-B61B-4A21C5959145}.exe"	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}\stubpath = "C:\\Windows\\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe"	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}\stubpath = "C:\\Windows\\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe"	{13AED283-61EA-4547-B61B-4A21C5959145}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C4F5C70-719E-4c3f-9C25-883FD938162B}	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C6D01E-9754-4b5d-9C52-1977938F17A0}	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}\stubpath = "C:\\Windows\\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe"	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}\stubpath = "C:\\Windows\\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe"	{2B088956-10B3-4728-A94C-980555865B5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}\stubpath = "C:\\Windows\\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe"	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}\stubpath = "C:\\Windows\\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe"	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}\stubpath = "C:\\Windows\\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe"	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C6D01E-9754-4b5d-9C52-1977938F17A0}\stubpath = "C:\\Windows\\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe"	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B088956-10B3-4728-A94C-980555865B5B}	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}	{13AED283-61EA-4547-B61B-4A21C5959145}.exe

Executes dropped EXE 12 IoCs

pid	Process
2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe
1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
3920	{13AED283-61EA-4547-B61B-4A21C5959145}.exe
1804	{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
File created	C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
File created	C:\Windows\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
File created	C:\Windows\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
File created	C:\Windows\{2B088956-10B3-4728-A94C-980555865B5B}.exe	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
File created	C:\Windows\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
File created	C:\Windows\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
File created	C:\Windows\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
File created	C:\Windows\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
File created	C:\Windows\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe	{2B088956-10B3-4728-A94C-980555865B5B}.exe
File created	C:\Windows\{13AED283-61EA-4547-B61B-4A21C5959145}.exe	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
File created	C:\Windows\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe	{13AED283-61EA-4547-B61B-4A21C5959145}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
Token: SeIncBasePriorityPrivilege	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
Token: SeIncBasePriorityPrivilege	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
Token: SeIncBasePriorityPrivilege	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
Token: SeIncBasePriorityPrivilege	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
Token: SeIncBasePriorityPrivilege	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
Token: SeIncBasePriorityPrivilege	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
Token: SeIncBasePriorityPrivilege	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
Token: SeIncBasePriorityPrivilege	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe
Token: SeIncBasePriorityPrivilege	1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
Token: SeIncBasePriorityPrivilege	3920	{13AED283-61EA-4547-B61B-4A21C5959145}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 2508	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	91
PID 3368 wrote to memory of 2508	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	91
PID 3368 wrote to memory of 2508	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	91
PID 3368 wrote to memory of 2260	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	92
PID 3368 wrote to memory of 2260	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	92
PID 3368 wrote to memory of 2260	3368	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	92
PID 2508 wrote to memory of 3336	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	95
PID 2508 wrote to memory of 3336	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	95
PID 2508 wrote to memory of 3336	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	95
PID 2508 wrote to memory of 2864	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	96
PID 2508 wrote to memory of 2864	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	96
PID 2508 wrote to memory of 2864	2508	{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe	96
PID 3336 wrote to memory of 4396	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	99
PID 3336 wrote to memory of 4396	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	99
PID 3336 wrote to memory of 4396	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	99
PID 3336 wrote to memory of 4008	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	98
PID 3336 wrote to memory of 4008	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	98
PID 3336 wrote to memory of 4008	3336	{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe	98
PID 4396 wrote to memory of 4856	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	100
PID 4396 wrote to memory of 4856	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	100
PID 4396 wrote to memory of 4856	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	100
PID 4396 wrote to memory of 2412	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	101
PID 4396 wrote to memory of 2412	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	101
PID 4396 wrote to memory of 2412	4396	{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe	101
PID 4856 wrote to memory of 1276	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	102
PID 4856 wrote to memory of 1276	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	102
PID 4856 wrote to memory of 1276	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	102
PID 4856 wrote to memory of 1452	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	103
PID 4856 wrote to memory of 1452	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	103
PID 4856 wrote to memory of 1452	4856	{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe	103
PID 1276 wrote to memory of 4176	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	104
PID 1276 wrote to memory of 4176	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	104
PID 1276 wrote to memory of 4176	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	104
PID 1276 wrote to memory of 4936	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	105
PID 1276 wrote to memory of 4936	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	105
PID 1276 wrote to memory of 4936	1276	{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe	105
PID 4176 wrote to memory of 3096	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	106
PID 4176 wrote to memory of 3096	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	106
PID 4176 wrote to memory of 3096	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	106
PID 4176 wrote to memory of 1332	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	107
PID 4176 wrote to memory of 1332	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	107
PID 4176 wrote to memory of 1332	4176	{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe	107
PID 3096 wrote to memory of 2092	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	108
PID 3096 wrote to memory of 2092	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	108
PID 3096 wrote to memory of 2092	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	108
PID 3096 wrote to memory of 4560	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	109
PID 3096 wrote to memory of 4560	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	109
PID 3096 wrote to memory of 4560	3096	{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe	109
PID 2092 wrote to memory of 1812	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	110
PID 2092 wrote to memory of 1812	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	110
PID 2092 wrote to memory of 1812	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	110
PID 2092 wrote to memory of 2232	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	111
PID 2092 wrote to memory of 2232	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	111
PID 2092 wrote to memory of 2232	2092	{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe	111
PID 1812 wrote to memory of 1756	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	112
PID 1812 wrote to memory of 1756	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	112
PID 1812 wrote to memory of 1756	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	112
PID 1812 wrote to memory of 4440	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	113
PID 1812 wrote to memory of 4440	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	113
PID 1812 wrote to memory of 4440	1812	{2B088956-10B3-4728-A94C-980555865B5B}.exe	113
PID 1756 wrote to memory of 3920	1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe	114
PID 1756 wrote to memory of 3920	1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe	114
PID 1756 wrote to memory of 3920	1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe	114
PID 1756 wrote to memory of 4052	1756	{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe	115

C:\Users\Admin\AppData\Local\Temp\2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
  C:\Windows\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
    C:\Windows\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4F5~1.EXE > nul
      4⤵
      PID:4008
  - - C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
      C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
        
        C:\Windows\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
        
        C:\Windows\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
        
        C:\Windows\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
        
        C:\Windows\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
        
        C:\Windows\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{2B088956-10B3-4728-A94C-980555865B5B}.exe
        
        C:\Windows\{2B088956-10B3-4728-A94C-980555865B5B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
        
        C:\Windows\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{13AED283-61EA-4547-B61B-4A21C5959145}.exe
        
        C:\Windows\{13AED283-61EA-4547-B61B-4A21C5959145}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe
        
        C:\Windows\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13AED~1.EXE > nul
        13⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C233C~1.EXE > nul
        12⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B088~1.EXE > nul
        11⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DEF~1.EXE > nul
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99E6C~1.EXE > nul
        9⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{206B2~1.EXE > nul
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48C6D~1.EXE > nul
        7⤵
        
        PID:4936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{849AD~1.EXE > nul
        6⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D05BF~1.EXE > nul
        5⤵
        
        PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32C0F~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe

Filesize
204KB

MD5
93cf07cb72147c7fa58b0bde4568ebca

SHA1
81aa54f0c543b4e225e508f57871aa57b1e7606f

SHA256
1d150ccb5e707bb6c2023f839f39ca2be09a2b386ee21dedf1b0c71aea5d039d

SHA512
2dc9911cae24e4fb21854bbc06eda9b250fda007d9457639313c05df83ca30faa9613975a65e3aa470cbc140126b8e02bd83b196904a96ff56f9488eaf088863

Download Submit
C:\Windows\{0C4F5C70-719E-4c3f-9C25-883FD938162B}.exe

Filesize
204KB

MD5
93cf07cb72147c7fa58b0bde4568ebca

SHA1
81aa54f0c543b4e225e508f57871aa57b1e7606f

SHA256
1d150ccb5e707bb6c2023f839f39ca2be09a2b386ee21dedf1b0c71aea5d039d

SHA512
2dc9911cae24e4fb21854bbc06eda9b250fda007d9457639313c05df83ca30faa9613975a65e3aa470cbc140126b8e02bd83b196904a96ff56f9488eaf088863

Download Submit
C:\Windows\{13AED283-61EA-4547-B61B-4A21C5959145}.exe

Filesize
204KB

MD5
bad1e7ce7ba53a71bdaa0ee13f2eef1d

SHA1
5c6b2656e3731911958f68b778c2d765768a7751

SHA256
e2604d3919546716cd7c4ae6d2a3aba8feac08d17061dda87ffd35e59a04ab6e

SHA512
a118fa18a8db708f0891592c8e1757e037990a2fa9efdf37fdb499c33847b9cd66474f2af1f06e85aa96254679e988406d6c3f1a41a7d9a52bd57ebda01eb9bb

Download Submit
C:\Windows\{13AED283-61EA-4547-B61B-4A21C5959145}.exe

Filesize
204KB

MD5
bad1e7ce7ba53a71bdaa0ee13f2eef1d

SHA1
5c6b2656e3731911958f68b778c2d765768a7751

SHA256
e2604d3919546716cd7c4ae6d2a3aba8feac08d17061dda87ffd35e59a04ab6e

SHA512
a118fa18a8db708f0891592c8e1757e037990a2fa9efdf37fdb499c33847b9cd66474f2af1f06e85aa96254679e988406d6c3f1a41a7d9a52bd57ebda01eb9bb

Download Submit
C:\Windows\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe

Filesize
204KB

MD5
e21d82161b506fa6cd3c9e09e06d0bb2

SHA1
c366d37801f63b7790ee155d11499eb98e84322c

SHA256
763e25b8600b842fbc70614ed757966cb59b630a1c1ffac914b9a92b6513cfb7

SHA512
190d0a116aadaa9ae01d5169f8c069639a0adf3f3ab5c77c5ee902b7e48caafaed2c41e160b573488f215c09f3934a0e2b9cfe7f43f8704f513c6344db4fddad

Download Submit
C:\Windows\{206B2C20-0B1D-40ef-A111-9D6D0EE0437E}.exe

Filesize
204KB

MD5
e21d82161b506fa6cd3c9e09e06d0bb2

SHA1
c366d37801f63b7790ee155d11499eb98e84322c

SHA256
763e25b8600b842fbc70614ed757966cb59b630a1c1ffac914b9a92b6513cfb7

SHA512
190d0a116aadaa9ae01d5169f8c069639a0adf3f3ab5c77c5ee902b7e48caafaed2c41e160b573488f215c09f3934a0e2b9cfe7f43f8704f513c6344db4fddad

Download Submit
C:\Windows\{2B088956-10B3-4728-A94C-980555865B5B}.exe

Filesize
204KB

MD5
8f2a9f0da1c41a9ce0ef45636c6e644a

SHA1
aa5296abc1c41e3531da83dc3cd7107dd1edf823

SHA256
b7cc89fe7c682a1af76f991a5ba7137e9335e6a428102f6e70510c9d177726f3

SHA512
e1a8e458fa60f78f91d0facc46eb146305a805b9e868b43f29ca037de1729435fd669dd99afd1ba25cfd61c6fdb17dc84708d900a9802e6da0cde9d936a2054b

Download Submit
C:\Windows\{2B088956-10B3-4728-A94C-980555865B5B}.exe

Filesize
204KB

MD5
8f2a9f0da1c41a9ce0ef45636c6e644a

SHA1
aa5296abc1c41e3531da83dc3cd7107dd1edf823

SHA256
b7cc89fe7c682a1af76f991a5ba7137e9335e6a428102f6e70510c9d177726f3

SHA512
e1a8e458fa60f78f91d0facc46eb146305a805b9e868b43f29ca037de1729435fd669dd99afd1ba25cfd61c6fdb17dc84708d900a9802e6da0cde9d936a2054b

Download Submit
C:\Windows\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe

Filesize
204KB

MD5
cac371464f7f3f9260db08e4843459de

SHA1
a70db5b3c6461abdc19a7d997b0241e0f6377962

SHA256
236d37243614d8b7a088af0d0ae5919fb58cfe964e027cca8f16d4244b53fd97

SHA512
a1de91f0e9e6135b7b6a723e97986ee9aa4c47efb7b5dd5cb557b86ca818703e5f3d63bc14ab323d86c01f46a4eeb16b072d8d3bba0ba0a09a411fbb1ad43e27

Download Submit
C:\Windows\{32C0F5EF-A76A-4af1-81F1-DBFF1418701F}.exe

Filesize
204KB

MD5
cac371464f7f3f9260db08e4843459de

SHA1
a70db5b3c6461abdc19a7d997b0241e0f6377962

SHA256
236d37243614d8b7a088af0d0ae5919fb58cfe964e027cca8f16d4244b53fd97

SHA512
a1de91f0e9e6135b7b6a723e97986ee9aa4c47efb7b5dd5cb557b86ca818703e5f3d63bc14ab323d86c01f46a4eeb16b072d8d3bba0ba0a09a411fbb1ad43e27

Download Submit
C:\Windows\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe

Filesize
204KB

MD5
53e223340853227122f02674c7f568a7

SHA1
5491fc98b5e9c0244c0ab315efa82635e8c893b9

SHA256
396396c13bf2792840de314b187fa62633a098f174d6621f5b4b6bbde58387f2

SHA512
823bfa86e3eaa1ba16fcadc94b75858d2057663022b803a999840a43c274ad11b979d78371149a1db12a69a4a77435847b23921c332c57ad180e6444bf588cc6

Download Submit
C:\Windows\{48C6D01E-9754-4b5d-9C52-1977938F17A0}.exe

Filesize
204KB

MD5
53e223340853227122f02674c7f568a7

SHA1
5491fc98b5e9c0244c0ab315efa82635e8c893b9

SHA256
396396c13bf2792840de314b187fa62633a098f174d6621f5b4b6bbde58387f2

SHA512
823bfa86e3eaa1ba16fcadc94b75858d2057663022b803a999840a43c274ad11b979d78371149a1db12a69a4a77435847b23921c332c57ad180e6444bf588cc6

Download Submit
C:\Windows\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe

Filesize
204KB

MD5
20ef21f4ddf3adcd26219912b1ac8355

SHA1
15db759a3636b3f5a08b602ba2a1439872d6073a

SHA256
b4c366b96d4cc7bee0e0b1a888c038c1901aa27b1064f9dabde0a3a69193e13c

SHA512
190f4d0d4956e40e7ef78cbb18400d142ac332056ae5f37b34e20aa8384b0d5846d42d83537d59b20bae50c8646624249029199ea61c42aa76eed2713907d0d5

Download Submit
C:\Windows\{7E2F1C13-4F32-4e8c-B786-81B6AB0DDDFC}.exe

Filesize
204KB

MD5
20ef21f4ddf3adcd26219912b1ac8355

SHA1
15db759a3636b3f5a08b602ba2a1439872d6073a

SHA256
b4c366b96d4cc7bee0e0b1a888c038c1901aa27b1064f9dabde0a3a69193e13c

SHA512
190f4d0d4956e40e7ef78cbb18400d142ac332056ae5f37b34e20aa8384b0d5846d42d83537d59b20bae50c8646624249029199ea61c42aa76eed2713907d0d5

Download Submit
C:\Windows\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe

Filesize
204KB

MD5
1f132403474e7c5587ef41d2ebfe6dc6

SHA1
59d6c8e6fd4c952e81d3ba916adfbb0e55e2f1cd

SHA256
4cd8dbcef906bee522e7c4720407948a90dc8d7c0da62c9c537cf39ce67143c5

SHA512
10377c3ce533d9c16e5fc842bcce493f70686c0a9a427c4335088aa6fa816fdab7644a81c4201ebf0b2eacae39cd5308a0faba73077fb6dbdcf078e96c7a5e7e

Download Submit
C:\Windows\{849AD4E4-3441-4638-A78A-0EEA5DFA0D14}.exe

Filesize
204KB

MD5
1f132403474e7c5587ef41d2ebfe6dc6

SHA1
59d6c8e6fd4c952e81d3ba916adfbb0e55e2f1cd

SHA256
4cd8dbcef906bee522e7c4720407948a90dc8d7c0da62c9c537cf39ce67143c5

SHA512
10377c3ce533d9c16e5fc842bcce493f70686c0a9a427c4335088aa6fa816fdab7644a81c4201ebf0b2eacae39cd5308a0faba73077fb6dbdcf078e96c7a5e7e

Download Submit
C:\Windows\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe

Filesize
204KB

MD5
7633242cdf6355fafcfc944c023b2351

SHA1
c625966a7d49c6c0dbaab47d55160044d6c6c403

SHA256
c58ffe082e4f9b6ebc22787dde1198bc7036cc0d3582e9a0ebece902a2fd0700

SHA512
1bb0832943a68fc661b5cd8bd3e67e8d5b72ec744909dfe9ce8b5c777a1cc67fbd1b1c3130af9090dbe645c91ea161c0b040929a9bbcf18873c0ba3637681044

Download Submit
C:\Windows\{99E6C49E-7EE2-4ed5-B17E-10A349FBFED3}.exe

Filesize
204KB

MD5
7633242cdf6355fafcfc944c023b2351

SHA1
c625966a7d49c6c0dbaab47d55160044d6c6c403

SHA256
c58ffe082e4f9b6ebc22787dde1198bc7036cc0d3582e9a0ebece902a2fd0700

SHA512
1bb0832943a68fc661b5cd8bd3e67e8d5b72ec744909dfe9ce8b5c777a1cc67fbd1b1c3130af9090dbe645c91ea161c0b040929a9bbcf18873c0ba3637681044

Download Submit
C:\Windows\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe

Filesize
204KB

MD5
b64a7b3179f490194d3505da00ae69a6

SHA1
7ff1830472c758a9181395a2c7b1908ef8b16580

SHA256
2dcda8d10a51f14dee4b6f6af4c5faecfdb81dab5da367feef737cc36c177fbc

SHA512
93d005b6224ca153fb0d7a01d22a8e5b6b1d52200ef98296f8903119b8b6a2755f1e74df3dac8175455e1470d5ad63b717b25ec53bfaab98500c67c61533353c

Download Submit
C:\Windows\{B5DEFDB2-CABF-4947-AFCF-5EE9E405CD0B}.exe

Filesize
204KB

MD5
b64a7b3179f490194d3505da00ae69a6

SHA1
7ff1830472c758a9181395a2c7b1908ef8b16580

SHA256
2dcda8d10a51f14dee4b6f6af4c5faecfdb81dab5da367feef737cc36c177fbc

SHA512
93d005b6224ca153fb0d7a01d22a8e5b6b1d52200ef98296f8903119b8b6a2755f1e74df3dac8175455e1470d5ad63b717b25ec53bfaab98500c67c61533353c

Download Submit
C:\Windows\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe

Filesize
204KB

MD5
7bdb9d1fa8b148ccf384b19e595e691a

SHA1
dcacd9fd4216905f816a398277ce4697affe06bb

SHA256
d9671c99824ed2b164d45fa0f87a0ae8b2351369d8996201c2ac97e535fb34a9

SHA512
18ad9fa008287ee34cb6c0265b12fa251364d33259da73d00ef7015a47536c9782e8118ddf366d0a867580668276add2a26272c95b1bda37247bab830f69dd66

Download Submit
C:\Windows\{C233CFD5-CC08-4ac3-8570-BDC77F82CAB6}.exe

Filesize
204KB

MD5
7bdb9d1fa8b148ccf384b19e595e691a

SHA1
dcacd9fd4216905f816a398277ce4697affe06bb

SHA256
d9671c99824ed2b164d45fa0f87a0ae8b2351369d8996201c2ac97e535fb34a9

SHA512
18ad9fa008287ee34cb6c0265b12fa251364d33259da73d00ef7015a47536c9782e8118ddf366d0a867580668276add2a26272c95b1bda37247bab830f69dd66

Download Submit
C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe

Filesize
204KB

MD5
bde109859e005cf176af5086f3b845c4

SHA1
1ba9ca78f119a8c003d40eb92ee43ea1a8c7bd10

SHA256
71f098f0c3fff9d9956a44ebf861f125e26a1121a346e4dbd973450ede340791

SHA512
88b7ddfa760155613926c3bd20d8904a0aaccf9055614dcd7f8000458d211dc33ed0e289c1e0142006c4c788af25f0b5a57c95095f5390fa51ede40b343bde47

Download Submit
C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe

Filesize
204KB

MD5
bde109859e005cf176af5086f3b845c4

SHA1
1ba9ca78f119a8c003d40eb92ee43ea1a8c7bd10

SHA256
71f098f0c3fff9d9956a44ebf861f125e26a1121a346e4dbd973450ede340791

SHA512
88b7ddfa760155613926c3bd20d8904a0aaccf9055614dcd7f8000458d211dc33ed0e289c1e0142006c4c788af25f0b5a57c95095f5390fa51ede40b343bde47

Download Submit
C:\Windows\{D05BF1E8-A9F6-4a4a-A6CF-498C0144BC7D}.exe

Filesize
204KB

MD5
bde109859e005cf176af5086f3b845c4

SHA1
1ba9ca78f119a8c003d40eb92ee43ea1a8c7bd10

SHA256
71f098f0c3fff9d9956a44ebf861f125e26a1121a346e4dbd973450ede340791

SHA512
88b7ddfa760155613926c3bd20d8904a0aaccf9055614dcd7f8000458d211dc33ed0e289c1e0142006c4c788af25f0b5a57c95095f5390fa51ede40b343bde47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads