7dcef3fd4f3cbab9e482ad4ce16ddeb052c83add7706236cdd96986d14842c36

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Size

344KB
MD5

27b114bbff31ed0e16d430d3dcdf08cd
SHA1

b326baab2a0b4eafdb468a00f5b5e745576d91ba
SHA256

7dcef3fd4f3cbab9e482ad4ce16ddeb052c83add7706236cdd96986d14842c36
SHA512

13279cbb1c3ce39cfbdb380ead25d4da05ac226e0203566c4de2476052b7ceaddf1e5e062c0721279e5099dd5fbe730b035412b9c842a71087e70d7a58dceae1
SSDEEP

3072:mEGh0owlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGKlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}\stubpath = "C:\\Windows\\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe"	{289CAADD-36B5-4162-8E54-198810E51009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D25900F-EE91-4809-85CD-A877B80D2125}	{837C0952-C102-4b4c-AF28-75C68708F915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{289CAADD-36B5-4162-8E54-198810E51009}	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}\stubpath = "C:\\Windows\\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe"	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}\stubpath = "C:\\Windows\\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe"	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837C0952-C102-4b4c-AF28-75C68708F915}	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D25900F-EE91-4809-85CD-A877B80D2125}\stubpath = "C:\\Windows\\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe"	{837C0952-C102-4b4c-AF28-75C68708F915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}\stubpath = "C:\\Windows\\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe"	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}	{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}\stubpath = "C:\\Windows\\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe"	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706332FF-E286-42ba-AE18-B8F0639D0EF8}	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{706332FF-E286-42ba-AE18-B8F0639D0EF8}\stubpath = "C:\\Windows\\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe"	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{289CAADD-36B5-4162-8E54-198810E51009}\stubpath = "C:\\Windows\\{289CAADD-36B5-4162-8E54-198810E51009}.exe"	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}\stubpath = "C:\\Windows\\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe"	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837C0952-C102-4b4c-AF28-75C68708F915}\stubpath = "C:\\Windows\\{837C0952-C102-4b4c-AF28-75C68708F915}.exe"	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}	{289CAADD-36B5-4162-8E54-198810E51009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}\stubpath = "C:\\Windows\\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe"	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}\stubpath = "C:\\Windows\\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe"	{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe

Executes dropped EXE 12 IoCs

pid	Process
3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe
396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe
2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
1648	{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe
3332	{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
File created	C:\Windows\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	{837C0952-C102-4b4c-AF28-75C68708F915}.exe
File created	C:\Windows\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
File created	C:\Windows\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
File created	C:\Windows\{289CAADD-36B5-4162-8E54-198810E51009}.exe	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
File created	C:\Windows\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	{289CAADD-36B5-4162-8E54-198810E51009}.exe
File created	C:\Windows\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
File created	C:\Windows\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
File created	C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
File created	C:\Windows\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
File created	C:\Windows\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
File created	C:\Windows\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe	{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
Token: SeIncBasePriorityPrivilege	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
Token: SeIncBasePriorityPrivilege	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe
Token: SeIncBasePriorityPrivilege	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
Token: SeIncBasePriorityPrivilege	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
Token: SeIncBasePriorityPrivilege	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
Token: SeIncBasePriorityPrivilege	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
Token: SeIncBasePriorityPrivilege	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe
Token: SeIncBasePriorityPrivilege	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
Token: SeIncBasePriorityPrivilege	708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
Token: SeIncBasePriorityPrivilege	1648	{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 3048	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	87
PID 3264 wrote to memory of 3048	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	87
PID 3264 wrote to memory of 3048	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	87
PID 3264 wrote to memory of 3768	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	88
PID 3264 wrote to memory of 3768	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	88
PID 3264 wrote to memory of 3768	3264	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	88
PID 3048 wrote to memory of 4200	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	89
PID 3048 wrote to memory of 4200	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	89
PID 3048 wrote to memory of 4200	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	89
PID 3048 wrote to memory of 1520	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	90
PID 3048 wrote to memory of 1520	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	90
PID 3048 wrote to memory of 1520	3048	{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe	90
PID 4200 wrote to memory of 4144	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	94
PID 4200 wrote to memory of 4144	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	94
PID 4200 wrote to memory of 4144	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	94
PID 4200 wrote to memory of 2948	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	93
PID 4200 wrote to memory of 2948	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	93
PID 4200 wrote to memory of 2948	4200	{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe	93
PID 4144 wrote to memory of 396	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	96
PID 4144 wrote to memory of 396	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	96
PID 4144 wrote to memory of 396	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	96
PID 4144 wrote to memory of 2644	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	97
PID 4144 wrote to memory of 2644	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	97
PID 4144 wrote to memory of 2644	4144	{837C0952-C102-4b4c-AF28-75C68708F915}.exe	97
PID 396 wrote to memory of 3928	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	98
PID 396 wrote to memory of 3928	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	98
PID 396 wrote to memory of 3928	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	98
PID 396 wrote to memory of 3656	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	99
PID 396 wrote to memory of 3656	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	99
PID 396 wrote to memory of 3656	396	{9D25900F-EE91-4809-85CD-A877B80D2125}.exe	99
PID 3928 wrote to memory of 4592	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	100
PID 3928 wrote to memory of 4592	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	100
PID 3928 wrote to memory of 4592	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	100
PID 3928 wrote to memory of 2476	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	101
PID 3928 wrote to memory of 2476	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	101
PID 3928 wrote to memory of 2476	3928	{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe	101
PID 4592 wrote to memory of 1072	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	102
PID 4592 wrote to memory of 1072	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	102
PID 4592 wrote to memory of 1072	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	102
PID 4592 wrote to memory of 552	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	103
PID 4592 wrote to memory of 552	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	103
PID 4592 wrote to memory of 552	4592	{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe	103
PID 1072 wrote to memory of 4924	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	104
PID 1072 wrote to memory of 4924	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	104
PID 1072 wrote to memory of 4924	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	104
PID 1072 wrote to memory of 1576	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	105
PID 1072 wrote to memory of 1576	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	105
PID 1072 wrote to memory of 1576	1072	{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe	105
PID 4924 wrote to memory of 2120	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	106
PID 4924 wrote to memory of 2120	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	106
PID 4924 wrote to memory of 2120	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	106
PID 4924 wrote to memory of 1260	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	107
PID 4924 wrote to memory of 1260	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	107
PID 4924 wrote to memory of 1260	4924	{289CAADD-36B5-4162-8E54-198810E51009}.exe	107
PID 2120 wrote to memory of 708	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	108
PID 2120 wrote to memory of 708	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	108
PID 2120 wrote to memory of 708	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	108
PID 2120 wrote to memory of 4920	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	109
PID 2120 wrote to memory of 4920	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	109
PID 2120 wrote to memory of 4920	2120	{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe	109
PID 708 wrote to memory of 1648	708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe	110
PID 708 wrote to memory of 1648	708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe	110
PID 708 wrote to memory of 1648	708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe	110
PID 708 wrote to memory of 1032	708	{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe	111

C:\Users\Admin\AppData\Local\Temp\2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
  C:\Windows\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
    C:\Windows\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29454~1.EXE > nul
      4⤵
      PID:2948
  - - C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe
      C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
        
        C:\Windows\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
        
        C:\Windows\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
        
        C:\Windows\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
        
        C:\Windows\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{289CAADD-36B5-4162-8E54-198810E51009}.exe
        
        C:\Windows\{289CAADD-36B5-4162-8E54-198810E51009}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
        
        C:\Windows\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
        
        C:\Windows\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe
        
        C:\Windows\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe
        
        C:\Windows\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe
        13⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76FE9~1.EXE > nul
        13⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CE86~1.EXE > nul
        12⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B44C~1.EXE > nul
        11⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{289CA~1.EXE > nul
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70633~1.EXE > nul
        9⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3977A~1.EXE > nul
        8⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E63F~1.EXE > nul
        7⤵
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D259~1.EXE > nul
        6⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{837C0~1.EXE > nul
        5⤵
        
        PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B3D1~1.EXE > nul
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe

Filesize
344KB

MD5
17e0d84e7dc207f72f60396920d16d75

SHA1
a8bac1b59b39f6926df4b7b350a6e62199bae01f

SHA256
695968ef093c30138f7254070cc1749c1c40348cad49f1af976ec012b8191e43

SHA512
b8318f48bcc863e1f94f580a45489ac73fc923fb30381ae243fbd8e0e85063d80ffc078d893ab0e2e236bdf8c807ea5c08f16b4ee1c578a08fbe0c8c66f52ceb

Download Submit
C:\Windows\{1CE863DB-4126-4ee4-98AF-6A16EB0DADA3}.exe

Filesize
344KB

MD5
17e0d84e7dc207f72f60396920d16d75

SHA1
a8bac1b59b39f6926df4b7b350a6e62199bae01f

SHA256
695968ef093c30138f7254070cc1749c1c40348cad49f1af976ec012b8191e43

SHA512
b8318f48bcc863e1f94f580a45489ac73fc923fb30381ae243fbd8e0e85063d80ffc078d893ab0e2e236bdf8c807ea5c08f16b4ee1c578a08fbe0c8c66f52ceb

Download Submit
C:\Windows\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe

Filesize
344KB

MD5
c9821929992d053c1062a7d727f5dd9b

SHA1
40daf6c30c18d8504504f1e14199b4813008aa04

SHA256
2546c4616036a1e3fa0c4c692d10b6eaa50c5cdb40438bdf3f7a446b9aa58955

SHA512
f74eed7bf1abba2758d6a7ea33a652da1388d6a567154fcb3a37e6404b682424f8846741d940f6a41fd1122d6b6544c42b6a39748464a33ddd5a3fba5d5d66ae

Download Submit
C:\Windows\{1E63FE74-B0C1-448a-B432-46A741E9B4B8}.exe

Filesize
344KB

MD5
c9821929992d053c1062a7d727f5dd9b

SHA1
40daf6c30c18d8504504f1e14199b4813008aa04

SHA256
2546c4616036a1e3fa0c4c692d10b6eaa50c5cdb40438bdf3f7a446b9aa58955

SHA512
f74eed7bf1abba2758d6a7ea33a652da1388d6a567154fcb3a37e6404b682424f8846741d940f6a41fd1122d6b6544c42b6a39748464a33ddd5a3fba5d5d66ae

Download Submit
C:\Windows\{289CAADD-36B5-4162-8E54-198810E51009}.exe

Filesize
344KB

MD5
782899ef370bd1d34d4c342679d49ae4

SHA1
bc73dbca4be1109a24a56d4de0b6323cc48a0b2d

SHA256
b304f9a77356bdf19b0db72809bff62354a1b3d7037f55bb64d5ab27c5c0846c

SHA512
1ce15b0cf6e728707be28ad7fd501d6d5ab69d95912c478c9cfc3070f8e4cd4cc7243578b2edc6438e196663c537349a6f01a97b058fcd18856f3d7ad9694acc

Download Submit
C:\Windows\{289CAADD-36B5-4162-8E54-198810E51009}.exe

Filesize
344KB

MD5
782899ef370bd1d34d4c342679d49ae4

SHA1
bc73dbca4be1109a24a56d4de0b6323cc48a0b2d

SHA256
b304f9a77356bdf19b0db72809bff62354a1b3d7037f55bb64d5ab27c5c0846c

SHA512
1ce15b0cf6e728707be28ad7fd501d6d5ab69d95912c478c9cfc3070f8e4cd4cc7243578b2edc6438e196663c537349a6f01a97b058fcd18856f3d7ad9694acc

Download Submit
C:\Windows\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe

Filesize
344KB

MD5
21e1145fcca00068cdffe2b16e44e73d

SHA1
03a14d6a167ce509c3c7fd467202f3461487ba8c

SHA256
7e0f0ec0de41c73ab24302ee0872226cd6d495a0fa7e399d34bdeb2979419be6

SHA512
11312767aa91b2a13694ff2bb643f0a7029d11fe7248971e3ff851f5882d7be5e58a0d289a8de2bd41bcd6dd4c77d72f45e9c054c626183ccddde56affff3156

Download Submit
C:\Windows\{29454396-D1BA-41b2-BAA9-5C73E06CF1B2}.exe

Filesize
344KB

MD5
21e1145fcca00068cdffe2b16e44e73d

SHA1
03a14d6a167ce509c3c7fd467202f3461487ba8c

SHA256
7e0f0ec0de41c73ab24302ee0872226cd6d495a0fa7e399d34bdeb2979419be6

SHA512
11312767aa91b2a13694ff2bb643f0a7029d11fe7248971e3ff851f5882d7be5e58a0d289a8de2bd41bcd6dd4c77d72f45e9c054c626183ccddde56affff3156

Download Submit
C:\Windows\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe

Filesize
344KB

MD5
b4298f35d9a1148ce7346469b7e74274

SHA1
937678d2f9c7969d85f30f70cea33ea225e48377

SHA256
c2b88fcdcc725979723c503a9f4344e24ccc4fa28d0259a2e1ae24a8c9e8b2ae

SHA512
da1150c8c70c1c37aea1505a011d31a22b84505cc5226b7d1735bd8c34984b5d812c67761e515a697108f911b230cdcb8d786f14b9b3dc6ba0e58e9efa4c073b

Download Submit
C:\Windows\{2B3D1B4B-E499-422e-9BC6-2726EDE8B376}.exe

Filesize
344KB

MD5
b4298f35d9a1148ce7346469b7e74274

SHA1
937678d2f9c7969d85f30f70cea33ea225e48377

SHA256
c2b88fcdcc725979723c503a9f4344e24ccc4fa28d0259a2e1ae24a8c9e8b2ae

SHA512
da1150c8c70c1c37aea1505a011d31a22b84505cc5226b7d1735bd8c34984b5d812c67761e515a697108f911b230cdcb8d786f14b9b3dc6ba0e58e9efa4c073b

Download Submit
C:\Windows\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe

Filesize
344KB

MD5
1fae7f11ce94dd866fb3ac9326e8b117

SHA1
4b71711553921a2957697681b99335fc02b5dae1

SHA256
9b53a357b0d567ff2f175a0061bb97d34f2ada2049e37b081b1951b38683e19f

SHA512
133b1d125eebe259e4b0f1f67fe5465591ffa27b0115a62534823dafc1906d49960ed664aa04f5a6b7e3ecdbbb677a3f83dde8ef2d566918787880670c230464

Download Submit
C:\Windows\{3977A0B8-05BD-4a48-9D18-AE3C898A9A14}.exe

Filesize
344KB

MD5
1fae7f11ce94dd866fb3ac9326e8b117

SHA1
4b71711553921a2957697681b99335fc02b5dae1

SHA256
9b53a357b0d567ff2f175a0061bb97d34f2ada2049e37b081b1951b38683e19f

SHA512
133b1d125eebe259e4b0f1f67fe5465591ffa27b0115a62534823dafc1906d49960ed664aa04f5a6b7e3ecdbbb677a3f83dde8ef2d566918787880670c230464

Download Submit
C:\Windows\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe

Filesize
344KB

MD5
7f9b8707ce26ca826e081ebcdb9847fc

SHA1
9aa492996ae56ed046ecb51d83406745b7ac2cb4

SHA256
61d727d9c500449aad3990500dc9c44dad038ffc9498a565547fe51563ffe1e4

SHA512
314e3bdebd9c53311ea6d86a60a763109cdd91314c60616b40f47e7ca30f00d6cc080817495f6214aa0ca420deecc24c7948b1a557b0a3ca123d92985fbdd731

Download Submit
C:\Windows\{4B44C01B-9513-4f84-A7E8-E7B048AEF207}.exe

Filesize
344KB

MD5
7f9b8707ce26ca826e081ebcdb9847fc

SHA1
9aa492996ae56ed046ecb51d83406745b7ac2cb4

SHA256
61d727d9c500449aad3990500dc9c44dad038ffc9498a565547fe51563ffe1e4

SHA512
314e3bdebd9c53311ea6d86a60a763109cdd91314c60616b40f47e7ca30f00d6cc080817495f6214aa0ca420deecc24c7948b1a557b0a3ca123d92985fbdd731

Download Submit
C:\Windows\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe

Filesize
344KB

MD5
1ad78f9e6875a77147b7ce0a22e7d991

SHA1
4ffcce0b7c865d9cd28d24b8c104209df851ac0b

SHA256
d83f2d457da3d486c7881f48d45d26b8983d343f8e26ccbbeb6b984bfc5f70db

SHA512
c63d1586c3b2e6143414180e0e1073a67aa0a6aae8a2f641894e6432e1aa29ae6317a9cc88952b043399b1cdaf903808be50ead55eb11e9c87db5265ee8384c5

Download Submit
C:\Windows\{706332FF-E286-42ba-AE18-B8F0639D0EF8}.exe

Filesize
344KB

MD5
1ad78f9e6875a77147b7ce0a22e7d991

SHA1
4ffcce0b7c865d9cd28d24b8c104209df851ac0b

SHA256
d83f2d457da3d486c7881f48d45d26b8983d343f8e26ccbbeb6b984bfc5f70db

SHA512
c63d1586c3b2e6143414180e0e1073a67aa0a6aae8a2f641894e6432e1aa29ae6317a9cc88952b043399b1cdaf903808be50ead55eb11e9c87db5265ee8384c5

Download Submit
C:\Windows\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe

Filesize
344KB

MD5
97a3b5653f287baaebd0b751c2e5f623

SHA1
92a19a11447983bf9ee0aa83a68abc47692aabbd

SHA256
4ab6db9c842c8643708f7c47063b6e44b9b6fe21d45c9606902004f61a3dbb95

SHA512
d12d1f3f9780f51966d673dfacab6a19475aaa879baeabe984f5445b575ebd30340528368265bbc6a08e757759d5119cf7e8e8835dd91422e92d76298747fcc8

Download Submit
C:\Windows\{76FE9E1A-CD7B-4f2c-8D84-F1FB91353576}.exe

Filesize
344KB

MD5
97a3b5653f287baaebd0b751c2e5f623

SHA1
92a19a11447983bf9ee0aa83a68abc47692aabbd

SHA256
4ab6db9c842c8643708f7c47063b6e44b9b6fe21d45c9606902004f61a3dbb95

SHA512
d12d1f3f9780f51966d673dfacab6a19475aaa879baeabe984f5445b575ebd30340528368265bbc6a08e757759d5119cf7e8e8835dd91422e92d76298747fcc8

Download Submit
C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe

Filesize
344KB

MD5
455f3918eb9fc31c981e2e1b26c8cacf

SHA1
60a13176540c005bceb0677d732a6e739aaae1fa

SHA256
a9f41a1b0edbfc09ece4cf8017c01de46cabb02dd542089dad35cc0207bd3c79

SHA512
30b18c9eb7964be8cd14a7e6089a117fe7da6e1a03af4da816e0b1caa4d9515065af2d643a012d3224f2d41e46b6cbf90b7c1ef8c0473039ec0b432e33372768

Download Submit
C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe

Filesize
344KB

MD5
455f3918eb9fc31c981e2e1b26c8cacf

SHA1
60a13176540c005bceb0677d732a6e739aaae1fa

SHA256
a9f41a1b0edbfc09ece4cf8017c01de46cabb02dd542089dad35cc0207bd3c79

SHA512
30b18c9eb7964be8cd14a7e6089a117fe7da6e1a03af4da816e0b1caa4d9515065af2d643a012d3224f2d41e46b6cbf90b7c1ef8c0473039ec0b432e33372768

Download Submit
C:\Windows\{837C0952-C102-4b4c-AF28-75C68708F915}.exe

Filesize
344KB

MD5
455f3918eb9fc31c981e2e1b26c8cacf

SHA1
60a13176540c005bceb0677d732a6e739aaae1fa

SHA256
a9f41a1b0edbfc09ece4cf8017c01de46cabb02dd542089dad35cc0207bd3c79

SHA512
30b18c9eb7964be8cd14a7e6089a117fe7da6e1a03af4da816e0b1caa4d9515065af2d643a012d3224f2d41e46b6cbf90b7c1ef8c0473039ec0b432e33372768

Download Submit
C:\Windows\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe

Filesize
344KB

MD5
008fa00a036ec99de6ab8501378a7801

SHA1
5ae0ca9e2754ab11dad8e190bbd588554da40535

SHA256
60daa3cfb6038a619d41a0757e7167df33705842f3d5f5b7f011920c7823019d

SHA512
2117209b521fe208c0294323fac43a0c46e86d2c975f3ea3acfe11c71f268a421132f5a67da537bdbe00f2a815a9a1dd57aa77059370e66547f23cee4431aea7

Download Submit
C:\Windows\{9D25900F-EE91-4809-85CD-A877B80D2125}.exe

Filesize
344KB

MD5
008fa00a036ec99de6ab8501378a7801

SHA1
5ae0ca9e2754ab11dad8e190bbd588554da40535

SHA256
60daa3cfb6038a619d41a0757e7167df33705842f3d5f5b7f011920c7823019d

SHA512
2117209b521fe208c0294323fac43a0c46e86d2c975f3ea3acfe11c71f268a421132f5a67da537bdbe00f2a815a9a1dd57aa77059370e66547f23cee4431aea7

Download Submit
C:\Windows\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe

Filesize
344KB

MD5
df6e7859d3a00e90b59e3afe98968955

SHA1
53b1bd30657626715f827245b4b4f20e7a919a69

SHA256
6764bc0508ab892d3b722c7f9021e96902c7800fc8659961d21afeed0fa9ae80

SHA512
797c5f48c95a5a4ed408e3e268f9363c5853fcfe7c5ec4771087ccaff8baa60f118e6c25f0a4da2c6bf0344f2926940f2094baa80eaacb317be9ef80b2e8ca07

Download Submit
C:\Windows\{D2DBA8AE-82E4-4f3b-AFE3-DDB2CAFACBBD}.exe

Filesize
344KB

MD5
df6e7859d3a00e90b59e3afe98968955

SHA1
53b1bd30657626715f827245b4b4f20e7a919a69

SHA256
6764bc0508ab892d3b722c7f9021e96902c7800fc8659961d21afeed0fa9ae80

SHA512
797c5f48c95a5a4ed408e3e268f9363c5853fcfe7c5ec4771087ccaff8baa60f118e6c25f0a4da2c6bf0344f2926940f2094baa80eaacb317be9ef80b2e8ca07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads