a84411b5a747a1ad42638b67debdd63106d3acc2595dc114626e497dd285e341

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Size

408KB
MD5

25de35a20184013edefb0093b0766822
SHA1

f891b6d3627476a843b2768b609463dde27ad3c1
SHA256

a84411b5a747a1ad42638b67debdd63106d3acc2595dc114626e497dd285e341
SHA512

322ecc2832cc777df38fd07502a246fb3c855f4c2468e14d8d4abbdafd25575379379db9b11d60db0c9729fd28b6d83f4a75d571416296755da94f5f2001455c
SSDEEP

3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD26E080-D042-4e4c-BD32-332BC5D654A2}	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}\stubpath = "C:\\Windows\\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe"	{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D090E086-71FA-48da-9257-AD924B59CD88}\stubpath = "C:\\Windows\\{D090E086-71FA-48da-9257-AD924B59CD88}.exe"	{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B582E0F7-D083-45db-8837-3312DECE8A61}\stubpath = "C:\\Windows\\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe"	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB2A7019-99D4-4f36-9908-7884E839265B}	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E13000E-9382-455e-93A7-AFB9332A7F10}\stubpath = "C:\\Windows\\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe"	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D090E086-71FA-48da-9257-AD924B59CD88}	{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}\stubpath = "C:\\Windows\\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe"	{D090E086-71FA-48da-9257-AD924B59CD88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5870402C-AB9E-47e9-B911-44A2CC4723F0}	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}\stubpath = "C:\\Windows\\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe"	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DCB17BC-769D-410d-9460-769A4F72FB71}\stubpath = "C:\\Windows\\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe"	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD26E080-D042-4e4c-BD32-332BC5D654A2}\stubpath = "C:\\Windows\\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe"	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B582E0F7-D083-45db-8837-3312DECE8A61}	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E13000E-9382-455e-93A7-AFB9332A7F10}	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}\stubpath = "C:\\Windows\\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe"	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DCB17BC-769D-410d-9460-769A4F72FB71}	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5870402C-AB9E-47e9-B911-44A2CC4723F0}\stubpath = "C:\\Windows\\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe"	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB2A7019-99D4-4f36-9908-7884E839265B}\stubpath = "C:\\Windows\\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe"	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}	{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}	{D090E086-71FA-48da-9257-AD924B59CD88}.exe

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
2880	{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
1920	{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
1940	{D090E086-71FA-48da-9257-AD924B59CD88}.exe
2384	{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D090E086-71FA-48da-9257-AD924B59CD88}.exe	{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
File created	C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
File created	C:\Windows\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
File created	C:\Windows\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
File created	C:\Windows\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
File created	C:\Windows\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
File created	C:\Windows\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
File created	C:\Windows\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
File created	C:\Windows\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
File created	C:\Windows\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe	{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
File created	C:\Windows\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe	{D090E086-71FA-48da-9257-AD924B59CD88}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
Token: SeIncBasePriorityPrivilege	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
Token: SeIncBasePriorityPrivilege	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
Token: SeIncBasePriorityPrivilege	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
Token: SeIncBasePriorityPrivilege	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
Token: SeIncBasePriorityPrivilege	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
Token: SeIncBasePriorityPrivilege	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
Token: SeIncBasePriorityPrivilege	2880	{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
Token: SeIncBasePriorityPrivilege	1920	{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
Token: SeIncBasePriorityPrivilege	1940	{D090E086-71FA-48da-9257-AD924B59CD88}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1196	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	28
PID 2092 wrote to memory of 1196	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	28
PID 2092 wrote to memory of 1196	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	28
PID 2092 wrote to memory of 1196	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	28
PID 2092 wrote to memory of 2736	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	29
PID 2092 wrote to memory of 2736	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	29
PID 2092 wrote to memory of 2736	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	29
PID 2092 wrote to memory of 2736	2092	2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe	29
PID 1196 wrote to memory of 2624	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	30
PID 1196 wrote to memory of 2624	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	30
PID 1196 wrote to memory of 2624	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	30
PID 1196 wrote to memory of 2624	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	30
PID 1196 wrote to memory of 2388	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	31
PID 1196 wrote to memory of 2388	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	31
PID 1196 wrote to memory of 2388	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	31
PID 1196 wrote to memory of 2388	1196	{B582E0F7-D083-45db-8837-3312DECE8A61}.exe	31
PID 2624 wrote to memory of 2632	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	32
PID 2624 wrote to memory of 2632	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	32
PID 2624 wrote to memory of 2632	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	32
PID 2624 wrote to memory of 2632	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	32
PID 2624 wrote to memory of 2720	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	33
PID 2624 wrote to memory of 2720	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	33
PID 2624 wrote to memory of 2720	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	33
PID 2624 wrote to memory of 2720	2624	{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe	33
PID 2632 wrote to memory of 2548	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	36
PID 2632 wrote to memory of 2548	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	36
PID 2632 wrote to memory of 2548	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	36
PID 2632 wrote to memory of 2548	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	36
PID 2632 wrote to memory of 3008	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	37
PID 2632 wrote to memory of 3008	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	37
PID 2632 wrote to memory of 3008	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	37
PID 2632 wrote to memory of 3008	2632	{EB2A7019-99D4-4f36-9908-7884E839265B}.exe	37
PID 2548 wrote to memory of 2988	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	38
PID 2548 wrote to memory of 2988	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	38
PID 2548 wrote to memory of 2988	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	38
PID 2548 wrote to memory of 2988	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	38
PID 2548 wrote to memory of 2452	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	39
PID 2548 wrote to memory of 2452	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	39
PID 2548 wrote to memory of 2452	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	39
PID 2548 wrote to memory of 2452	2548	{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe	39
PID 2988 wrote to memory of 2208	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	40
PID 2988 wrote to memory of 2208	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	40
PID 2988 wrote to memory of 2208	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	40
PID 2988 wrote to memory of 2208	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	40
PID 2988 wrote to memory of 2740	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	41
PID 2988 wrote to memory of 2740	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	41
PID 2988 wrote to memory of 2740	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	41
PID 2988 wrote to memory of 2740	2988	{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe	41
PID 2208 wrote to memory of 2836	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	43
PID 2208 wrote to memory of 2836	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	43
PID 2208 wrote to memory of 2836	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	43
PID 2208 wrote to memory of 2836	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	43
PID 2208 wrote to memory of 2840	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	42
PID 2208 wrote to memory of 2840	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	42
PID 2208 wrote to memory of 2840	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	42
PID 2208 wrote to memory of 2840	2208	{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe	42
PID 2836 wrote to memory of 2880	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	44
PID 2836 wrote to memory of 2880	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	44
PID 2836 wrote to memory of 2880	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	44
PID 2836 wrote to memory of 2880	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	44
PID 2836 wrote to memory of 1472	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	45
PID 2836 wrote to memory of 1472	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	45
PID 2836 wrote to memory of 1472	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	45
PID 2836 wrote to memory of 1472	2836	{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_25de35a20184013edefb0093b0766822_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
  C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
    C:\Windows\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
      C:\Windows\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
        
        C:\Windows\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
        
        C:\Windows\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
        
        C:\Windows\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8851~1.EXE > nul
        8⤵
        
        PID:2840
        
        C:\Windows\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
        
        C:\Windows\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
        
        C:\Windows\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
        
        C:\Windows\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{D090E086-71FA-48da-9257-AD924B59CD88}.exe
        
        C:\Windows\{D090E086-71FA-48da-9257-AD924B59CD88}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe
        
        C:\Windows\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe
        12⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D090E~1.EXE > nul
        12⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37CA5~1.EXE > nul
        11⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD26E~1.EXE > nul
        10⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DCB1~1.EXE > nul
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC2B~1.EXE > nul
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E130~1.EXE > nul
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB2A7~1.EXE > nul
        5⤵
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58704~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B582E~1.EXE > nul
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe

Filesize
408KB

MD5
3e5e773dd28f7c389cf5b805445db242

SHA1
e7989fdf83c0b042b12d66a01dfb5680d6e7f3a8

SHA256
ae869fd1a2c4d69ea5432a0ec4048b1bac89698ef6dc111690cd53a90fe9ca42

SHA512
dbead0e01191d16fa016120bd6017411c6f86e18823e1f414ba84bcda9db2e7e6f523f2e6afad7523f3ff902daad087f89831cfe75ea977375f5c346995f9ffd

Download Submit
C:\Windows\{2AC2BC57-9EA9-43a5-85AF-0D89907AA5A4}.exe

Filesize
408KB

MD5
3e5e773dd28f7c389cf5b805445db242

SHA1
e7989fdf83c0b042b12d66a01dfb5680d6e7f3a8

SHA256
ae869fd1a2c4d69ea5432a0ec4048b1bac89698ef6dc111690cd53a90fe9ca42

SHA512
dbead0e01191d16fa016120bd6017411c6f86e18823e1f414ba84bcda9db2e7e6f523f2e6afad7523f3ff902daad087f89831cfe75ea977375f5c346995f9ffd

Download Submit
C:\Windows\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe

Filesize
408KB

MD5
a4523d27c66029d9a1e1c1d9d4bf06df

SHA1
b65cad43355136a23c088ccd7edf9b1f5dad58e9

SHA256
4a536cd12b3abe56cde062a7d9ec41e73051472b24c2927c3f1271e81e76f288

SHA512
7c2383914e547f8612363a776a5d969395e0fd48dc48d0a6c4f686775df02bfcc312225457cb7d6723281f96d46e78f3e1cf39990007f24084efbfe167d1319a

Download Submit
C:\Windows\{37CA5B5D-CF82-42b6-A1D9-86989FD9FE6F}.exe

Filesize
408KB

MD5
a4523d27c66029d9a1e1c1d9d4bf06df

SHA1
b65cad43355136a23c088ccd7edf9b1f5dad58e9

SHA256
4a536cd12b3abe56cde062a7d9ec41e73051472b24c2927c3f1271e81e76f288

SHA512
7c2383914e547f8612363a776a5d969395e0fd48dc48d0a6c4f686775df02bfcc312225457cb7d6723281f96d46e78f3e1cf39990007f24084efbfe167d1319a

Download Submit
C:\Windows\{4B2E4F9F-27FA-4988-9AB7-5C8A8A950D40}.exe

Filesize
408KB

MD5
4b7491b2bc2281e4570508c043214e7c

SHA1
4993e4efe751126acdf8f470723711d21e0c8e44

SHA256
52350eb8449e010fc865c785de3df5e878175466ecad08e15b066e6987543f75

SHA512
e54021a94d1f052041ba6d2f4f95331708d213d9c02d216283fb66ab7081f87d5d1f73c744ccb27b1d13c1f6031c8cf124b2f5df98d1fc31efd235cd6df0fc52

Download Submit
C:\Windows\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe

Filesize
408KB

MD5
a97012217fc46389adb1c78ac1bcf6a6

SHA1
f3cbcd17a38edb654c92d8c9ef2bf10da29fe86b

SHA256
3ee8070d4e61ad9e63abb80ad2332cbb172d4a1f94939f14c57b6910a9256dc1

SHA512
78e80f3762fd0eac9c76d77225883787490458a79605fa8667dd02b57ed641620dea528c231d3cf6a1982e8671f67db6e43a29d1b728524681b7d64831a39610

Download Submit
C:\Windows\{5870402C-AB9E-47e9-B911-44A2CC4723F0}.exe

Filesize
408KB

MD5
a97012217fc46389adb1c78ac1bcf6a6

SHA1
f3cbcd17a38edb654c92d8c9ef2bf10da29fe86b

SHA256
3ee8070d4e61ad9e63abb80ad2332cbb172d4a1f94939f14c57b6910a9256dc1

SHA512
78e80f3762fd0eac9c76d77225883787490458a79605fa8667dd02b57ed641620dea528c231d3cf6a1982e8671f67db6e43a29d1b728524681b7d64831a39610

Download Submit
C:\Windows\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe

Filesize
408KB

MD5
145ad688d59c037b13b7312515c52c37

SHA1
04406d5b09f0401eb933aedd80f5dd6a050374f2

SHA256
645dd28c8d4afe380c50aff9fdc0d367cdfc401e4c9268f14ad7d4e1f2c88f37

SHA512
810494726cbe922839fa7ecc6491494b5bd8c126b116d851e8ae08f30f058ed6bcda2a80cdd5692069ddacd3701e373fba66a56ad9d328ae4d1f4f3e7262c0c5

Download Submit
C:\Windows\{6DCB17BC-769D-410d-9460-769A4F72FB71}.exe

Filesize
408KB

MD5
145ad688d59c037b13b7312515c52c37

SHA1
04406d5b09f0401eb933aedd80f5dd6a050374f2

SHA256
645dd28c8d4afe380c50aff9fdc0d367cdfc401e4c9268f14ad7d4e1f2c88f37

SHA512
810494726cbe922839fa7ecc6491494b5bd8c126b116d851e8ae08f30f058ed6bcda2a80cdd5692069ddacd3701e373fba66a56ad9d328ae4d1f4f3e7262c0c5

Download Submit
C:\Windows\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe

Filesize
408KB

MD5
073eb4f9cb0a16f580316d4d9156f039

SHA1
5f3793cabd69d28a259cccfc2b6541ab2dfe47f5

SHA256
1e1670e04388caf089d117860b14d2a7c51ba63446c97e2011ad22beaa4b403d

SHA512
41eb6e0e15febebef502c6c65ead024ae74915e721c03c4909887375041f7c49b00f688e069b8e3d2b9418897fa4796aa547804cf04e7afd64c3330adec9276d

Download Submit
C:\Windows\{8E13000E-9382-455e-93A7-AFB9332A7F10}.exe

Filesize
408KB

MD5
073eb4f9cb0a16f580316d4d9156f039

SHA1
5f3793cabd69d28a259cccfc2b6541ab2dfe47f5

SHA256
1e1670e04388caf089d117860b14d2a7c51ba63446c97e2011ad22beaa4b403d

SHA512
41eb6e0e15febebef502c6c65ead024ae74915e721c03c4909887375041f7c49b00f688e069b8e3d2b9418897fa4796aa547804cf04e7afd64c3330adec9276d

Download Submit
C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe

Filesize
408KB

MD5
d27b2673106cad752091370f6bd989f1

SHA1
59622caba74deb7c377dfbcd07c09e44df8f7756

SHA256
b6aa3a6536bf0872af194c6fefc60fd72b707c39144a1840e3f61ff75973fab3

SHA512
43307cd03d433889caace3c8e211dfe4026a8141d4637d699840a1a8fcebef96de042363c5da1c7c8d2e9075d5855b6eef8b112820d251541f3d037843f9e182

Download Submit
C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe

Filesize
408KB

MD5
d27b2673106cad752091370f6bd989f1

SHA1
59622caba74deb7c377dfbcd07c09e44df8f7756

SHA256
b6aa3a6536bf0872af194c6fefc60fd72b707c39144a1840e3f61ff75973fab3

SHA512
43307cd03d433889caace3c8e211dfe4026a8141d4637d699840a1a8fcebef96de042363c5da1c7c8d2e9075d5855b6eef8b112820d251541f3d037843f9e182

Download Submit
C:\Windows\{B582E0F7-D083-45db-8837-3312DECE8A61}.exe

Filesize
408KB

MD5
d27b2673106cad752091370f6bd989f1

SHA1
59622caba74deb7c377dfbcd07c09e44df8f7756

SHA256
b6aa3a6536bf0872af194c6fefc60fd72b707c39144a1840e3f61ff75973fab3

SHA512
43307cd03d433889caace3c8e211dfe4026a8141d4637d699840a1a8fcebef96de042363c5da1c7c8d2e9075d5855b6eef8b112820d251541f3d037843f9e182

Download Submit
C:\Windows\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe

Filesize
408KB

MD5
def2e8caf64625767af399c49255d333

SHA1
fce652ae299fdd7b387e56bc31781a7034a16490

SHA256
c42d98c4a982ba029a58ed0277802ded2ab0f5af5ebcaa06dd318420cd34f599

SHA512
2bf13bce8d2b9de6138b26eac7b78cd8eb3c946d0a0c2db2f3b918bfd93780807d32b480de054b9ba8caeaceecc2d1541872c2f58616df28fe66b8f8939b6d36

Download Submit
C:\Windows\{B8851D01-5098-4aa3-ABCA-A6C00AF5EFEC}.exe

Filesize
408KB

MD5
def2e8caf64625767af399c49255d333

SHA1
fce652ae299fdd7b387e56bc31781a7034a16490

SHA256
c42d98c4a982ba029a58ed0277802ded2ab0f5af5ebcaa06dd318420cd34f599

SHA512
2bf13bce8d2b9de6138b26eac7b78cd8eb3c946d0a0c2db2f3b918bfd93780807d32b480de054b9ba8caeaceecc2d1541872c2f58616df28fe66b8f8939b6d36

Download Submit
C:\Windows\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe

Filesize
408KB

MD5
85598c98c5babf9c2d235ba4b841282b

SHA1
68209bd104842e23ddb627b13a34ec8997b2bf4d

SHA256
cbeb2a6e43020aefef56d5a1dd430c79d8dff49763b480c9e453b9779473de61

SHA512
b9c851a26dc3f5d35088f67ff6bd1ab37fbfbdda5ba319b2008774755beac90a54a2a402f4d6d756dd9482c184edefcd352c8f7ec40e13aa2698e64ba0c47a42

Download Submit
C:\Windows\{BD26E080-D042-4e4c-BD32-332BC5D654A2}.exe

Filesize
408KB

MD5
85598c98c5babf9c2d235ba4b841282b

SHA1
68209bd104842e23ddb627b13a34ec8997b2bf4d

SHA256
cbeb2a6e43020aefef56d5a1dd430c79d8dff49763b480c9e453b9779473de61

SHA512
b9c851a26dc3f5d35088f67ff6bd1ab37fbfbdda5ba319b2008774755beac90a54a2a402f4d6d756dd9482c184edefcd352c8f7ec40e13aa2698e64ba0c47a42

Download Submit
C:\Windows\{D090E086-71FA-48da-9257-AD924B59CD88}.exe

Filesize
408KB

MD5
d1579ee399c35a63b76410307121b93f

SHA1
8751577012e75d9454d950c24d0859b2121dbe20

SHA256
bb55b2f528b0bae4765a7741671ad6ac067edd15e9fac01d698e9e5dc2dee400

SHA512
904364ff022600cc3131a16f983205b7bac81af23e64b5a52caf3a9b59005f21aeb80d003c0ddaad019b0c7f28846575ed76e341be91f32371d500421e51260a

Download Submit
C:\Windows\{D090E086-71FA-48da-9257-AD924B59CD88}.exe

Filesize
408KB

MD5
d1579ee399c35a63b76410307121b93f

SHA1
8751577012e75d9454d950c24d0859b2121dbe20

SHA256
bb55b2f528b0bae4765a7741671ad6ac067edd15e9fac01d698e9e5dc2dee400

SHA512
904364ff022600cc3131a16f983205b7bac81af23e64b5a52caf3a9b59005f21aeb80d003c0ddaad019b0c7f28846575ed76e341be91f32371d500421e51260a

Download Submit
C:\Windows\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe

Filesize
408KB

MD5
931e10c11f6e1f9ee091e4842ce7b80f

SHA1
c0b684b27ccc8b6c269193337da9489f1e068d09

SHA256
022c52f843f42ae5f9137565a16e01e7d5b87e0a80c8a256696efe1217710c58

SHA512
380a1da12a629a45ee99cadc15e91e3d764e1cbe188b5f66ca5059abaeee12e3d93883920e8fea1c7d217d35c458268a548f448425aada187240f49975e189e3

Download Submit
C:\Windows\{EB2A7019-99D4-4f36-9908-7884E839265B}.exe

Filesize
408KB

MD5
931e10c11f6e1f9ee091e4842ce7b80f

SHA1
c0b684b27ccc8b6c269193337da9489f1e068d09

SHA256
022c52f843f42ae5f9137565a16e01e7d5b87e0a80c8a256696efe1217710c58

SHA512
380a1da12a629a45ee99cadc15e91e3d764e1cbe188b5f66ca5059abaeee12e3d93883920e8fea1c7d217d35c458268a548f448425aada187240f49975e189e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads