036cc1e59438339d40bf888ec7e0cd4b9b18ee7b0bcb2b49a795dcfde1bf7d71

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Size

180KB
MD5

428059bf6fe64f508babe3a27550a395
SHA1

fd4468b844a0b41c027f9920ecb99b0175f2cfdf
SHA256

036cc1e59438339d40bf888ec7e0cd4b9b18ee7b0bcb2b49a795dcfde1bf7d71
SHA512

30093ffdf1e83a56b64827622971464854ab84ffe095781d71f4435d24b0e4bea1c388c5905e9569c95f1df615c1482392ab016ad036a2ae5828f2858b757739
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85326CA7-62F8-42cf-919B-1C6738429A88}	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83F98B3-3766-45b7-A364-F31704C9CE6B}	{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83F98B3-3766-45b7-A364-F31704C9CE6B}\stubpath = "C:\\Windows\\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe"	{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}\stubpath = "C:\\Windows\\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe"	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07BD8411-4272-4d56-8516-372F264664F1}\stubpath = "C:\\Windows\\{07BD8411-4272-4d56-8516-372F264664F1}.exe"	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}\stubpath = "C:\\Windows\\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe"	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC33265-A503-45ae-84DD-144F7C937EA4}\stubpath = "C:\\Windows\\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe"	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85326CA7-62F8-42cf-919B-1C6738429A88}\stubpath = "C:\\Windows\\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe"	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07BD8411-4272-4d56-8516-372F264664F1}	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}\stubpath = "C:\\Windows\\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe"	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}\stubpath = "C:\\Windows\\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe"	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E853E346-6864-449a-B999-A7C1F4A7F9FA}	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E853E346-6864-449a-B999-A7C1F4A7F9FA}\stubpath = "C:\\Windows\\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe"	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC33265-A503-45ae-84DD-144F7C937EA4}	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}\stubpath = "C:\\Windows\\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe"	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42C86CB9-C45C-4607-98B0-C8A14021717E}	{07BD8411-4272-4d56-8516-372F264664F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42C86CB9-C45C-4607-98B0-C8A14021717E}\stubpath = "C:\\Windows\\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe"	{07BD8411-4272-4d56-8516-372F264664F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}\stubpath = "C:\\Windows\\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe"	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe
4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
1280	{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
3852	{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{07BD8411-4272-4d56-8516-372F264664F1}.exe	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
File created	C:\Windows\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	{07BD8411-4272-4d56-8516-372F264664F1}.exe
File created	C:\Windows\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
File created	C:\Windows\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
File created	C:\Windows\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
File created	C:\Windows\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe	{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
File created	C:\Windows\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
File created	C:\Windows\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
File created	C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
File created	C:\Windows\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
File created	C:\Windows\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
File created	C:\Windows\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
Token: SeIncBasePriorityPrivilege	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
Token: SeIncBasePriorityPrivilege	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
Token: SeIncBasePriorityPrivilege	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
Token: SeIncBasePriorityPrivilege	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe
Token: SeIncBasePriorityPrivilege	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
Token: SeIncBasePriorityPrivilege	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
Token: SeIncBasePriorityPrivilege	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
Token: SeIncBasePriorityPrivilege	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
Token: SeIncBasePriorityPrivilege	3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
Token: SeIncBasePriorityPrivilege	1280	{85326CA7-62F8-42cf-919B-1C6738429A88}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2884	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	92
PID 1804 wrote to memory of 2884	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	92
PID 1804 wrote to memory of 2884	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	92
PID 1804 wrote to memory of 3132	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	93
PID 1804 wrote to memory of 3132	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	93
PID 1804 wrote to memory of 3132	1804	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	93
PID 2884 wrote to memory of 2428	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	94
PID 2884 wrote to memory of 2428	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	94
PID 2884 wrote to memory of 2428	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	94
PID 2884 wrote to memory of 2480	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	95
PID 2884 wrote to memory of 2480	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	95
PID 2884 wrote to memory of 2480	2884	{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe	95
PID 2428 wrote to memory of 3148	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	99
PID 2428 wrote to memory of 3148	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	99
PID 2428 wrote to memory of 3148	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	99
PID 2428 wrote to memory of 3796	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	100
PID 2428 wrote to memory of 3796	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	100
PID 2428 wrote to memory of 3796	2428	{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe	100
PID 3148 wrote to memory of 4592	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	106
PID 3148 wrote to memory of 4592	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	106
PID 3148 wrote to memory of 4592	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	106
PID 3148 wrote to memory of 4244	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	107
PID 3148 wrote to memory of 4244	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	107
PID 3148 wrote to memory of 4244	3148	{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe	107
PID 4592 wrote to memory of 2316	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	108
PID 4592 wrote to memory of 2316	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	108
PID 4592 wrote to memory of 2316	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	108
PID 4592 wrote to memory of 3224	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	109
PID 4592 wrote to memory of 3224	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	109
PID 4592 wrote to memory of 3224	4592	{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe	109
PID 2316 wrote to memory of 4072	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	111
PID 2316 wrote to memory of 4072	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	111
PID 2316 wrote to memory of 4072	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	111
PID 2316 wrote to memory of 2124	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	112
PID 2316 wrote to memory of 2124	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	112
PID 2316 wrote to memory of 2124	2316	{07BD8411-4272-4d56-8516-372F264664F1}.exe	112
PID 4072 wrote to memory of 3764	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	113
PID 4072 wrote to memory of 3764	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	113
PID 4072 wrote to memory of 3764	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	113
PID 4072 wrote to memory of 2572	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	114
PID 4072 wrote to memory of 2572	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	114
PID 4072 wrote to memory of 2572	4072	{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe	114
PID 3764 wrote to memory of 5048	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	115
PID 3764 wrote to memory of 5048	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	115
PID 3764 wrote to memory of 5048	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	115
PID 3764 wrote to memory of 5108	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	116
PID 3764 wrote to memory of 5108	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	116
PID 3764 wrote to memory of 5108	3764	{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe	116
PID 5048 wrote to memory of 2320	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	117
PID 5048 wrote to memory of 2320	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	117
PID 5048 wrote to memory of 2320	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	117
PID 5048 wrote to memory of 1920	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	118
PID 5048 wrote to memory of 1920	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	118
PID 5048 wrote to memory of 1920	5048	{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe	118
PID 2320 wrote to memory of 3840	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	119
PID 2320 wrote to memory of 3840	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	119
PID 2320 wrote to memory of 3840	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	119
PID 2320 wrote to memory of 2868	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	120
PID 2320 wrote to memory of 2868	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	120
PID 2320 wrote to memory of 2868	2320	{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe	120
PID 3840 wrote to memory of 1280	3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe	122
PID 3840 wrote to memory of 1280	3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe	122
PID 3840 wrote to memory of 1280	3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe	122
PID 3840 wrote to memory of 3068	3840	{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe	121

C:\Users\Admin\AppData\Local\Temp\2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
  C:\Windows\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
    C:\Windows\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
      C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
        
        C:\Windows\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\{07BD8411-4272-4d56-8516-372F264664F1}.exe
        
        C:\Windows\{07BD8411-4272-4d56-8516-372F264664F1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
        
        C:\Windows\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
        
        C:\Windows\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
        
        C:\Windows\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
        
        C:\Windows\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
        
        C:\Windows\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D5B~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
        
        C:\Windows\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe
        
        C:\Windows\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe
        13⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85326~1.EXE > nul
        13⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC33~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E853E~1.EXE > nul
        10⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF355~1.EXE > nul
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42C86~1.EXE > nul
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07BD8~1.EXE > nul
        7⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AB1~1.EXE > nul
        6⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B997~1.EXE > nul
        5⤵
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8962A~1.EXE > nul
      4⤵
      PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{163A5~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07BD8411-4272-4d56-8516-372F264664F1}.exe

Filesize
180KB

MD5
6dbc7bad88f57bdc57d474424ada6d0a

SHA1
7abe72e14a03434ad7f020160851fafcd8d567e7

SHA256
7599efd499c4d3ec2642692124b6ee02c212b901731181ebbd1de317ac0ca6a5

SHA512
ea2a5ff11dee9a4a9f1db26f76fb420c32568eb8bacf445ee6402cd55ca1e2c4e4e677ba8315a600a730e9bf1727dcf911868a51b514897c04c376fa2a6d7c04

Download Submit
C:\Windows\{07BD8411-4272-4d56-8516-372F264664F1}.exe

Filesize
180KB

MD5
6dbc7bad88f57bdc57d474424ada6d0a

SHA1
7abe72e14a03434ad7f020160851fafcd8d567e7

SHA256
7599efd499c4d3ec2642692124b6ee02c212b901731181ebbd1de317ac0ca6a5

SHA512
ea2a5ff11dee9a4a9f1db26f76fb420c32568eb8bacf445ee6402cd55ca1e2c4e4e677ba8315a600a730e9bf1727dcf911868a51b514897c04c376fa2a6d7c04

Download Submit
C:\Windows\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe

Filesize
180KB

MD5
35b0e6d548b34dda6c626f09d8411c65

SHA1
eb9b680117df636aa32ac5844d01587f7d9cc132

SHA256
c1869f3241e6593cc5a466ff875530d4ef695c9ad7fea666fbf17e8b158463e8

SHA512
26331c43883b42dab41c0b0adfd35b5cbbed36b3988098485d89c951da0b8b0023cca28cb7950c1e173df3648bbb92daa6fdfaf77b00c99819c411aad644c0ad

Download Submit
C:\Windows\{163A58AA-2B58-4a8d-A53C-CBACFEDC10FC}.exe

Filesize
180KB

MD5
35b0e6d548b34dda6c626f09d8411c65

SHA1
eb9b680117df636aa32ac5844d01587f7d9cc132

SHA256
c1869f3241e6593cc5a466ff875530d4ef695c9ad7fea666fbf17e8b158463e8

SHA512
26331c43883b42dab41c0b0adfd35b5cbbed36b3988098485d89c951da0b8b0023cca28cb7950c1e173df3648bbb92daa6fdfaf77b00c99819c411aad644c0ad

Download Submit
C:\Windows\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe

Filesize
180KB

MD5
62bd6bb781a88b42f1db5ef8d3bbef65

SHA1
84c523bfafbbd2ab094541390c0040fbb4f79233

SHA256
bf9a0835efcd94537fe6a851e297f1f758f66c65c75e95cf845d8cc525d514ce

SHA512
0b9aab752d54a697f074b4c283819301bd2fa949597bff4994acedd53a9113c8c09babb3f59fd1aff29ab4e8e34f193ae9c1e291e801e5a628595b297a39b7e9

Download Submit
C:\Windows\{16AB1A8C-4EA2-4105-81CD-B7982E5F06F6}.exe

Filesize
180KB

MD5
62bd6bb781a88b42f1db5ef8d3bbef65

SHA1
84c523bfafbbd2ab094541390c0040fbb4f79233

SHA256
bf9a0835efcd94537fe6a851e297f1f758f66c65c75e95cf845d8cc525d514ce

SHA512
0b9aab752d54a697f074b4c283819301bd2fa949597bff4994acedd53a9113c8c09babb3f59fd1aff29ab4e8e34f193ae9c1e291e801e5a628595b297a39b7e9

Download Submit
C:\Windows\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe

Filesize
180KB

MD5
6ecfd3fd58993413d5869cc6ad681754

SHA1
bdb5819bbc2f6d3f8f6e8e47a880c13ed773ca76

SHA256
41ad644ae4a5670f8ed5a74c137610160da665977dc1556820402a840e3b09b9

SHA512
4b5caaf9b9ef87551588572f36c1b64ae46d5ba3e6c8f558109d53ecd43b10507d1da7917f99639eba58215c6102a40f3c545ea174c23187561e46c9bf31f357

Download Submit
C:\Windows\{17D5BD70-E94A-41e1-99BD-27018DE4DA0D}.exe

Filesize
180KB

MD5
6ecfd3fd58993413d5869cc6ad681754

SHA1
bdb5819bbc2f6d3f8f6e8e47a880c13ed773ca76

SHA256
41ad644ae4a5670f8ed5a74c137610160da665977dc1556820402a840e3b09b9

SHA512
4b5caaf9b9ef87551588572f36c1b64ae46d5ba3e6c8f558109d53ecd43b10507d1da7917f99639eba58215c6102a40f3c545ea174c23187561e46c9bf31f357

Download Submit
C:\Windows\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe

Filesize
180KB

MD5
2b1c436e962f6fe3a3ea1ea708f31b8b

SHA1
99b9b95216c9d8c93203e3049c5b6726c690b3f9

SHA256
994a6de9344b08452d776557c9b6e3db31df44da170533db8638e2b17dfc3271

SHA512
d6215699b545963498cd7c9ab1feb9a8eace30badfd4667fd65400d46111171e008f8d60d2f35b62a17e5b333b59d99b45ab0288494813edb9c82837a2c654b0

Download Submit
C:\Windows\{42C86CB9-C45C-4607-98B0-C8A14021717E}.exe

Filesize
180KB

MD5
2b1c436e962f6fe3a3ea1ea708f31b8b

SHA1
99b9b95216c9d8c93203e3049c5b6726c690b3f9

SHA256
994a6de9344b08452d776557c9b6e3db31df44da170533db8638e2b17dfc3271

SHA512
d6215699b545963498cd7c9ab1feb9a8eace30badfd4667fd65400d46111171e008f8d60d2f35b62a17e5b333b59d99b45ab0288494813edb9c82837a2c654b0

Download Submit
C:\Windows\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe

Filesize
180KB

MD5
c2e035fd8a69dc93df10f91ecdd430b0

SHA1
48f43bd6480c7f16e53ad175992002a9896639a5

SHA256
b4e3b68d86c4065b58cbe93876de6f1c1d1bf0efb15cc320ef75c1983843ffee

SHA512
59d8a5ec8ae102e957cc496b139e76fec2c30a0bef3118923ed459860b75e662cf159968277089c106e73c0b9386ac8eafdc122da250e9fe417db6f88826dd4b

Download Submit
C:\Windows\{85326CA7-62F8-42cf-919B-1C6738429A88}.exe

Filesize
180KB

MD5
c2e035fd8a69dc93df10f91ecdd430b0

SHA1
48f43bd6480c7f16e53ad175992002a9896639a5

SHA256
b4e3b68d86c4065b58cbe93876de6f1c1d1bf0efb15cc320ef75c1983843ffee

SHA512
59d8a5ec8ae102e957cc496b139e76fec2c30a0bef3118923ed459860b75e662cf159968277089c106e73c0b9386ac8eafdc122da250e9fe417db6f88826dd4b

Download Submit
C:\Windows\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe

Filesize
180KB

MD5
72c1aac5d0c6e96ffbc52d6487c5a960

SHA1
861798121e3fa330ab13b55ec60e4ff3937e28cb

SHA256
a7c90f48c335c57fcdccb8f53e23f5c67304fc207a1515ad4c0d77f438250bf2

SHA512
cce7d4764ff35b6aafa821fdcb914e4d6581b863ba575cee245e6cfd24ebbc5f25fcbb1bc7a106f31477b2940549bccb9807a9ec6bef5ffcb1b818ead25b7c35

Download Submit
C:\Windows\{8962A612-CEFB-4b4b-B7D3-FD1EE3269B8F}.exe

Filesize
180KB

MD5
72c1aac5d0c6e96ffbc52d6487c5a960

SHA1
861798121e3fa330ab13b55ec60e4ff3937e28cb

SHA256
a7c90f48c335c57fcdccb8f53e23f5c67304fc207a1515ad4c0d77f438250bf2

SHA512
cce7d4764ff35b6aafa821fdcb914e4d6581b863ba575cee245e6cfd24ebbc5f25fcbb1bc7a106f31477b2940549bccb9807a9ec6bef5ffcb1b818ead25b7c35

Download Submit
C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe

Filesize
180KB

MD5
0831e1b4190bb1fa0f81c84924ad9cae

SHA1
daa027042e6c41245c302b10df1a79accca9e5f7

SHA256
fa828d4398f17282185e3cacd66145c6c493b9af219481578ecc6fb433491f36

SHA512
e99238c2eaaf11dc5769ccbb913be340b90717c311c7bb9a0410b39bb3746c1fade4a2207fd62f78b74d89cf329f9331d71ce94d89614bf94af6ae617ae5bd9d

Download Submit
C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe

Filesize
180KB

MD5
0831e1b4190bb1fa0f81c84924ad9cae

SHA1
daa027042e6c41245c302b10df1a79accca9e5f7

SHA256
fa828d4398f17282185e3cacd66145c6c493b9af219481578ecc6fb433491f36

SHA512
e99238c2eaaf11dc5769ccbb913be340b90717c311c7bb9a0410b39bb3746c1fade4a2207fd62f78b74d89cf329f9331d71ce94d89614bf94af6ae617ae5bd9d

Download Submit
C:\Windows\{8B997C4F-59AF-4bdb-A8FF-25543F398F56}.exe

Filesize
180KB

MD5
0831e1b4190bb1fa0f81c84924ad9cae

SHA1
daa027042e6c41245c302b10df1a79accca9e5f7

SHA256
fa828d4398f17282185e3cacd66145c6c493b9af219481578ecc6fb433491f36

SHA512
e99238c2eaaf11dc5769ccbb913be340b90717c311c7bb9a0410b39bb3746c1fade4a2207fd62f78b74d89cf329f9331d71ce94d89614bf94af6ae617ae5bd9d

Download Submit
C:\Windows\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe

Filesize
180KB

MD5
ef6ac1a7cf0795460e54a6a1b2911920

SHA1
c6ee1d38a6c46ff2fd515f414be2155e294ca1b2

SHA256
416c2d604d73287932a1dff2c0fd23d01740ac7e2ba8f554273559ef17bd2a53

SHA512
b2fb9e432f55f19a8d15ed3377f0ebf135f1c874e091745980148c675849d06f187f63ec9258997e8a9cf8fb2e45bccebf6a0080c0e98f0e94553fb0c11b1ec2

Download Submit
C:\Windows\{BCC33265-A503-45ae-84DD-144F7C937EA4}.exe

Filesize
180KB

MD5
ef6ac1a7cf0795460e54a6a1b2911920

SHA1
c6ee1d38a6c46ff2fd515f414be2155e294ca1b2

SHA256
416c2d604d73287932a1dff2c0fd23d01740ac7e2ba8f554273559ef17bd2a53

SHA512
b2fb9e432f55f19a8d15ed3377f0ebf135f1c874e091745980148c675849d06f187f63ec9258997e8a9cf8fb2e45bccebf6a0080c0e98f0e94553fb0c11b1ec2

Download Submit
C:\Windows\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe

Filesize
180KB

MD5
2e65ca866490addc1a5bd8c8b3caf9b9

SHA1
67d02c2918dc7f90f87882e1532dfc5c44c8946c

SHA256
77de8688df9549df0318dc7c04da8d8cbed5757ef89d97d03a7c877f6e06bf30

SHA512
5bfd92f9aaa10285ec346e8fee4b244b2f82dc07032cbafaaa779b7d01d0e6d63a12354ae6487b7721baeab7bb65741b000ed895fd6c07c3c1f3c4e5a2c1753c

Download Submit
C:\Windows\{DF35569D-D7DE-4c5a-AFEC-A946449DAEDA}.exe

Filesize
180KB

MD5
2e65ca866490addc1a5bd8c8b3caf9b9

SHA1
67d02c2918dc7f90f87882e1532dfc5c44c8946c

SHA256
77de8688df9549df0318dc7c04da8d8cbed5757ef89d97d03a7c877f6e06bf30

SHA512
5bfd92f9aaa10285ec346e8fee4b244b2f82dc07032cbafaaa779b7d01d0e6d63a12354ae6487b7721baeab7bb65741b000ed895fd6c07c3c1f3c4e5a2c1753c

Download Submit
C:\Windows\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe

Filesize
180KB

MD5
089ac8548dfdc0b6beca5711b283df61

SHA1
da3a173d67ee16a0f95051a9bf8ac7cee7a26bfc

SHA256
167a4a54a66e0a247672c64c7b98d99628d3e42806f4adaebac5f525b5861abb

SHA512
9ca6bb77f7212a56e718a7ed90845632b859bfb64e5782e0c873253c5dd98391088e20c12c8b2b9527b46f8bda492c9ba78d88a3400ad8bb598241bc8133c6e2

Download Submit
C:\Windows\{E83F98B3-3766-45b7-A364-F31704C9CE6B}.exe

Filesize
180KB

MD5
089ac8548dfdc0b6beca5711b283df61

SHA1
da3a173d67ee16a0f95051a9bf8ac7cee7a26bfc

SHA256
167a4a54a66e0a247672c64c7b98d99628d3e42806f4adaebac5f525b5861abb

SHA512
9ca6bb77f7212a56e718a7ed90845632b859bfb64e5782e0c873253c5dd98391088e20c12c8b2b9527b46f8bda492c9ba78d88a3400ad8bb598241bc8133c6e2

Download Submit
C:\Windows\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe

Filesize
180KB

MD5
91b66f35c1afb8a27f58864b6fe7958c

SHA1
da840bbbed908b9765c1fe85920be4bde91100b6

SHA256
c374b26509fe03f757618a3d2949c488ae55e6b7806b3f55998e62f6c23e4ae8

SHA512
f0a1f3aba1361e6080a38623cba498d8915b5b49d7495a5f68e1ede9b7e61e6414e7e3cb5dea210679e9c23da080264477ac0afd8ef8a1e67600b4579a3155c9

Download Submit
C:\Windows\{E853E346-6864-449a-B999-A7C1F4A7F9FA}.exe

Filesize
180KB

MD5
91b66f35c1afb8a27f58864b6fe7958c

SHA1
da840bbbed908b9765c1fe85920be4bde91100b6

SHA256
c374b26509fe03f757618a3d2949c488ae55e6b7806b3f55998e62f6c23e4ae8

SHA512
f0a1f3aba1361e6080a38623cba498d8915b5b49d7495a5f68e1ede9b7e61e6414e7e3cb5dea210679e9c23da080264477ac0afd8ef8a1e67600b4579a3155c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads