62c7628bc2f473f03ba00ad220f261cc4f8967be8afc0e37c35b1e253c731310

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 21:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
Size

408KB
MD5

903542d0e8b48e23ee6de2bc72ddaf52
SHA1

bd2af22af506975ce9bca9c445945530f7ff8f9a
SHA256

62c7628bc2f473f03ba00ad220f261cc4f8967be8afc0e37c35b1e253c731310
SHA512

7d21ba4b5120934bacae58adb466a6dec019ffee6f1ce029ed1daf25c3614c08f15e00303ce1fa9e0918127a870bf1db19878262cb7b50323ba867216fda2368
SSDEEP

3072:CEGh0oPl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}	{EBC799F3-F251-46af-9684-48F4376D7554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4964AAE8-F493-4aff-A979-6C24B7791FC4}\stubpath = "C:\\Windows\\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe"	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B4674FA-8C06-4995-B91E-712D7C53E41F}\stubpath = "C:\\Windows\\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe"	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A33680F-CC6A-454c-9EC4-96134641A8F6}\stubpath = "C:\\Windows\\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe"	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC799F3-F251-46af-9684-48F4376D7554}\stubpath = "C:\\Windows\\{EBC799F3-F251-46af-9684-48F4376D7554}.exe"	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}\stubpath = "C:\\Windows\\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe"	{EBC799F3-F251-46af-9684-48F4376D7554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E88FEA55-6A12-4686-A384-F60B1134F1AE}\stubpath = "C:\\Windows\\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe"	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300F92CC-6D35-4a5f-818F-4A917F6316C3}	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300F92CC-6D35-4a5f-818F-4A917F6316C3}\stubpath = "C:\\Windows\\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe"	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}\stubpath = "C:\\Windows\\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe"	{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870BA387-200F-47ca-806A-D04E98AB45D2}	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}\stubpath = "C:\\Windows\\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe"	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}\stubpath = "C:\\Windows\\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe"	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC799F3-F251-46af-9684-48F4376D7554}	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4964AAE8-F493-4aff-A979-6C24B7791FC4}	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E88FEA55-6A12-4686-A384-F60B1134F1AE}	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}\stubpath = "C:\\Windows\\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe"	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870BA387-200F-47ca-806A-D04E98AB45D2}\stubpath = "C:\\Windows\\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe"	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B4674FA-8C06-4995-B91E-712D7C53E41F}	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A33680F-CC6A-454c-9EC4-96134641A8F6}	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}	{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe
2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
1920	{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe
844	{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
File created	C:\Windows\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
File created	C:\Windows\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe	{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe
File created	C:\Windows\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
File created	C:\Windows\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	{EBC799F3-F251-46af-9684-48F4376D7554}.exe
File created	C:\Windows\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
File created	C:\Windows\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
File created	C:\Windows\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
File created	C:\Windows\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
File created	C:\Windows\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
File created	C:\Windows\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
File created	C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
Token: SeIncBasePriorityPrivilege	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
Token: SeIncBasePriorityPrivilege	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe
Token: SeIncBasePriorityPrivilege	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
Token: SeIncBasePriorityPrivilege	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
Token: SeIncBasePriorityPrivilege	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
Token: SeIncBasePriorityPrivilege	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
Token: SeIncBasePriorityPrivilege	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
Token: SeIncBasePriorityPrivilege	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
Token: SeIncBasePriorityPrivilege	2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
Token: SeIncBasePriorityPrivilege	1920	{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2596	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	94
PID 5064 wrote to memory of 2596	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	94
PID 5064 wrote to memory of 2596	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	94
PID 5064 wrote to memory of 3352	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	95
PID 5064 wrote to memory of 3352	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	95
PID 5064 wrote to memory of 3352	5064	2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe	95
PID 2596 wrote to memory of 4900	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	99
PID 2596 wrote to memory of 4900	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	99
PID 2596 wrote to memory of 4900	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	99
PID 2596 wrote to memory of 4496	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	100
PID 2596 wrote to memory of 4496	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	100
PID 2596 wrote to memory of 4496	2596	{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe	100
PID 4900 wrote to memory of 4112	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	103
PID 4900 wrote to memory of 4112	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	103
PID 4900 wrote to memory of 4112	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	103
PID 4900 wrote to memory of 4976	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	102
PID 4900 wrote to memory of 4976	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	102
PID 4900 wrote to memory of 4976	4900	{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe	102
PID 4112 wrote to memory of 2676	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	104
PID 4112 wrote to memory of 2676	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	104
PID 4112 wrote to memory of 2676	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	104
PID 4112 wrote to memory of 4728	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	105
PID 4112 wrote to memory of 4728	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	105
PID 4112 wrote to memory of 4728	4112	{EBC799F3-F251-46af-9684-48F4376D7554}.exe	105
PID 2676 wrote to memory of 1244	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	106
PID 2676 wrote to memory of 1244	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	106
PID 2676 wrote to memory of 1244	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	106
PID 2676 wrote to memory of 2460	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	107
PID 2676 wrote to memory of 2460	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	107
PID 2676 wrote to memory of 2460	2676	{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe	107
PID 1244 wrote to memory of 1896	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	108
PID 1244 wrote to memory of 1896	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	108
PID 1244 wrote to memory of 1896	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	108
PID 1244 wrote to memory of 3340	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	109
PID 1244 wrote to memory of 3340	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	109
PID 1244 wrote to memory of 3340	1244	{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe	109
PID 1896 wrote to memory of 8	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	110
PID 1896 wrote to memory of 8	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	110
PID 1896 wrote to memory of 8	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	110
PID 1896 wrote to memory of 3696	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	111
PID 1896 wrote to memory of 3696	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	111
PID 1896 wrote to memory of 3696	1896	{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe	111
PID 8 wrote to memory of 744	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	112
PID 8 wrote to memory of 744	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	112
PID 8 wrote to memory of 744	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	112
PID 8 wrote to memory of 4824	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	113
PID 8 wrote to memory of 4824	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	113
PID 8 wrote to memory of 4824	8	{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe	113
PID 744 wrote to memory of 4124	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	114
PID 744 wrote to memory of 4124	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	114
PID 744 wrote to memory of 4124	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	114
PID 744 wrote to memory of 3716	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	115
PID 744 wrote to memory of 3716	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	115
PID 744 wrote to memory of 3716	744	{870BA387-200F-47ca-806A-D04E98AB45D2}.exe	115
PID 4124 wrote to memory of 2424	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	116
PID 4124 wrote to memory of 2424	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	116
PID 4124 wrote to memory of 2424	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	116
PID 4124 wrote to memory of 1196	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	117
PID 4124 wrote to memory of 1196	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	117
PID 4124 wrote to memory of 1196	4124	{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe	117
PID 2424 wrote to memory of 1920	2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe	118
PID 2424 wrote to memory of 1920	2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe	118
PID 2424 wrote to memory of 1920	2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe	118
PID 2424 wrote to memory of 3840	2424	{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe	119

C:\Users\Admin\AppData\Local\Temp\2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_903542d0e8b48e23ee6de2bc72ddaf52_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
  C:\Windows\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
    C:\Windows\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D41~1.EXE > nul
      4⤵
      PID:4976
  - - C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe
      C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
        
        C:\Windows\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
        
        C:\Windows\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
        
        C:\Windows\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
        
        C:\Windows\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
        
        C:\Windows\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
        
        C:\Windows\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
        
        C:\Windows\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe
        
        C:\Windows\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe
        
        C:\Windows\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe
        13⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A336~1.EXE > nul
        13⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{300F9~1.EXE > nul
        12⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B467~1.EXE > nul
        11⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{870BA~1.EXE > nul
        10⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B2BA~1.EXE > nul
        9⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E88FE~1.EXE > nul
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4964A~1.EXE > nul
        7⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B70AF~1.EXE > nul
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC79~1.EXE > nul
        5⤵
        
        PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{89110~1.EXE > nul
    3⤵
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe

Filesize
408KB

MD5
4c9c643dd17c6d906b8c4a2c152b603d

SHA1
8342a4e0c982ffd819a0e5a56e31a4649496d395

SHA256
9a801c08b92d5732c9a38329b05a3f4b6a02884450bbe4c01014d71e2b6c167e

SHA512
86720450d927d8eeaf2120eec01ebc5c6bcf28fd275a40870826d8b2f07f51a34b67bbf420da1720bcddc9b310faa0b328454bde9bdb9eb7d7c9f64ab419248e

Download Submit
C:\Windows\{2B2BA62C-15C7-4f84-8D58-BDE7470C68D5}.exe

Filesize
408KB

MD5
4c9c643dd17c6d906b8c4a2c152b603d

SHA1
8342a4e0c982ffd819a0e5a56e31a4649496d395

SHA256
9a801c08b92d5732c9a38329b05a3f4b6a02884450bbe4c01014d71e2b6c167e

SHA512
86720450d927d8eeaf2120eec01ebc5c6bcf28fd275a40870826d8b2f07f51a34b67bbf420da1720bcddc9b310faa0b328454bde9bdb9eb7d7c9f64ab419248e

Download Submit
C:\Windows\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe

Filesize
408KB

MD5
8baf191cf1d6ba5dc07f6bad9a44cd80

SHA1
0e1d5ce5a9dea57b272404e8ebb144a40b870df6

SHA256
326bdd0e9f5ed82b7245e7299909eba0aa06ef51c683895b332c57951aa9443c

SHA512
f747d0a1b9f1f608e2a5e796b9015e7caa3c119c78c2aca148fa88f820a795e97796ac1982fb034f97e46b8f20d71b595277da16f91a202ceeb6aed9f242083b

Download Submit
C:\Windows\{300F92CC-6D35-4a5f-818F-4A917F6316C3}.exe

Filesize
408KB

MD5
8baf191cf1d6ba5dc07f6bad9a44cd80

SHA1
0e1d5ce5a9dea57b272404e8ebb144a40b870df6

SHA256
326bdd0e9f5ed82b7245e7299909eba0aa06ef51c683895b332c57951aa9443c

SHA512
f747d0a1b9f1f608e2a5e796b9015e7caa3c119c78c2aca148fa88f820a795e97796ac1982fb034f97e46b8f20d71b595277da16f91a202ceeb6aed9f242083b

Download Submit
C:\Windows\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe

Filesize
408KB

MD5
d75a6374d3839ad34ab3c0cc7ff30e19

SHA1
f92a9dcf87ba94a7e133382e884f1ec1fb82433e

SHA256
e1c30408752511d4231973b30658b570939e4a24d284634ebf86e730470d242d

SHA512
a26b4717be7d62cc8cf496fd6948866ae4f7a77374777b39b9d0f3dea9160904cf6ff785e2c5eaa0e37dc57f61318b53c934113c17a73472c8c79886e8944902

Download Submit
C:\Windows\{4964AAE8-F493-4aff-A979-6C24B7791FC4}.exe

Filesize
408KB

MD5
d75a6374d3839ad34ab3c0cc7ff30e19

SHA1
f92a9dcf87ba94a7e133382e884f1ec1fb82433e

SHA256
e1c30408752511d4231973b30658b570939e4a24d284634ebf86e730470d242d

SHA512
a26b4717be7d62cc8cf496fd6948866ae4f7a77374777b39b9d0f3dea9160904cf6ff785e2c5eaa0e37dc57f61318b53c934113c17a73472c8c79886e8944902

Download Submit
C:\Windows\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe

Filesize
408KB

MD5
9bb84c1fd292534fa2d7b664974fbf76

SHA1
3a256cec6a47c363190e9cefcfb8384a66ecf95d

SHA256
e0dee0ca51331bffeb9734c53ecc9b9d3d76c39171c7594a48f89b41b512f750

SHA512
e4f9bab63d0bc843e4d573cd502791c456eb20320c3bb37afae4a591a0d67dfa4a6041df63145c106f4fcb899fd5f6de7fd979ec6a6536c29a7b07d48079166e

Download Submit
C:\Windows\{4B4674FA-8C06-4995-B91E-712D7C53E41F}.exe

Filesize
408KB

MD5
9bb84c1fd292534fa2d7b664974fbf76

SHA1
3a256cec6a47c363190e9cefcfb8384a66ecf95d

SHA256
e0dee0ca51331bffeb9734c53ecc9b9d3d76c39171c7594a48f89b41b512f750

SHA512
e4f9bab63d0bc843e4d573cd502791c456eb20320c3bb37afae4a591a0d67dfa4a6041df63145c106f4fcb899fd5f6de7fd979ec6a6536c29a7b07d48079166e

Download Submit
C:\Windows\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe

Filesize
408KB

MD5
caaebf6f22ad23f21cb58fabca75e234

SHA1
e92661a569f096e8f639e334ca7faa5f822a43fd

SHA256
0fa1e68fe8106cac6eaa371ccd034b2dc25ef85880ab6f34b6e2108c21b88d0b

SHA512
ebbcde9e235aa8e9f73978f7013f0fbb963ebc528f938603825ef5d36291774675ff9ed9e04eefb42b0b27a91ccc6cb7181115e66bbe0dc5a6e9cb1099c2ade4

Download Submit
C:\Windows\{6A33680F-CC6A-454c-9EC4-96134641A8F6}.exe

Filesize
408KB

MD5
caaebf6f22ad23f21cb58fabca75e234

SHA1
e92661a569f096e8f639e334ca7faa5f822a43fd

SHA256
0fa1e68fe8106cac6eaa371ccd034b2dc25ef85880ab6f34b6e2108c21b88d0b

SHA512
ebbcde9e235aa8e9f73978f7013f0fbb963ebc528f938603825ef5d36291774675ff9ed9e04eefb42b0b27a91ccc6cb7181115e66bbe0dc5a6e9cb1099c2ade4

Download Submit
C:\Windows\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe

Filesize
408KB

MD5
349a1757294155d108f2358a746a492f

SHA1
bf10eca9f2dd7a8bc1940b2602308854c7e04e73

SHA256
d82bbb329a7eb06cebf61bbd4f3a492792dc6d41acba8c53397d318096ba1676

SHA512
160fb549d405ecdad44e127baec554cb6e613238d364eb665b412fe0134a85d5a074c234d89adbeac8e2edf32e365e490230f3e5a3de8f43167df8878cc2f487

Download Submit
C:\Windows\{870BA387-200F-47ca-806A-D04E98AB45D2}.exe

Filesize
408KB

MD5
349a1757294155d108f2358a746a492f

SHA1
bf10eca9f2dd7a8bc1940b2602308854c7e04e73

SHA256
d82bbb329a7eb06cebf61bbd4f3a492792dc6d41acba8c53397d318096ba1676

SHA512
160fb549d405ecdad44e127baec554cb6e613238d364eb665b412fe0134a85d5a074c234d89adbeac8e2edf32e365e490230f3e5a3de8f43167df8878cc2f487

Download Submit
C:\Windows\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe

Filesize
408KB

MD5
70f31fa3b9b1a3b5a60b3e15f7a9e42f

SHA1
484c56dc8c6819117f86b04c8c5d3d10e3f7301c

SHA256
57a791026651752620b9e4fdbc047317da38065195475de3cd299383ce8e1c61

SHA512
e5695adec79c11765e6ef60ead7e33c32a7ae380bedda5c767db1be9241c845ffcceadbbd5889346a4fd2c0714642e7b7edfea3bdae8953be638821fe9304171

Download Submit
C:\Windows\{89110ED3-CF0C-475d-859A-D8BE0CDC6AF4}.exe

Filesize
408KB

MD5
70f31fa3b9b1a3b5a60b3e15f7a9e42f

SHA1
484c56dc8c6819117f86b04c8c5d3d10e3f7301c

SHA256
57a791026651752620b9e4fdbc047317da38065195475de3cd299383ce8e1c61

SHA512
e5695adec79c11765e6ef60ead7e33c32a7ae380bedda5c767db1be9241c845ffcceadbbd5889346a4fd2c0714642e7b7edfea3bdae8953be638821fe9304171

Download Submit
C:\Windows\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe

Filesize
408KB

MD5
c024eb61818aacabd52a1d78b14ebd2d

SHA1
c98eb04ecf4392cb9df241229ae6b84b6f4b6ffa

SHA256
bf271d1b7243f64e979bf24cd86a9feb6b0a329a14c9cdede271e63d105e62db

SHA512
b30be6f93d6ed46e410a2d6c8a5e2b6bf6f1521d0152e993ac94096e126fe53084d06a57d4e83b69235acd37cf8bc11fe5460f670adb2f0028b2f4b403d1c6af

Download Submit
C:\Windows\{B70AF1E6-48F9-4bd7-B75E-BA17492D1BDE}.exe

Filesize
408KB

MD5
c024eb61818aacabd52a1d78b14ebd2d

SHA1
c98eb04ecf4392cb9df241229ae6b84b6f4b6ffa

SHA256
bf271d1b7243f64e979bf24cd86a9feb6b0a329a14c9cdede271e63d105e62db

SHA512
b30be6f93d6ed46e410a2d6c8a5e2b6bf6f1521d0152e993ac94096e126fe53084d06a57d4e83b69235acd37cf8bc11fe5460f670adb2f0028b2f4b403d1c6af

Download Submit
C:\Windows\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe

Filesize
408KB

MD5
963c8af75b5162fae93fbcc712706b10

SHA1
237b82feada6e9aebfffdd900f604874ea9da809

SHA256
edb2de81303d213a3b11f6ba11431aafa7dd540e4c1f1ec6019f5a671fbb081c

SHA512
771f205f8bcca832e71ac1fdae2bf99ad9982c03a0a5a50991c73721fc938d210661d2890cb31665d85d8918dd34376a7f93cbd1978367128cf2710955ddf97c

Download Submit
C:\Windows\{E2D41F0B-C833-4738-88A5-B1064C4EFC35}.exe

Filesize
408KB

MD5
963c8af75b5162fae93fbcc712706b10

SHA1
237b82feada6e9aebfffdd900f604874ea9da809

SHA256
edb2de81303d213a3b11f6ba11431aafa7dd540e4c1f1ec6019f5a671fbb081c

SHA512
771f205f8bcca832e71ac1fdae2bf99ad9982c03a0a5a50991c73721fc938d210661d2890cb31665d85d8918dd34376a7f93cbd1978367128cf2710955ddf97c

Download Submit
C:\Windows\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe

Filesize
408KB

MD5
935ff531e0b6dadc783b669d4db8c770

SHA1
1013c251385bbea40cdac4fc2231694ad35df08f

SHA256
056f3fbd5410f67c3e0ca8b57106c158526c307c298684ff81dfcc880091e707

SHA512
abb967bc554319f2890ae11b44160c1d150b542efc94a4c6b434211bfe7068b9be909711cc4cdc97db1d76d850265ed71100774839751ac0b99fdb5bffb70457

Download Submit
C:\Windows\{E88FEA55-6A12-4686-A384-F60B1134F1AE}.exe

Filesize
408KB

MD5
935ff531e0b6dadc783b669d4db8c770

SHA1
1013c251385bbea40cdac4fc2231694ad35df08f

SHA256
056f3fbd5410f67c3e0ca8b57106c158526c307c298684ff81dfcc880091e707

SHA512
abb967bc554319f2890ae11b44160c1d150b542efc94a4c6b434211bfe7068b9be909711cc4cdc97db1d76d850265ed71100774839751ac0b99fdb5bffb70457

Download Submit
C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe

Filesize
408KB

MD5
2be49771ce0e1b309d9cea151b02bbdf

SHA1
5f856642aef370fd6d54af4ec0c8a367f0d3bb8b

SHA256
2453b446f2e1b01a2467f40cddf05faa648324f47f8e060edef680938242e9a8

SHA512
19453579907f78da45a30875f1ff48c492ca336fc9948e37255481bb1502b9de3551728622f726436f5896f1c2e2cf612397c66fdc2abeb74a5f7f91fb693003

Download Submit
C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe

Filesize
408KB

MD5
2be49771ce0e1b309d9cea151b02bbdf

SHA1
5f856642aef370fd6d54af4ec0c8a367f0d3bb8b

SHA256
2453b446f2e1b01a2467f40cddf05faa648324f47f8e060edef680938242e9a8

SHA512
19453579907f78da45a30875f1ff48c492ca336fc9948e37255481bb1502b9de3551728622f726436f5896f1c2e2cf612397c66fdc2abeb74a5f7f91fb693003

Download Submit
C:\Windows\{EBC799F3-F251-46af-9684-48F4376D7554}.exe

Filesize
408KB

MD5
2be49771ce0e1b309d9cea151b02bbdf

SHA1
5f856642aef370fd6d54af4ec0c8a367f0d3bb8b

SHA256
2453b446f2e1b01a2467f40cddf05faa648324f47f8e060edef680938242e9a8

SHA512
19453579907f78da45a30875f1ff48c492ca336fc9948e37255481bb1502b9de3551728622f726436f5896f1c2e2cf612397c66fdc2abeb74a5f7f91fb693003

Download Submit
C:\Windows\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe

Filesize
408KB

MD5
c5b9d3d643112308643518cb8f4fe256

SHA1
9e94de7056e3682be0c52cd3c21a31fba2e40d6f

SHA256
7a481e59b2a211790f749891afea9d3a012263dc045d7cc5dccb6ec86aff0e11

SHA512
55ed2b5fffb46d37bb94d4d7f4c5fbef81cd78d63f06ee683b94585e984bd6a55de0259f81c80fea57a64f029958edc72c18a8ef68535780686e1439c2c2d01a

Download Submit
C:\Windows\{FF13CBF9-54E5-49ec-A2BD-42300508F3A2}.exe

Filesize
408KB

MD5
c5b9d3d643112308643518cb8f4fe256

SHA1
9e94de7056e3682be0c52cd3c21a31fba2e40d6f

SHA256
7a481e59b2a211790f749891afea9d3a012263dc045d7cc5dccb6ec86aff0e11

SHA512
55ed2b5fffb46d37bb94d4d7f4c5fbef81cd78d63f06ee683b94585e984bd6a55de0259f81c80fea57a64f029958edc72c18a8ef68535780686e1439c2c2d01a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads