7b73413c771a1e15def62a9f45f25a815d02678cd0580ce035dbfc46e85f4aea

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
Size

380KB
MD5

169996492f116f424586de748af387a3
SHA1

035b00d0b94d7ed7d1ac9e3f47628be4e8d4ddfa
SHA256

7b73413c771a1e15def62a9f45f25a815d02678cd0580ce035dbfc46e85f4aea
SHA512

fd286b1fd64a8bc90e5cda7799ea56dafc45b26a57aecfefd85f055f51e6c9c3ef9372218f04eaf6f31bf54638ebc3f29c9123e8e5f98423e4f3fd593b5b3720
SSDEEP

3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGdl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C5EB0F-6708-4831-97EE-039110C5CF01}	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA8FA843-35C2-483a-B271-7423D2CD80AA}\stubpath = "C:\\Windows\\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe"	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B17F330-148B-4003-BE16-517779451F93}	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B17F330-148B-4003-BE16-517779451F93}\stubpath = "C:\\Windows\\{2B17F330-148B-4003-BE16-517779451F93}.exe"	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}	{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C5EB0F-6708-4831-97EE-039110C5CF01}\stubpath = "C:\\Windows\\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe"	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA8FA843-35C2-483a-B271-7423D2CD80AA}	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542970D6-6527-423e-AFA2-584475E68174}	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4156EE4-253B-404b-B8CB-348BEC98520A}\stubpath = "C:\\Windows\\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe"	{542970D6-6527-423e-AFA2-584475E68174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3ADECDC-CA72-4897-A094-CBF739C1259C}\stubpath = "C:\\Windows\\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe"	{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}\stubpath = "C:\\Windows\\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe"	{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}	{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}\stubpath = "C:\\Windows\\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe"	{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D3E0039-42BC-411e-B4FD-3789673CD977}	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}	{2B17F330-148B-4003-BE16-517779451F93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4156EE4-253B-404b-B8CB-348BEC98520A}	{542970D6-6527-423e-AFA2-584475E68174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3ADECDC-CA72-4897-A094-CBF739C1259C}	{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D3E0039-42BC-411e-B4FD-3789673CD977}\stubpath = "C:\\Windows\\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe"	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}\stubpath = "C:\\Windows\\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe"	{2B17F330-148B-4003-BE16-517779451F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}\stubpath = "C:\\Windows\\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe"	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{542970D6-6527-423e-AFA2-584475E68174}\stubpath = "C:\\Windows\\{542970D6-6527-423e-AFA2-584475E68174}.exe"	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
2540	{2B17F330-148B-4003-BE16-517779451F93}.exe
2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
2456	{542970D6-6527-423e-AFA2-584475E68174}.exe
2604	{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
2424	{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
668	{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
1696	{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
File created	C:\Windows\{2B17F330-148B-4003-BE16-517779451F93}.exe	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
File created	C:\Windows\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
File created	C:\Windows\{542970D6-6527-423e-AFA2-584475E68174}.exe	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
File created	C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
File created	C:\Windows\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
File created	C:\Windows\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe	{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
File created	C:\Windows\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe	{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
File created	C:\Windows\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe	{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
File created	C:\Windows\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	{2B17F330-148B-4003-BE16-517779451F93}.exe
File created	C:\Windows\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe	{542970D6-6527-423e-AFA2-584475E68174}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
Token: SeIncBasePriorityPrivilege	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
Token: SeIncBasePriorityPrivilege	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
Token: SeIncBasePriorityPrivilege	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe
Token: SeIncBasePriorityPrivilege	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
Token: SeIncBasePriorityPrivilege	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
Token: SeIncBasePriorityPrivilege	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe
Token: SeIncBasePriorityPrivilege	2604	{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
Token: SeIncBasePriorityPrivilege	2424	{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
Token: SeIncBasePriorityPrivilege	668	{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 3012	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	28
PID 1032 wrote to memory of 3012	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	28
PID 1032 wrote to memory of 3012	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	28
PID 1032 wrote to memory of 3012	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	28
PID 1032 wrote to memory of 2768	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	29
PID 1032 wrote to memory of 2768	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	29
PID 1032 wrote to memory of 2768	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	29
PID 1032 wrote to memory of 2768	1032	2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe	29
PID 3012 wrote to memory of 2644	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	30
PID 3012 wrote to memory of 2644	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	30
PID 3012 wrote to memory of 2644	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	30
PID 3012 wrote to memory of 2644	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	30
PID 3012 wrote to memory of 2728	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	31
PID 3012 wrote to memory of 2728	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	31
PID 3012 wrote to memory of 2728	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	31
PID 3012 wrote to memory of 2728	3012	{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe	31
PID 2644 wrote to memory of 2888	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	33
PID 2644 wrote to memory of 2888	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	33
PID 2644 wrote to memory of 2888	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	33
PID 2644 wrote to memory of 2888	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	33
PID 2644 wrote to memory of 2640	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	32
PID 2644 wrote to memory of 2640	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	32
PID 2644 wrote to memory of 2640	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	32
PID 2644 wrote to memory of 2640	2644	{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe	32
PID 2888 wrote to memory of 2540	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	36
PID 2888 wrote to memory of 2540	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	36
PID 2888 wrote to memory of 2540	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	36
PID 2888 wrote to memory of 2540	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	36
PID 2888 wrote to memory of 2688	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	37
PID 2888 wrote to memory of 2688	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	37
PID 2888 wrote to memory of 2688	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	37
PID 2888 wrote to memory of 2688	2888	{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe	37
PID 2540 wrote to memory of 2736	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	39
PID 2540 wrote to memory of 2736	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	39
PID 2540 wrote to memory of 2736	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	39
PID 2540 wrote to memory of 2736	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	39
PID 2540 wrote to memory of 2532	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	38
PID 2540 wrote to memory of 2532	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	38
PID 2540 wrote to memory of 2532	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	38
PID 2540 wrote to memory of 2532	2540	{2B17F330-148B-4003-BE16-517779451F93}.exe	38
PID 2736 wrote to memory of 2636	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	41
PID 2736 wrote to memory of 2636	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	41
PID 2736 wrote to memory of 2636	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	41
PID 2736 wrote to memory of 2636	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	41
PID 2736 wrote to memory of 2560	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	40
PID 2736 wrote to memory of 2560	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	40
PID 2736 wrote to memory of 2560	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	40
PID 2736 wrote to memory of 2560	2736	{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe	40
PID 2636 wrote to memory of 2456	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	43
PID 2636 wrote to memory of 2456	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	43
PID 2636 wrote to memory of 2456	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	43
PID 2636 wrote to memory of 2456	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	43
PID 2636 wrote to memory of 1944	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	42
PID 2636 wrote to memory of 1944	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	42
PID 2636 wrote to memory of 1944	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	42
PID 2636 wrote to memory of 1944	2636	{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe	42
PID 2456 wrote to memory of 2604	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	45
PID 2456 wrote to memory of 2604	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	45
PID 2456 wrote to memory of 2604	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	45
PID 2456 wrote to memory of 2604	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	45
PID 2456 wrote to memory of 2848	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	44
PID 2456 wrote to memory of 2848	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	44
PID 2456 wrote to memory of 2848	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	44
PID 2456 wrote to memory of 2848	2456	{542970D6-6527-423e-AFA2-584475E68174}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_169996492f116f424586de748af387a3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
  C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
    C:\Windows\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA8FA~1.EXE > nul
      4⤵
      PID:2640
  - - C:\Windows\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
      C:\Windows\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{2B17F330-148B-4003-BE16-517779451F93}.exe
        
        C:\Windows\{2B17F330-148B-4003-BE16-517779451F93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B17F~1.EXE > nul
        6⤵
        
        PID:2532
      - C:\Windows\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
        
        C:\Windows\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F71D~1.EXE > nul
        7⤵
        
        PID:2560
        
        C:\Windows\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
        
        C:\Windows\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3616E~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\{542970D6-6527-423e-AFA2-584475E68174}.exe
        
        C:\Windows\{542970D6-6527-423e-AFA2-584475E68174}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54297~1.EXE > nul
        9⤵
        
        PID:2848
        
        C:\Windows\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
        
        C:\Windows\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
        
        C:\Windows\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3ADE~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
        
        C:\Windows\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54125~1.EXE > nul
        12⤵
        
        PID:2212
        
        C:\Windows\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe
        
        C:\Windows\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe
        12⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4156~1.EXE > nul
        10⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D3E0~1.EXE > nul
        5⤵
        
        PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35C5E~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03CEC04D-33B3-4e76-A5ED-C1A7051DF181}.exe

Filesize
380KB

MD5
7ef38f9f937a507d507d1219a5a8d5ab

SHA1
dabf5a0f4d5c8e7ad1e2663072ef68d4ace9a0d4

SHA256
c6d1d78bdef5153e6d45020656206cc938853f0b5a2ae89be2fdde7e52c5196f

SHA512
ece8ab5077f580c35e59602916226f9027909c5f61642cbcae322883930a930cf81f61640e29f767182f0c1927c470833c79bba3d4967480f34591748012468a

Download Submit
C:\Windows\{2B17F330-148B-4003-BE16-517779451F93}.exe

Filesize
380KB

MD5
a75f5965744efe938686436f07aa224f

SHA1
325fbe3b25f196fcf58e7850ca76c602d8bb31f4

SHA256
406877ccb537fac895b788b56114c7e018d56b0734cd68c3deaee47ce588e118

SHA512
7690af33950cf23adba25b0f7480cb5086911046c2b698323074277fadaa08db650c8403642e8aa2894d4e6ae5f87cd3192ef39ea536da5695bb76774ee1db7c

Download Submit
C:\Windows\{2B17F330-148B-4003-BE16-517779451F93}.exe

Filesize
380KB

MD5
a75f5965744efe938686436f07aa224f

SHA1
325fbe3b25f196fcf58e7850ca76c602d8bb31f4

SHA256
406877ccb537fac895b788b56114c7e018d56b0734cd68c3deaee47ce588e118

SHA512
7690af33950cf23adba25b0f7480cb5086911046c2b698323074277fadaa08db650c8403642e8aa2894d4e6ae5f87cd3192ef39ea536da5695bb76774ee1db7c

Download Submit
C:\Windows\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe

Filesize
380KB

MD5
6d140a33bea754efaf375000da4452a9

SHA1
9bf3d13bc6cf2628e0d5a215aa95d52b2e9cbe79

SHA256
3ee7a66f826335c18d4e622839aa050c4e39b0f7913018b102531439f76f41c7

SHA512
77079ade8081eba3b4fd404fb1476f75380ade470af42d70586f4b7888847339eb590c246318482aff46a19443a07154c0f92174f79a6e010e5dbfa1c85f40d6

Download Submit
C:\Windows\{2D3E0039-42BC-411e-B4FD-3789673CD977}.exe

Filesize
380KB

MD5
6d140a33bea754efaf375000da4452a9

SHA1
9bf3d13bc6cf2628e0d5a215aa95d52b2e9cbe79

SHA256
3ee7a66f826335c18d4e622839aa050c4e39b0f7913018b102531439f76f41c7

SHA512
77079ade8081eba3b4fd404fb1476f75380ade470af42d70586f4b7888847339eb590c246318482aff46a19443a07154c0f92174f79a6e010e5dbfa1c85f40d6

Download Submit
C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe

Filesize
380KB

MD5
d451ebcbe68b820a8094c3c761f5e97e

SHA1
e812d6639efe05a8b46ee4e1b7b1c92368992f49

SHA256
b4706a4f75609cb75de4573495cad4de0071ca53112e32ea55805138a0a0b0f6

SHA512
fe6c8f151da9936b3993327d4733dea0ab858b4848a15f56c21041bb47b271b8e020ebf28cd534439c3f08eacb1fcfaa595358a9322587acaa600f2ebcad49c2

Download Submit
C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe

Filesize
380KB

MD5
d451ebcbe68b820a8094c3c761f5e97e

SHA1
e812d6639efe05a8b46ee4e1b7b1c92368992f49

SHA256
b4706a4f75609cb75de4573495cad4de0071ca53112e32ea55805138a0a0b0f6

SHA512
fe6c8f151da9936b3993327d4733dea0ab858b4848a15f56c21041bb47b271b8e020ebf28cd534439c3f08eacb1fcfaa595358a9322587acaa600f2ebcad49c2

Download Submit
C:\Windows\{35C5EB0F-6708-4831-97EE-039110C5CF01}.exe

Filesize
380KB

MD5
d451ebcbe68b820a8094c3c761f5e97e

SHA1
e812d6639efe05a8b46ee4e1b7b1c92368992f49

SHA256
b4706a4f75609cb75de4573495cad4de0071ca53112e32ea55805138a0a0b0f6

SHA512
fe6c8f151da9936b3993327d4733dea0ab858b4848a15f56c21041bb47b271b8e020ebf28cd534439c3f08eacb1fcfaa595358a9322587acaa600f2ebcad49c2

Download Submit
C:\Windows\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe

Filesize
380KB

MD5
676d6c8cca993b5577a42de101115b68

SHA1
31cdecdfbccfc2c9ff5f9a4a96893dd944fbf721

SHA256
89f22401cfe37ae44c74c31301304d34b4023b78cff0990d3d5fa2ff3cbfe7c1

SHA512
a2b6b8c13b2e6f6506ab1c0b2226c38e627763c96b0de1da70fe852221c5990c2e23829d270eca14de9cb3f52974d8010cb61f558ae3bca7461bf59363d28d01

Download Submit
C:\Windows\{3616E2CD-5D8A-43f5-832C-A070D2DAED4B}.exe

Filesize
380KB

MD5
676d6c8cca993b5577a42de101115b68

SHA1
31cdecdfbccfc2c9ff5f9a4a96893dd944fbf721

SHA256
89f22401cfe37ae44c74c31301304d34b4023b78cff0990d3d5fa2ff3cbfe7c1

SHA512
a2b6b8c13b2e6f6506ab1c0b2226c38e627763c96b0de1da70fe852221c5990c2e23829d270eca14de9cb3f52974d8010cb61f558ae3bca7461bf59363d28d01

Download Submit
C:\Windows\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe

Filesize
380KB

MD5
b020d1dad81853b81727666d2703c9e0

SHA1
db9f2b5d11ff9d2dcc6f1de05d77ac254f1e6c8f

SHA256
c90dfde5fb2a3911129c583f7e4c63cbf4ec2cf9c8cf6e4f13ca7f1ab0848597

SHA512
3416ed12e220f3515403dca6b124e41c130211835d30384f572d751d3a5f8c146ed0aa50124aad5803ec4f4dd14e68b95d2fed8ab2b95d40b346555c459cec41

Download Submit
C:\Windows\{3F71D882-0B14-4e4a-86A6-64732E1FEB16}.exe

Filesize
380KB

MD5
b020d1dad81853b81727666d2703c9e0

SHA1
db9f2b5d11ff9d2dcc6f1de05d77ac254f1e6c8f

SHA256
c90dfde5fb2a3911129c583f7e4c63cbf4ec2cf9c8cf6e4f13ca7f1ab0848597

SHA512
3416ed12e220f3515403dca6b124e41c130211835d30384f572d751d3a5f8c146ed0aa50124aad5803ec4f4dd14e68b95d2fed8ab2b95d40b346555c459cec41

Download Submit
C:\Windows\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe

Filesize
380KB

MD5
bace994437ec400b7ceea6c18e805613

SHA1
b36df6404cf77df5d96df3f44249b40065456e31

SHA256
6acbd94867f764d2d1c7b9f83b1aa29a1ef173e1058934102e91185ba99aa8ee

SHA512
6deebda05c7f6f7d8161ed04ed166abc9930d0fa87ea7a5e3029ee0ae87dc4f8dc5f4b166cf33bb5cb0897c8ee30c568359165b4b7d2c5a4a2151fafe47a658d

Download Submit
C:\Windows\{541257B3-FF9A-4d51-9D1C-8414586EA2B6}.exe

Filesize
380KB

MD5
bace994437ec400b7ceea6c18e805613

SHA1
b36df6404cf77df5d96df3f44249b40065456e31

SHA256
6acbd94867f764d2d1c7b9f83b1aa29a1ef173e1058934102e91185ba99aa8ee

SHA512
6deebda05c7f6f7d8161ed04ed166abc9930d0fa87ea7a5e3029ee0ae87dc4f8dc5f4b166cf33bb5cb0897c8ee30c568359165b4b7d2c5a4a2151fafe47a658d

Download Submit
C:\Windows\{542970D6-6527-423e-AFA2-584475E68174}.exe

Filesize
380KB

MD5
feaedb0836e647de8314d14db92e1ae6

SHA1
fc6309193fe2a4f8907c27d5a71fdf2b5ae34697

SHA256
3d1a61303a59fa7cab5ad963b281316c56f7c84a75cde152ae93aee2bbf429a9

SHA512
e073b8f7a399aa60731d6cda0269d5f3f3cac6a5c35d624ef562bccf0911c6de5e43f4bdc2c6d7d94f4dde794d546b13f7f8c3ee73093f8524c95568e0b18ff4

Download Submit
C:\Windows\{542970D6-6527-423e-AFA2-584475E68174}.exe

Filesize
380KB

MD5
feaedb0836e647de8314d14db92e1ae6

SHA1
fc6309193fe2a4f8907c27d5a71fdf2b5ae34697

SHA256
3d1a61303a59fa7cab5ad963b281316c56f7c84a75cde152ae93aee2bbf429a9

SHA512
e073b8f7a399aa60731d6cda0269d5f3f3cac6a5c35d624ef562bccf0911c6de5e43f4bdc2c6d7d94f4dde794d546b13f7f8c3ee73093f8524c95568e0b18ff4

Download Submit
C:\Windows\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe

Filesize
380KB

MD5
80a42a3bfae7b8475720cf015f8a3f91

SHA1
e0fc282595bdbb332ec408f4043f83baf6af6633

SHA256
745887bc1c544e0d8caaef7d72fc92feca3df933982928d6f7c209d3272ef008

SHA512
b9c12430db44ab9cda5f73655a239d4512849b4f708a551d516459d4cc5340736c09255cebe16b348e769674a31f5c5126d2c840af1d79ba0ce49e23064dc1e5

Download Submit
C:\Windows\{D3ADECDC-CA72-4897-A094-CBF739C1259C}.exe

Filesize
380KB

MD5
80a42a3bfae7b8475720cf015f8a3f91

SHA1
e0fc282595bdbb332ec408f4043f83baf6af6633

SHA256
745887bc1c544e0d8caaef7d72fc92feca3df933982928d6f7c209d3272ef008

SHA512
b9c12430db44ab9cda5f73655a239d4512849b4f708a551d516459d4cc5340736c09255cebe16b348e769674a31f5c5126d2c840af1d79ba0ce49e23064dc1e5

Download Submit
C:\Windows\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe

Filesize
380KB

MD5
6a088ea445bf8a7dfca865b521dda312

SHA1
76d9cf7936b323f750a0b23ac10f3080aa960fb7

SHA256
08408f8881f368c9b14a2217985ef44d436557ecc8f8be46a6205e7bc358a13e

SHA512
ed342da8d6fd3a08e312f0065f2b34db05f5f4adea578a177254cc6f91b48b836fc7197aa033da6144e1ebdc90380cefa0c749bca479a38ac2e9fffd334a9800

Download Submit
C:\Windows\{F4156EE4-253B-404b-B8CB-348BEC98520A}.exe

Filesize
380KB

MD5
6a088ea445bf8a7dfca865b521dda312

SHA1
76d9cf7936b323f750a0b23ac10f3080aa960fb7

SHA256
08408f8881f368c9b14a2217985ef44d436557ecc8f8be46a6205e7bc358a13e

SHA512
ed342da8d6fd3a08e312f0065f2b34db05f5f4adea578a177254cc6f91b48b836fc7197aa033da6144e1ebdc90380cefa0c749bca479a38ac2e9fffd334a9800

Download Submit
C:\Windows\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe

Filesize
380KB

MD5
3a2244bb6cebf80670c5b876238ec739

SHA1
b900c19cae0245aaa0a10f1db6e7b18c62b07e24

SHA256
a92089a168c76e3e2f43fd22240dfe6cf21b656e25e9d3ac1a1084f785c5144f

SHA512
b4b57e73794ae79bb874586b3343aadd5d2fd81b291d082099d7f3d068ee35c3522bfc88a4bedd1f21fedef360fb808d3cc2794ec82e6521c93b044247c28fa8

Download Submit
C:\Windows\{FA8FA843-35C2-483a-B271-7423D2CD80AA}.exe

Filesize
380KB

MD5
3a2244bb6cebf80670c5b876238ec739

SHA1
b900c19cae0245aaa0a10f1db6e7b18c62b07e24

SHA256
a92089a168c76e3e2f43fd22240dfe6cf21b656e25e9d3ac1a1084f785c5144f

SHA512
b4b57e73794ae79bb874586b3343aadd5d2fd81b291d082099d7f3d068ee35c3522bfc88a4bedd1f21fedef360fb808d3cc2794ec82e6521c93b044247c28fa8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads