88e90c46ed2a8f362e3cff2f878a1aa8feacbf23695022b6f8791100f0203da3

Analysis

max time kernel
166s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Size

180KB
MD5

f07e742bdf130795758bc1fc3ffde82f
SHA1

3c79b1054a55f8cf9155f641e23ca2cf840755a8
SHA256

88e90c46ed2a8f362e3cff2f878a1aa8feacbf23695022b6f8791100f0203da3
SHA512

e65559e9bd110cfc81238569f9807102b9a65fe33487ef07fd21c053a77e6947adc00e0f61d5f03104921e41d11cee2fadd11db4a5c749a558ca79aa3b8f1925
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}\stubpath = "C:\\Windows\\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe"	{11B91934-6405-4bbb-A712-38A128AB6C26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36041F06-814B-4de0-BCBA-AE32027B0737}\stubpath = "C:\\Windows\\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe"	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11B91934-6405-4bbb-A712-38A128AB6C26}	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}	{11B91934-6405-4bbb-A712-38A128AB6C26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47B56296-B3BA-403a-A449-2C05FBF76D9B}	{A19D2374-2263-44d0-B845-90865DDC285D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F1901E2-20FA-41f5-AEC0-51744337C05C}	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32786126-3124-46a8-AD2E-B7400EDDF086}	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32786126-3124-46a8-AD2E-B7400EDDF086}\stubpath = "C:\\Windows\\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe"	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21252F1-E801-47b9-9E43-3B9EDF83C163}\stubpath = "C:\\Windows\\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe"	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}\stubpath = "C:\\Windows\\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe"	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A19D2374-2263-44d0-B845-90865DDC285D}	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F1901E2-20FA-41f5-AEC0-51744337C05C}\stubpath = "C:\\Windows\\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe"	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E39972-A21E-4af4-A78F-A80281A0B42D}\stubpath = "C:\\Windows\\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe"	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21252F1-E801-47b9-9E43-3B9EDF83C163}	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A19D2374-2263-44d0-B845-90865DDC285D}\stubpath = "C:\\Windows\\{A19D2374-2263-44d0-B845-90865DDC285D}.exe"	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47B56296-B3BA-403a-A449-2C05FBF76D9B}\stubpath = "C:\\Windows\\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe"	{A19D2374-2263-44d0-B845-90865DDC285D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11B91934-6405-4bbb-A712-38A128AB6C26}\stubpath = "C:\\Windows\\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe"	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36041F06-814B-4de0-BCBA-AE32027B0737}	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E39972-A21E-4af4-A78F-A80281A0B42D}	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}\stubpath = "C:\\Windows\\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe"	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}\stubpath = "C:\\Windows\\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe"	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe
2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
4976	{11B91934-6405-4bbb-A712-38A128AB6C26}.exe
984	{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
File created	C:\Windows\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
File created	C:\Windows\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	{A19D2374-2263-44d0-B845-90865DDC285D}.exe
File created	C:\Windows\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
File created	C:\Windows\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
File created	C:\Windows\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
File created	C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
File created	C:\Windows\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
File created	C:\Windows\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
File created	C:\Windows\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
File created	C:\Windows\{A19D2374-2263-44d0-B845-90865DDC285D}.exe	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
File created	C:\Windows\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe	{11B91934-6405-4bbb-A712-38A128AB6C26}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
Token: SeIncBasePriorityPrivilege	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
Token: SeIncBasePriorityPrivilege	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
Token: SeIncBasePriorityPrivilege	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
Token: SeIncBasePriorityPrivilege	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
Token: SeIncBasePriorityPrivilege	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
Token: SeIncBasePriorityPrivilege	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
Token: SeIncBasePriorityPrivilege	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe
Token: SeIncBasePriorityPrivilege	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
Token: SeIncBasePriorityPrivilege	544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
Token: SeIncBasePriorityPrivilege	4976	{11B91934-6405-4bbb-A712-38A128AB6C26}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1548	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	89
PID 4780 wrote to memory of 1548	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	89
PID 4780 wrote to memory of 1548	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	89
PID 4780 wrote to memory of 3968	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	90
PID 4780 wrote to memory of 3968	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	90
PID 4780 wrote to memory of 3968	4780	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	90
PID 1548 wrote to memory of 1572	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	95
PID 1548 wrote to memory of 1572	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	95
PID 1548 wrote to memory of 1572	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	95
PID 1548 wrote to memory of 3560	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	96
PID 1548 wrote to memory of 3560	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	96
PID 1548 wrote to memory of 3560	1548	{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe	96
PID 1572 wrote to memory of 4596	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	102
PID 1572 wrote to memory of 4596	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	102
PID 1572 wrote to memory of 4596	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	102
PID 1572 wrote to memory of 1016	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	101
PID 1572 wrote to memory of 1016	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	101
PID 1572 wrote to memory of 1016	1572	{32786126-3124-46a8-AD2E-B7400EDDF086}.exe	101
PID 4596 wrote to memory of 388	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	103
PID 4596 wrote to memory of 388	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	103
PID 4596 wrote to memory of 388	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	103
PID 4596 wrote to memory of 3012	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	104
PID 4596 wrote to memory of 3012	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	104
PID 4596 wrote to memory of 3012	4596	{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe	104
PID 388 wrote to memory of 2704	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	105
PID 388 wrote to memory of 2704	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	105
PID 388 wrote to memory of 2704	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	105
PID 388 wrote to memory of 708	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	106
PID 388 wrote to memory of 708	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	106
PID 388 wrote to memory of 708	388	{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe	106
PID 2704 wrote to memory of 3004	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	107
PID 2704 wrote to memory of 3004	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	107
PID 2704 wrote to memory of 3004	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	107
PID 2704 wrote to memory of 4548	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	108
PID 2704 wrote to memory of 4548	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	108
PID 2704 wrote to memory of 4548	2704	{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe	108
PID 3004 wrote to memory of 5060	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	109
PID 3004 wrote to memory of 5060	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	109
PID 3004 wrote to memory of 5060	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	109
PID 3004 wrote to memory of 3172	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	110
PID 3004 wrote to memory of 3172	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	110
PID 3004 wrote to memory of 3172	3004	{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe	110
PID 5060 wrote to memory of 3364	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	111
PID 5060 wrote to memory of 3364	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	111
PID 5060 wrote to memory of 3364	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	111
PID 5060 wrote to memory of 4504	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	112
PID 5060 wrote to memory of 4504	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	112
PID 5060 wrote to memory of 4504	5060	{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe	112
PID 3364 wrote to memory of 2144	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	113
PID 3364 wrote to memory of 2144	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	113
PID 3364 wrote to memory of 2144	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	113
PID 3364 wrote to memory of 1152	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	114
PID 3364 wrote to memory of 1152	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	114
PID 3364 wrote to memory of 1152	3364	{A19D2374-2263-44d0-B845-90865DDC285D}.exe	114
PID 2144 wrote to memory of 544	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	115
PID 2144 wrote to memory of 544	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	115
PID 2144 wrote to memory of 544	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	115
PID 2144 wrote to memory of 412	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	116
PID 2144 wrote to memory of 412	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	116
PID 2144 wrote to memory of 412	2144	{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe	116
PID 544 wrote to memory of 4976	544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe	123
PID 544 wrote to memory of 4976	544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe	123
PID 544 wrote to memory of 4976	544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe	123
PID 544 wrote to memory of 2832	544	{36041F06-814B-4de0-BCBA-AE32027B0737}.exe	124

C:\Users\Admin\AppData\Local\Temp\2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
  C:\Windows\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
    C:\Windows\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{32786~1.EXE > nul
      4⤵
      PID:1016
  - - C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
      C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
        
        C:\Windows\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
        
        C:\Windows\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
        
        C:\Windows\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
        
        C:\Windows\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{A19D2374-2263-44d0-B845-90865DDC285D}.exe
        
        C:\Windows\{A19D2374-2263-44d0-B845-90865DDC285D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
        
        C:\Windows\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
        
        C:\Windows\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe
        
        C:\Windows\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe
        
        C:\Windows\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe
        13⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11B91~1.EXE > nul
        13⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36041~1.EXE > nul
        12⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47B56~1.EXE > nul
        11⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A19D2~1.EXE > nul
        10⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C6B~1.EXE > nul
        9⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47DAA~1.EXE > nul
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EAB3~1.EXE > nul
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2125~1.EXE > nul
        6⤵
        
        PID:708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28E39~1.EXE > nul
        5⤵
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F190~1.EXE > nul
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe

Filesize
180KB

MD5
963908cb260a215e695e3ea539adfb85

SHA1
d906268e1a8adb4b04f39d6f512e933db00b121e

SHA256
7d8dd99fef54d80978d2270a8f8a77b13dc44fdb1b3e08ba3b4f0c963114331f

SHA512
705676eceef7eb83901c0d51ba1f1e37206df38c07fce89bd1e42fa4e6aaab146e8cfecaca321ad76ec94070db1f32ed8d59859207d8797ea97fbdf76a23a1cf

Download Submit
C:\Windows\{11B91934-6405-4bbb-A712-38A128AB6C26}.exe

Filesize
180KB

MD5
963908cb260a215e695e3ea539adfb85

SHA1
d906268e1a8adb4b04f39d6f512e933db00b121e

SHA256
7d8dd99fef54d80978d2270a8f8a77b13dc44fdb1b3e08ba3b4f0c963114331f

SHA512
705676eceef7eb83901c0d51ba1f1e37206df38c07fce89bd1e42fa4e6aaab146e8cfecaca321ad76ec94070db1f32ed8d59859207d8797ea97fbdf76a23a1cf

Download Submit
C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe

Filesize
180KB

MD5
1587f854d6d218bfbe0997c4e51c9d6b

SHA1
42570b7b3fe3f52d7a1b05d3f76f41410c8459c8

SHA256
7f6a9f63a53f38e3c2b7d38c0b1a375937a7471490dc1d6faf62097a1bd17c2b

SHA512
0974088ff5c2dfce4977868728cabc104e000f52350e1bd654ad7162c73b106bfad24af0855fbfe646c52bfb80f6b94c805bae9b83d7f5b050b35a8ecb95eb01

Download Submit
C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe

Filesize
180KB

MD5
1587f854d6d218bfbe0997c4e51c9d6b

SHA1
42570b7b3fe3f52d7a1b05d3f76f41410c8459c8

SHA256
7f6a9f63a53f38e3c2b7d38c0b1a375937a7471490dc1d6faf62097a1bd17c2b

SHA512
0974088ff5c2dfce4977868728cabc104e000f52350e1bd654ad7162c73b106bfad24af0855fbfe646c52bfb80f6b94c805bae9b83d7f5b050b35a8ecb95eb01

Download Submit
C:\Windows\{28E39972-A21E-4af4-A78F-A80281A0B42D}.exe

Filesize
180KB

MD5
1587f854d6d218bfbe0997c4e51c9d6b

SHA1
42570b7b3fe3f52d7a1b05d3f76f41410c8459c8

SHA256
7f6a9f63a53f38e3c2b7d38c0b1a375937a7471490dc1d6faf62097a1bd17c2b

SHA512
0974088ff5c2dfce4977868728cabc104e000f52350e1bd654ad7162c73b106bfad24af0855fbfe646c52bfb80f6b94c805bae9b83d7f5b050b35a8ecb95eb01

Download Submit
C:\Windows\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe

Filesize
180KB

MD5
cb52a89954e55f4ef0452c823217b2fc

SHA1
9b3a63b6bd5def33ef3154909d80022ac50ab4b4

SHA256
7826108e4d457fe053b0e1e75e2273b888a9776c58565abc8402fc184c9c80ef

SHA512
86f4efe1918a0d754cee8ca44390f7500db57cd4d166012fb70bc2adebe8be38f4f5caa2395cc6aa2d9a2a155a30cfabf1739e06ada961358edcf504a319d1dc

Download Submit
C:\Windows\{29C6B571-C65C-4d66-BDF2-CAE9FF32738A}.exe

Filesize
180KB

MD5
cb52a89954e55f4ef0452c823217b2fc

SHA1
9b3a63b6bd5def33ef3154909d80022ac50ab4b4

SHA256
7826108e4d457fe053b0e1e75e2273b888a9776c58565abc8402fc184c9c80ef

SHA512
86f4efe1918a0d754cee8ca44390f7500db57cd4d166012fb70bc2adebe8be38f4f5caa2395cc6aa2d9a2a155a30cfabf1739e06ada961358edcf504a319d1dc

Download Submit
C:\Windows\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe

Filesize
180KB

MD5
86dcbe878a5c943714d714101412ee7e

SHA1
4bada8998224f1107ddc0cc94c5778fcb787132a

SHA256
2d4be7fa77849aa71cbdda2c0768d6e4431b5bdc35e038b3fb3f1de671cb2069

SHA512
9f1c7e465974ca6bf8924daa8ae1460ff8cc7947fcaab33806d631d0e293ce6aefe8c0cacbaf18df6d4a6dace07a12308ee533fc80dd499308875dbe1b7e42a7

Download Submit
C:\Windows\{2EAB3446-EA6F-4991-8B20-D2F168CF7C58}.exe

Filesize
180KB

MD5
86dcbe878a5c943714d714101412ee7e

SHA1
4bada8998224f1107ddc0cc94c5778fcb787132a

SHA256
2d4be7fa77849aa71cbdda2c0768d6e4431b5bdc35e038b3fb3f1de671cb2069

SHA512
9f1c7e465974ca6bf8924daa8ae1460ff8cc7947fcaab33806d631d0e293ce6aefe8c0cacbaf18df6d4a6dace07a12308ee533fc80dd499308875dbe1b7e42a7

Download Submit
C:\Windows\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe

Filesize
180KB

MD5
6b70ac7c36d35a273888101baa435cca

SHA1
8736eb371414ba8fb589461a37ba37a07364f239

SHA256
9993ae6fd4697716dbd7f587d3321bf10a8bfbcdd7a79b66a27a60226f93a7b4

SHA512
aae1f28e97dbff2674941ad35dd04c7866196eaa17c6395b0a4fc35fd568eb806255d16ac5a77be534a9e8860345afa083f2fcc5bb302badae9614d60e17d3f5

Download Submit
C:\Windows\{32786126-3124-46a8-AD2E-B7400EDDF086}.exe

Filesize
180KB

MD5
6b70ac7c36d35a273888101baa435cca

SHA1
8736eb371414ba8fb589461a37ba37a07364f239

SHA256
9993ae6fd4697716dbd7f587d3321bf10a8bfbcdd7a79b66a27a60226f93a7b4

SHA512
aae1f28e97dbff2674941ad35dd04c7866196eaa17c6395b0a4fc35fd568eb806255d16ac5a77be534a9e8860345afa083f2fcc5bb302badae9614d60e17d3f5

Download Submit
C:\Windows\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe

Filesize
180KB

MD5
306c1f74f149908a02001f93dd5b8ee8

SHA1
a015b3c31c38f48006b776e0ddfa15a121586bdb

SHA256
117c8bd5384ece5477ca0356b4fb456b9df588df3e1248d685347593318c69cf

SHA512
7ea805f1f5df49ced7b07c6b2a2c83785863fa1b8d2ec6eb5735339951f2a8a048d8a7bfa805565a17b8d14bbc48e94dfbbcd9cdf8f1174768ef15836d57bdea

Download Submit
C:\Windows\{36041F06-814B-4de0-BCBA-AE32027B0737}.exe

Filesize
180KB

MD5
306c1f74f149908a02001f93dd5b8ee8

SHA1
a015b3c31c38f48006b776e0ddfa15a121586bdb

SHA256
117c8bd5384ece5477ca0356b4fb456b9df588df3e1248d685347593318c69cf

SHA512
7ea805f1f5df49ced7b07c6b2a2c83785863fa1b8d2ec6eb5735339951f2a8a048d8a7bfa805565a17b8d14bbc48e94dfbbcd9cdf8f1174768ef15836d57bdea

Download Submit
C:\Windows\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe

Filesize
180KB

MD5
57d6155067843ad56cbd1645d7f5d6d0

SHA1
8330417ae6778c4a190d120b6303d942c93ed460

SHA256
5f1cb9e790abce2a2cef18c5d8c4b1b7d4f13818b93b32feb88f0c63d64a76e3

SHA512
33ed10a1205a5bbeeec777eaf29e5fef15309481cfa1d7dd9d26590e5300bc6849633aea8a080dcd7f5c6b628231dcb10128d664881ee2347bab0fcd37e6cd43

Download Submit
C:\Windows\{47B56296-B3BA-403a-A449-2C05FBF76D9B}.exe

Filesize
180KB

MD5
57d6155067843ad56cbd1645d7f5d6d0

SHA1
8330417ae6778c4a190d120b6303d942c93ed460

SHA256
5f1cb9e790abce2a2cef18c5d8c4b1b7d4f13818b93b32feb88f0c63d64a76e3

SHA512
33ed10a1205a5bbeeec777eaf29e5fef15309481cfa1d7dd9d26590e5300bc6849633aea8a080dcd7f5c6b628231dcb10128d664881ee2347bab0fcd37e6cd43

Download Submit
C:\Windows\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe

Filesize
180KB

MD5
eac6e22f7018d325540c5761976ec2dd

SHA1
57523d33f78a4e6fa142d46acc63bd687f5f3b1f

SHA256
cba50dd2dc0594b5f4b4e9fa56ce877ffeb2df27f734dbdf81963e407886bf8b

SHA512
00345635dbb9e6249d971e596e71aac03b67044575d6665620909c135d4e63f2c655a6ab1f496753c176c9c3b8a0ff77153b4d8ee85ec829716ae8ba92eeefc3

Download Submit
C:\Windows\{47DAA00A-3BF1-4e5d-BFC7-E6C732CD74F8}.exe

Filesize
180KB

MD5
eac6e22f7018d325540c5761976ec2dd

SHA1
57523d33f78a4e6fa142d46acc63bd687f5f3b1f

SHA256
cba50dd2dc0594b5f4b4e9fa56ce877ffeb2df27f734dbdf81963e407886bf8b

SHA512
00345635dbb9e6249d971e596e71aac03b67044575d6665620909c135d4e63f2c655a6ab1f496753c176c9c3b8a0ff77153b4d8ee85ec829716ae8ba92eeefc3

Download Submit
C:\Windows\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe

Filesize
180KB

MD5
7a7eb3e2fe8b50d1a01f59f2ab7fc11a

SHA1
599c032940e5c979809b5be9e696c7614b1041e8

SHA256
7f3a282a642904f79f5fff45dda902746337bd7ee565b5f033c41624deac3c37

SHA512
5f5c2d0d59971672f0c3921ae85e66b05d1c4d9fbc8a4e1023d5f0f9c2ad11b02de53364d5b8b0415c1ae19a6dd597dfd1f72f138b1de41e993e29580041cb0b

Download Submit
C:\Windows\{5F1901E2-20FA-41f5-AEC0-51744337C05C}.exe

Filesize
180KB

MD5
7a7eb3e2fe8b50d1a01f59f2ab7fc11a

SHA1
599c032940e5c979809b5be9e696c7614b1041e8

SHA256
7f3a282a642904f79f5fff45dda902746337bd7ee565b5f033c41624deac3c37

SHA512
5f5c2d0d59971672f0c3921ae85e66b05d1c4d9fbc8a4e1023d5f0f9c2ad11b02de53364d5b8b0415c1ae19a6dd597dfd1f72f138b1de41e993e29580041cb0b

Download Submit
C:\Windows\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe

Filesize
180KB

MD5
f2b9a2b0d086aa059d536cc0a7fc0f67

SHA1
903cce62662075c250abdca8de188bea168de384

SHA256
6f4cc3497bc1517972d417a3ec318b0f5d9b957240ca1c00dacc737f5263330c

SHA512
96eae3520830eaa57e6df0a64001deaa2b3f43797144a69ca3133367f55a03b3f750bd06de26ae691d5b4b420f36c06b9148765f7905cebdef9b028e639e866a

Download Submit
C:\Windows\{91017072-5CE4-4e16-9BEB-B8AFFCA43996}.exe

Filesize
180KB

MD5
f2b9a2b0d086aa059d536cc0a7fc0f67

SHA1
903cce62662075c250abdca8de188bea168de384

SHA256
6f4cc3497bc1517972d417a3ec318b0f5d9b957240ca1c00dacc737f5263330c

SHA512
96eae3520830eaa57e6df0a64001deaa2b3f43797144a69ca3133367f55a03b3f750bd06de26ae691d5b4b420f36c06b9148765f7905cebdef9b028e639e866a

Download Submit
C:\Windows\{A19D2374-2263-44d0-B845-90865DDC285D}.exe

Filesize
180KB

MD5
b4f2ee843ea5ac4a03eb7b07163d7c68

SHA1
b1fa4c82e7a70464059b5823cfbb13ba606bf318

SHA256
336cc7ea8935f9287ab9c3e5cb75704ba5a2bf78fbea015b92749d76e36af967

SHA512
fb30e65af739f853029d64ee4ace956c2c65bed0dc2b84c10112cd894f23557d401fc7e9c5f3ecfce7c8f30bd415ad665012d962d244c8779e1608677187d516

Download Submit
C:\Windows\{A19D2374-2263-44d0-B845-90865DDC285D}.exe

Filesize
180KB

MD5
b4f2ee843ea5ac4a03eb7b07163d7c68

SHA1
b1fa4c82e7a70464059b5823cfbb13ba606bf318

SHA256
336cc7ea8935f9287ab9c3e5cb75704ba5a2bf78fbea015b92749d76e36af967

SHA512
fb30e65af739f853029d64ee4ace956c2c65bed0dc2b84c10112cd894f23557d401fc7e9c5f3ecfce7c8f30bd415ad665012d962d244c8779e1608677187d516

Download Submit
C:\Windows\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe

Filesize
180KB

MD5
f075dfb9483c9b4760b9f493c533d893

SHA1
e885f4939ffd7f5262cc645a69d3887a9f3fc6da

SHA256
5c5badc3ee0c2124a92b3c8643865c6946346ee141f5aa5208d42b304b7a4afb

SHA512
8247a9a7802db381f2a22beb321299a2e22ba1cd559176baaf4ecf5765677caa7b4328cfef86a815668820cf039ee359aa2585b551d23757ca58cc4e62d2d5e7

Download Submit
C:\Windows\{C21252F1-E801-47b9-9E43-3B9EDF83C163}.exe

Filesize
180KB

MD5
f075dfb9483c9b4760b9f493c533d893

SHA1
e885f4939ffd7f5262cc645a69d3887a9f3fc6da

SHA256
5c5badc3ee0c2124a92b3c8643865c6946346ee141f5aa5208d42b304b7a4afb

SHA512
8247a9a7802db381f2a22beb321299a2e22ba1cd559176baaf4ecf5765677caa7b4328cfef86a815668820cf039ee359aa2585b551d23757ca58cc4e62d2d5e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads