bedda55a233c9dff70e80311718207465dd17795b582f3b73bef45de9f5eac1e

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-08-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Size

204KB
MD5

21c7814c95e5a510c2e6e538e62dba15
SHA1

e57d1312d10c43a981299c12af06d54fda5ac902
SHA256

bedda55a233c9dff70e80311718207465dd17795b582f3b73bef45de9f5eac1e
SHA512

e02466efd77a6412dd16732fa958234e552a7e20a5e5f8c732c6b101b00c1e159c12658711ea95fbcaeb987e14d766b5b64749740a8ae276373a369188ffd55e
SSDEEP

1536:1EGh0oTl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oTl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}\stubpath = "C:\\Windows\\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe"	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6039D1F9-2528-45d0-95B2-272CFB316F28}\stubpath = "C:\\Windows\\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe"	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89BE16B-FA5D-410a-B248-F41E55C20820}\stubpath = "C:\\Windows\\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe"	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209E5524-AC7D-4250-894F-A83DD50FF073}\stubpath = "C:\\Windows\\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe"	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}\stubpath = "C:\\Windows\\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe"	{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}\stubpath = "C:\\Windows\\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe"	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AF673C-832F-46bd-AD48-C14E94BFD02C}	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C89BE16B-FA5D-410a-B248-F41E55C20820}	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209E5524-AC7D-4250-894F-A83DD50FF073}	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}\stubpath = "C:\\Windows\\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe"	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AF673C-832F-46bd-AD48-C14E94BFD02C}\stubpath = "C:\\Windows\\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe"	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}\stubpath = "C:\\Windows\\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe"	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}\stubpath = "C:\\Windows\\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe"	{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6039D1F9-2528-45d0-95B2-272CFB316F28}	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}	{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}	{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{442003D9-CB40-4e4b-BF98-BD35866FA555}	{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{442003D9-CB40-4e4b-BF98-BD35866FA555}\stubpath = "C:\\Windows\\{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe"	{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe

Executes dropped EXE 11 IoCs

pid	Process
1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
980	{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
2684	{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
832	{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe
2276	{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
File created	C:\Windows\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe	{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
File created	C:\Windows\{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe	{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe
File created	C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
File created	C:\Windows\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
File created	C:\Windows\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
File created	C:\Windows\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
File created	C:\Windows\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
File created	C:\Windows\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
File created	C:\Windows\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
File created	C:\Windows\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe	{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
Token: SeIncBasePriorityPrivilege	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
Token: SeIncBasePriorityPrivilege	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
Token: SeIncBasePriorityPrivilege	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
Token: SeIncBasePriorityPrivilege	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
Token: SeIncBasePriorityPrivilege	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
Token: SeIncBasePriorityPrivilege	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
Token: SeIncBasePriorityPrivilege	980	{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
Token: SeIncBasePriorityPrivilege	2684	{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
Token: SeIncBasePriorityPrivilege	832	{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1564	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	28
PID 1216 wrote to memory of 1564	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	28
PID 1216 wrote to memory of 1564	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	28
PID 1216 wrote to memory of 1564	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	28
PID 1216 wrote to memory of 2412	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	29
PID 1216 wrote to memory of 2412	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	29
PID 1216 wrote to memory of 2412	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	29
PID 1216 wrote to memory of 2412	1216	2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe	29
PID 1564 wrote to memory of 2548	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	30
PID 1564 wrote to memory of 2548	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	30
PID 1564 wrote to memory of 2548	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	30
PID 1564 wrote to memory of 2548	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	30
PID 1564 wrote to memory of 2856	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	31
PID 1564 wrote to memory of 2856	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	31
PID 1564 wrote to memory of 2856	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	31
PID 1564 wrote to memory of 2856	1564	{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe	31
PID 2548 wrote to memory of 2868	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	34
PID 2548 wrote to memory of 2868	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	34
PID 2548 wrote to memory of 2868	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	34
PID 2548 wrote to memory of 2868	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	34
PID 2548 wrote to memory of 2732	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	35
PID 2548 wrote to memory of 2732	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	35
PID 2548 wrote to memory of 2732	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	35
PID 2548 wrote to memory of 2732	2548	{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe	35
PID 2868 wrote to memory of 2260	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	36
PID 2868 wrote to memory of 2260	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	36
PID 2868 wrote to memory of 2260	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	36
PID 2868 wrote to memory of 2260	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	36
PID 2868 wrote to memory of 2876	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	37
PID 2868 wrote to memory of 2876	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	37
PID 2868 wrote to memory of 2876	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	37
PID 2868 wrote to memory of 2876	2868	{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe	37
PID 2260 wrote to memory of 2704	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	39
PID 2260 wrote to memory of 2704	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	39
PID 2260 wrote to memory of 2704	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	39
PID 2260 wrote to memory of 2704	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	39
PID 2260 wrote to memory of 2736	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	38
PID 2260 wrote to memory of 2736	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	38
PID 2260 wrote to memory of 2736	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	38
PID 2260 wrote to memory of 2736	2260	{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe	38
PID 2704 wrote to memory of 2192	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	40
PID 2704 wrote to memory of 2192	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	40
PID 2704 wrote to memory of 2192	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	40
PID 2704 wrote to memory of 2192	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	40
PID 2704 wrote to memory of 2180	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	41
PID 2704 wrote to memory of 2180	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	41
PID 2704 wrote to memory of 2180	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	41
PID 2704 wrote to memory of 2180	2704	{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe	41
PID 2192 wrote to memory of 2316	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	43
PID 2192 wrote to memory of 2316	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	43
PID 2192 wrote to memory of 2316	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	43
PID 2192 wrote to memory of 2316	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	43
PID 2192 wrote to memory of 768	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	42
PID 2192 wrote to memory of 768	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	42
PID 2192 wrote to memory of 768	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	42
PID 2192 wrote to memory of 768	2192	{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe	42
PID 2316 wrote to memory of 980	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	44
PID 2316 wrote to memory of 980	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	44
PID 2316 wrote to memory of 980	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	44
PID 2316 wrote to memory of 980	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	44
PID 2316 wrote to memory of 1484	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	45
PID 2316 wrote to memory of 1484	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	45
PID 2316 wrote to memory of 1484	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	45
PID 2316 wrote to memory of 1484	2316	{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_21c7814c95e5a510c2e6e538e62dba15_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
  C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
    C:\Windows\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
      C:\Windows\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
        
        C:\Windows\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55AF6~1.EXE > nul
        6⤵
        
        PID:2736
      - C:\Windows\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
        
        C:\Windows\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
        
        C:\Windows\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FCE8~1.EXE > nul
        8⤵
        
        PID:768
        
        C:\Windows\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
        
        C:\Windows\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
        
        C:\Windows\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
        
        C:\Windows\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe
        
        C:\Windows\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEDB2~1.EXE > nul
        12⤵
        
        PID:1072
        
        C:\Windows\{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe
        
        C:\Windows\{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe
        12⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEEA~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{209E5~1.EXE > nul
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89BE~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6039D~1.EXE > nul
        7⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80F88~1.EXE > nul
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E02E~1.EXE > nul
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC1B6~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe

Filesize
204KB

MD5
ff8dbdc1e78f46114ce43796c804b3d3

SHA1
0b9d200f9da86017d902b1b2eb0a8d64cb004252

SHA256
9722f43dcc66a0fdbc77bbe40b65a01beee68c75ada20ed37924c9441385bdde

SHA512
7bc8ec84a028b01d5cdb1c763dee83b45c39a41813e7dc904e29b2991c6bcd2ab27d77b2b707d9202c8ebaa998e52a65d8d0552321061190966f0a9153fb0142

Download Submit
C:\Windows\{1FCE8EA9-EECA-434a-B4E1-A566BB60F0FC}.exe

Filesize
204KB

MD5
ff8dbdc1e78f46114ce43796c804b3d3

SHA1
0b9d200f9da86017d902b1b2eb0a8d64cb004252

SHA256
9722f43dcc66a0fdbc77bbe40b65a01beee68c75ada20ed37924c9441385bdde

SHA512
7bc8ec84a028b01d5cdb1c763dee83b45c39a41813e7dc904e29b2991c6bcd2ab27d77b2b707d9202c8ebaa998e52a65d8d0552321061190966f0a9153fb0142

Download Submit
C:\Windows\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe

Filesize
204KB

MD5
b1e32f6c6e163859c79fabc39dc725b7

SHA1
7d2bc72661f12c4209f6e26d4bbe5906862955c6

SHA256
6a7ec96849fe7b3a48464cb78354a9f7eabc0707efe5afe9273c8f3dbbe35b42

SHA512
a169e014e1c7159d720be41b55b3b1282809e8776aa0e4e3efcf2cd6cbc66ba2c88c50a42a6812a4ff6e0bd3123b7684e0774da669a2bb891801522fb6e1661c

Download Submit
C:\Windows\{209E5524-AC7D-4250-894F-A83DD50FF073}.exe

Filesize
204KB

MD5
b1e32f6c6e163859c79fabc39dc725b7

SHA1
7d2bc72661f12c4209f6e26d4bbe5906862955c6

SHA256
6a7ec96849fe7b3a48464cb78354a9f7eabc0707efe5afe9273c8f3dbbe35b42

SHA512
a169e014e1c7159d720be41b55b3b1282809e8776aa0e4e3efcf2cd6cbc66ba2c88c50a42a6812a4ff6e0bd3123b7684e0774da669a2bb891801522fb6e1661c

Download Submit
C:\Windows\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe

Filesize
204KB

MD5
ebc3954ffbf3e245d11d9ead4c9a804e

SHA1
2e51c9fecd3978b3ebd306ba4ec9eb5bb3396b31

SHA256
69438abe8dec735057aa928c0c0e8f83f86e782a06744e948d2ef9968daa7fd4

SHA512
edeb98daf4dcff0fc5540bb2f3824b5aebb466e7e377e4bc71d301f47c5b031d3d381339bba1970854511f435613de5f7ab24996bd8860fa30ab947b2017f6cf

Download Submit
C:\Windows\{2E02E9C0-B84E-4896-9CF0-F46548F4EA9A}.exe

Filesize
204KB

MD5
ebc3954ffbf3e245d11d9ead4c9a804e

SHA1
2e51c9fecd3978b3ebd306ba4ec9eb5bb3396b31

SHA256
69438abe8dec735057aa928c0c0e8f83f86e782a06744e948d2ef9968daa7fd4

SHA512
edeb98daf4dcff0fc5540bb2f3824b5aebb466e7e377e4bc71d301f47c5b031d3d381339bba1970854511f435613de5f7ab24996bd8860fa30ab947b2017f6cf

Download Submit
C:\Windows\{442003D9-CB40-4e4b-BF98-BD35866FA555}.exe

Filesize
204KB

MD5
08375ba930a83927f90e166e7d82ae28

SHA1
58bce56a6dfe8265570cfd15cf723541a5d620af

SHA256
096f75673d34eb63f9cab68447f456cf9c3de5ea0929663dda0f6c7086a48461

SHA512
6cce572d990714caaa138ab9b7952246df363360ccca9a884437f5bf1139de4df730d6f85b4f2767136eaba4422ea0c8a4f1fc7026afb841bcd2cf00f9440b3a

Download Submit
C:\Windows\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe

Filesize
204KB

MD5
0aa94772c528db90bc11d2a8069df4ed

SHA1
719dc90aea4ba5e796140777de20ba6777d675b5

SHA256
6e1dc6905d212d6bd56f8a1eb1f64ed3231f71933319ad988aa89b612b284ed9

SHA512
92f1abb7b0ee5d0c33846b986b570e86b6124634dc600751acf80f5b009f21be48d020d1900b59ef9cf547aea8bd19b8a6833e84a9a5f95fb9a00c2b75690305

Download Submit
C:\Windows\{55AF673C-832F-46bd-AD48-C14E94BFD02C}.exe

Filesize
204KB

MD5
0aa94772c528db90bc11d2a8069df4ed

SHA1
719dc90aea4ba5e796140777de20ba6777d675b5

SHA256
6e1dc6905d212d6bd56f8a1eb1f64ed3231f71933319ad988aa89b612b284ed9

SHA512
92f1abb7b0ee5d0c33846b986b570e86b6124634dc600751acf80f5b009f21be48d020d1900b59ef9cf547aea8bd19b8a6833e84a9a5f95fb9a00c2b75690305

Download Submit
C:\Windows\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe

Filesize
204KB

MD5
b804bb250b8cfb3adb8f4e3ec0a4c8af

SHA1
64d28f1053e1d59f9c0c7db76be496434e5fb2cd

SHA256
51b9d7277e43e05f976509c71430eb55009d6261ef696ec9f71eec7b1606cad9

SHA512
0c5b50545e6ff11fdde89aef426a2faf39f5684ef9fbddb3bd34f085feb4266925050577f1a6f21f1b43f7ec420e369803ddb8bdf1d53f2f61ec4f52b6173291

Download Submit
C:\Windows\{6039D1F9-2528-45d0-95B2-272CFB316F28}.exe

Filesize
204KB

MD5
b804bb250b8cfb3adb8f4e3ec0a4c8af

SHA1
64d28f1053e1d59f9c0c7db76be496434e5fb2cd

SHA256
51b9d7277e43e05f976509c71430eb55009d6261ef696ec9f71eec7b1606cad9

SHA512
0c5b50545e6ff11fdde89aef426a2faf39f5684ef9fbddb3bd34f085feb4266925050577f1a6f21f1b43f7ec420e369803ddb8bdf1d53f2f61ec4f52b6173291

Download Submit
C:\Windows\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe

Filesize
204KB

MD5
c756817fdbbf1a65836b2052745cd41d

SHA1
17c02ec07a9ed1fa50cb1c9a8b5aeed8d61eebe4

SHA256
0d05f75f5d8eef21f042e1d3cc1167123e234cf1943534bea75fceb446f20e80

SHA512
390a9299be8ee59e8545c44a3f50234ac93726770319c721e54e7fb21107780a34c1237dbe830b0b6bbb751cf455a12746bc0149edb95d9a5431342d4986d14f

Download Submit
C:\Windows\{80F88E64-AC9B-4c0d-8C02-DE1ADA5CD9C8}.exe

Filesize
204KB

MD5
c756817fdbbf1a65836b2052745cd41d

SHA1
17c02ec07a9ed1fa50cb1c9a8b5aeed8d61eebe4

SHA256
0d05f75f5d8eef21f042e1d3cc1167123e234cf1943534bea75fceb446f20e80

SHA512
390a9299be8ee59e8545c44a3f50234ac93726770319c721e54e7fb21107780a34c1237dbe830b0b6bbb751cf455a12746bc0149edb95d9a5431342d4986d14f

Download Submit
C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe

Filesize
204KB

MD5
725f35092dbe27b8e5980250bd3627d7

SHA1
9c8d207734fdf6705f161be70cf82a3e3e0f4f7d

SHA256
f97b2d2fdbe86df7040be28cbd14c0ae80d4f94abf0ed7a1f8dd2c0d30f7494d

SHA512
4e9bc7e930f0616652554e41f70698c2d85c117830692ecd1856a1e9069439af3d44befe2ac02174244d9069bff5d252e4c5daa6a553bbd7dfeb01be7eff324f

Download Submit
C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe

Filesize
204KB

MD5
725f35092dbe27b8e5980250bd3627d7

SHA1
9c8d207734fdf6705f161be70cf82a3e3e0f4f7d

SHA256
f97b2d2fdbe86df7040be28cbd14c0ae80d4f94abf0ed7a1f8dd2c0d30f7494d

SHA512
4e9bc7e930f0616652554e41f70698c2d85c117830692ecd1856a1e9069439af3d44befe2ac02174244d9069bff5d252e4c5daa6a553bbd7dfeb01be7eff324f

Download Submit
C:\Windows\{AC1B604E-E955-4ee5-8104-3C27FD0FDEA9}.exe

Filesize
204KB

MD5
725f35092dbe27b8e5980250bd3627d7

SHA1
9c8d207734fdf6705f161be70cf82a3e3e0f4f7d

SHA256
f97b2d2fdbe86df7040be28cbd14c0ae80d4f94abf0ed7a1f8dd2c0d30f7494d

SHA512
4e9bc7e930f0616652554e41f70698c2d85c117830692ecd1856a1e9069439af3d44befe2ac02174244d9069bff5d252e4c5daa6a553bbd7dfeb01be7eff324f

Download Submit
C:\Windows\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe

Filesize
204KB

MD5
ddd92062c2ae13bb41c78adcf8c3cc17

SHA1
632f6bcdec4f16c2c189be133886ee037e962f6a

SHA256
48efe83bd69cf0b6ba83f432630f2de05d4ba07b65b00fd58c8d93a7783a70b2

SHA512
ecea586428f5b46410f51a0ef992bd2034a09d04cb84761637fc136da0327d10b176fcfc562017b221947edaf17fe890abd0f82e9c510338fe8d86699c64dacb

Download Submit
C:\Windows\{ADEEAC78-6986-4bdc-827F-F86D1CEB494E}.exe

Filesize
204KB

MD5
ddd92062c2ae13bb41c78adcf8c3cc17

SHA1
632f6bcdec4f16c2c189be133886ee037e962f6a

SHA256
48efe83bd69cf0b6ba83f432630f2de05d4ba07b65b00fd58c8d93a7783a70b2

SHA512
ecea586428f5b46410f51a0ef992bd2034a09d04cb84761637fc136da0327d10b176fcfc562017b221947edaf17fe890abd0f82e9c510338fe8d86699c64dacb

Download Submit
C:\Windows\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe

Filesize
204KB

MD5
8e1a987ccb6a704e690981a99d71fa0a

SHA1
e0897f38dc361aed91514214b2581366cbc8c7bf

SHA256
5601f969d1772b455e0c804d8a8cd9e1a467f10bf27b68bb40da6958189ba445

SHA512
6690d13f44461ebd94279b6a3aab8e29a3c764efcf03243730ed8dc2700da4778c6b97cb79311a38c124deb11d241f077badb10a7b10234ffc6616ed9b1b24a3

Download Submit
C:\Windows\{AEDB2BF5-C1B9-4f42-850E-3656AE3326E5}.exe

Filesize
204KB

MD5
8e1a987ccb6a704e690981a99d71fa0a

SHA1
e0897f38dc361aed91514214b2581366cbc8c7bf

SHA256
5601f969d1772b455e0c804d8a8cd9e1a467f10bf27b68bb40da6958189ba445

SHA512
6690d13f44461ebd94279b6a3aab8e29a3c764efcf03243730ed8dc2700da4778c6b97cb79311a38c124deb11d241f077badb10a7b10234ffc6616ed9b1b24a3

Download Submit
C:\Windows\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe

Filesize
204KB

MD5
4b0b5caf2c10ce80642fcfbba4edaf9a

SHA1
760988dd3ab8db0e1afe93b62e5c04109283dcd7

SHA256
065fe73e1d669c9a278cdae5bc70ef8b942b523a1dcf801d58cc4823ca82a217

SHA512
aff48b1c9208fda7c783740b097e7976c2d6cdb679739f49cb38420fd2461c9e104f4e9a9d9d7819dc9798e3c56438b803bc6e16fe74ae4ac7d5808708e634a6

Download Submit
C:\Windows\{C89BE16B-FA5D-410a-B248-F41E55C20820}.exe

Filesize
204KB

MD5
4b0b5caf2c10ce80642fcfbba4edaf9a

SHA1
760988dd3ab8db0e1afe93b62e5c04109283dcd7

SHA256
065fe73e1d669c9a278cdae5bc70ef8b942b523a1dcf801d58cc4823ca82a217

SHA512
aff48b1c9208fda7c783740b097e7976c2d6cdb679739f49cb38420fd2461c9e104f4e9a9d9d7819dc9798e3c56438b803bc6e16fe74ae4ac7d5808708e634a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads