1cbf044971148f547f247db4c2bf486e6f942bc9ee03b51a3aa57c959fac97ac

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Size

372KB
MD5

236abde9e5123a6174cbd3f89797d44e
SHA1

45aa644f08b6af6b0c7120aa6948a503fa67e361
SHA256

1cbf044971148f547f247db4c2bf486e6f942bc9ee03b51a3aa57c959fac97ac
SHA512

31ca9b2a03b4de72e24c0f2089ab9f819ac236d50ed448adcc5508f27f1e0bf99026aebc3218909ff4c84956fe328784d42f3fafca9803ac92673adc58954dae
SSDEEP

3072:CEGh0oFmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGCl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}\stubpath = "C:\\Windows\\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe"	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E987D0B-87C9-4928-924A-9B12879CD4B3}	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}\stubpath = "C:\\Windows\\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe"	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}\stubpath = "C:\\Windows\\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe"	{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E987D0B-87C9-4928-924A-9B12879CD4B3}\stubpath = "C:\\Windows\\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe"	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}\stubpath = "C:\\Windows\\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe"	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}	{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}\stubpath = "C:\\Windows\\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe"	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588EA588-8F8C-44f8-9D49-99E8B674565B}	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588EA588-8F8C-44f8-9D49-99E8B674565B}\stubpath = "C:\\Windows\\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe"	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}\stubpath = "C:\\Windows\\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe"	{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}	{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}	{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}\stubpath = "C:\\Windows\\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe"	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0C74F0-19F7-4f15-8674-4399F867028C}	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C0C74F0-19F7-4f15-8674-4399F867028C}\stubpath = "C:\\Windows\\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe"	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}\stubpath = "C:\\Windows\\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe"	{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
2948	{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
1732	{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
2832	{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe
2896	{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe	{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
File created	C:\Windows\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe	{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe
File created	C:\Windows\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
File created	C:\Windows\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
File created	C:\Windows\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
File created	C:\Windows\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
File created	C:\Windows\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe	{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
File created	C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
File created	C:\Windows\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
File created	C:\Windows\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
File created	C:\Windows\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
Token: SeIncBasePriorityPrivilege	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
Token: SeIncBasePriorityPrivilege	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
Token: SeIncBasePriorityPrivilege	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
Token: SeIncBasePriorityPrivilege	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
Token: SeIncBasePriorityPrivilege	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
Token: SeIncBasePriorityPrivilege	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
Token: SeIncBasePriorityPrivilege	2948	{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
Token: SeIncBasePriorityPrivilege	1732	{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
Token: SeIncBasePriorityPrivilege	2832	{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2376	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	28
PID 2324 wrote to memory of 2376	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	28
PID 2324 wrote to memory of 2376	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	28
PID 2324 wrote to memory of 2376	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	28
PID 2324 wrote to memory of 2240	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	29
PID 2324 wrote to memory of 2240	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	29
PID 2324 wrote to memory of 2240	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	29
PID 2324 wrote to memory of 2240	2324	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	29
PID 2376 wrote to memory of 2648	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	30
PID 2376 wrote to memory of 2648	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	30
PID 2376 wrote to memory of 2648	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	30
PID 2376 wrote to memory of 2648	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	30
PID 2376 wrote to memory of 2728	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	31
PID 2376 wrote to memory of 2728	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	31
PID 2376 wrote to memory of 2728	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	31
PID 2376 wrote to memory of 2728	2376	{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe	31
PID 2648 wrote to memory of 2676	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	32
PID 2648 wrote to memory of 2676	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	32
PID 2648 wrote to memory of 2676	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	32
PID 2648 wrote to memory of 2676	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	32
PID 2648 wrote to memory of 2772	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	33
PID 2648 wrote to memory of 2772	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	33
PID 2648 wrote to memory of 2772	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	33
PID 2648 wrote to memory of 2772	2648	{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe	33
PID 2676 wrote to memory of 2684	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	36
PID 2676 wrote to memory of 2684	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	36
PID 2676 wrote to memory of 2684	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	36
PID 2676 wrote to memory of 2684	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	36
PID 2676 wrote to memory of 1628	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	37
PID 2676 wrote to memory of 1628	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	37
PID 2676 wrote to memory of 1628	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	37
PID 2676 wrote to memory of 1628	2676	{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe	37
PID 2684 wrote to memory of 2536	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	38
PID 2684 wrote to memory of 2536	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	38
PID 2684 wrote to memory of 2536	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	38
PID 2684 wrote to memory of 2536	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	38
PID 2684 wrote to memory of 2592	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	39
PID 2684 wrote to memory of 2592	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	39
PID 2684 wrote to memory of 2592	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	39
PID 2684 wrote to memory of 2592	2684	{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe	39
PID 2536 wrote to memory of 2156	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	41
PID 2536 wrote to memory of 2156	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	41
PID 2536 wrote to memory of 2156	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	41
PID 2536 wrote to memory of 2156	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	41
PID 2536 wrote to memory of 2152	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	40
PID 2536 wrote to memory of 2152	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	40
PID 2536 wrote to memory of 2152	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	40
PID 2536 wrote to memory of 2152	2536	{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe	40
PID 2156 wrote to memory of 2892	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	43
PID 2156 wrote to memory of 2892	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	43
PID 2156 wrote to memory of 2892	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	43
PID 2156 wrote to memory of 2892	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	43
PID 2156 wrote to memory of 2940	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	42
PID 2156 wrote to memory of 2940	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	42
PID 2156 wrote to memory of 2940	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	42
PID 2156 wrote to memory of 2940	2156	{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe	42
PID 2892 wrote to memory of 2948	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	44
PID 2892 wrote to memory of 2948	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	44
PID 2892 wrote to memory of 2948	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	44
PID 2892 wrote to memory of 2948	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	44
PID 2892 wrote to memory of 2304	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	45
PID 2892 wrote to memory of 2304	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	45
PID 2892 wrote to memory of 2304	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	45
PID 2892 wrote to memory of 2304	2892	{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
  C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
    C:\Windows\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
      C:\Windows\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
        
        C:\Windows\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
        
        C:\Windows\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{588EA~1.EXE > nul
        7⤵
        
        PID:2152
        
        C:\Windows\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
        
        C:\Windows\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0C7~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
        
        C:\Windows\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
        
        C:\Windows\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11CA5~1.EXE > nul
        10⤵
        
        PID:3012
        
        C:\Windows\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
        
        C:\Windows\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe
        
        C:\Windows\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB115~1.EXE > nul
        12⤵
        
        PID:2988
        
        C:\Windows\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe
        
        C:\Windows\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe
        12⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E380~1.EXE > nul
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E84F1~1.EXE > nul
        9⤵
        
        PID:2304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E987~1.EXE > nul
        6⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FBA1~1.EXE > nul
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49A84~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDF0~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe

Filesize
372KB

MD5
d7545af7c667e6a4828b8a623933f59d

SHA1
0752257b968fd11a8d6536b3320a971409644b0a

SHA256
c04655e8c3ec7b14cddc22aa2da46fd156f0b3e7ab978b72c2e464cddcc7fae5

SHA512
2659f015209fe5d8aa3be15ebc984a6fab0b4867cfabb4dcc17209360e500bd07739ac20d8ddb22b59b9eeb0956a4d69b89c6503510010af29c1439095a8f6a6

Download Submit
C:\Windows\{0E987D0B-87C9-4928-924A-9B12879CD4B3}.exe

Filesize
372KB

MD5
d7545af7c667e6a4828b8a623933f59d

SHA1
0752257b968fd11a8d6536b3320a971409644b0a

SHA256
c04655e8c3ec7b14cddc22aa2da46fd156f0b3e7ab978b72c2e464cddcc7fae5

SHA512
2659f015209fe5d8aa3be15ebc984a6fab0b4867cfabb4dcc17209360e500bd07739ac20d8ddb22b59b9eeb0956a4d69b89c6503510010af29c1439095a8f6a6

Download Submit
C:\Windows\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe

Filesize
372KB

MD5
ad9dd81965108bcce4e6f803ec628fdb

SHA1
543ea2d544673f6c9f1fd48cd2f087f2ec4dd556

SHA256
fbe2c653f45babbb8a79e207d35f8e8a3c95323f82a7f61011b56416c6872fec

SHA512
78d295cbd08fcdbb5117d9d1bb1665ca2956b8caf12c3b11b898067562206594966a36790f200de56c58490ce7d3b542fc6ae215c06ba83f1e7d7c19ab2bd3be

Download Submit
C:\Windows\{11CA526F-B139-45db-A27A-CCE87B8AB9AF}.exe

Filesize
372KB

MD5
ad9dd81965108bcce4e6f803ec628fdb

SHA1
543ea2d544673f6c9f1fd48cd2f087f2ec4dd556

SHA256
fbe2c653f45babbb8a79e207d35f8e8a3c95323f82a7f61011b56416c6872fec

SHA512
78d295cbd08fcdbb5117d9d1bb1665ca2956b8caf12c3b11b898067562206594966a36790f200de56c58490ce7d3b542fc6ae215c06ba83f1e7d7c19ab2bd3be

Download Submit
C:\Windows\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe

Filesize
372KB

MD5
682554d2a59c43b3b6279d25c97c61f5

SHA1
daa2ed854f009d9b41c889f60453bcd2a82b9ebd

SHA256
75e59d55d76e87b22b68b9eb34d6b0bdf441b5702da06838847e881caa529fab

SHA512
efeb1348bfc24874ec44bfffa8ae783da3f5abb5d18dc2ff8e3877cf71626ba2f6d467f8c959fb46f3199f2c8ccdc9c2db262dab0b85596ed3620a343a8bff1c

Download Submit
C:\Windows\{1E3806AF-CADE-4d96-A0A4-3014A94552DF}.exe

Filesize
372KB

MD5
682554d2a59c43b3b6279d25c97c61f5

SHA1
daa2ed854f009d9b41c889f60453bcd2a82b9ebd

SHA256
75e59d55d76e87b22b68b9eb34d6b0bdf441b5702da06838847e881caa529fab

SHA512
efeb1348bfc24874ec44bfffa8ae783da3f5abb5d18dc2ff8e3877cf71626ba2f6d467f8c959fb46f3199f2c8ccdc9c2db262dab0b85596ed3620a343a8bff1c

Download Submit
C:\Windows\{3A8E8EB9-D22A-48b9-8D73-4231D6DB4444}.exe

Filesize
372KB

MD5
b0cb26096a70ede0cbc1620b27db24e9

SHA1
945d32ed69aaa5307ccd93aedcf2bd4e9690e656

SHA256
517585f649949cd9a38ad23cde4a97d63cd521c76d0478882b48e1e24424e6c2

SHA512
0fc1ff0c3f4b2952c4aa83844079e1202a3e1e625a644cfb3c961ee14f503f9ce11f740de3c6fef23273a93171ea31677c4f92707a78d4f332cfd8e6eca6bc31

Download Submit
C:\Windows\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe

Filesize
372KB

MD5
35e4141aacc01fb120911f5f0c4c4a34

SHA1
54fd459605dd1ec1c1a1840d1fff798988b88ca2

SHA256
3611bdb1c5ef71dbe5f949a6a56c1c4fe53626d771b82535cd6b6c50eb41cb41

SHA512
5bab1fb8e35509b84d8a87587be96da6e808bb2c23d7d719474afdb86f84eac4e4c03e0547fbf45495d24bbafe12aa140980ead81730d5314eb6e80bece7c286

Download Submit
C:\Windows\{3C0C74F0-19F7-4f15-8674-4399F867028C}.exe

Filesize
372KB

MD5
35e4141aacc01fb120911f5f0c4c4a34

SHA1
54fd459605dd1ec1c1a1840d1fff798988b88ca2

SHA256
3611bdb1c5ef71dbe5f949a6a56c1c4fe53626d771b82535cd6b6c50eb41cb41

SHA512
5bab1fb8e35509b84d8a87587be96da6e808bb2c23d7d719474afdb86f84eac4e4c03e0547fbf45495d24bbafe12aa140980ead81730d5314eb6e80bece7c286

Download Submit
C:\Windows\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe

Filesize
372KB

MD5
94a8abdc2992acaaa8518c32bf970e69

SHA1
c319385b83148d3a3c13b53d569dc3c0f2365ea8

SHA256
187fcd1538ad0b4197cf6c87100f531a027ff62312298ba9ad6c99d0abb3524b

SHA512
7b6ba91acd06e1d317ebaa09173f7cca9796ae98e9befca7b9e3a68771909cb0ea5eaa0e4b2ee23e7d543a88f5b05084f5eee55ee6946b21fdce83521074a83d

Download Submit
C:\Windows\{49A843A0-B141-4dc3-ABAE-7606CCBB74F3}.exe

Filesize
372KB

MD5
94a8abdc2992acaaa8518c32bf970e69

SHA1
c319385b83148d3a3c13b53d569dc3c0f2365ea8

SHA256
187fcd1538ad0b4197cf6c87100f531a027ff62312298ba9ad6c99d0abb3524b

SHA512
7b6ba91acd06e1d317ebaa09173f7cca9796ae98e9befca7b9e3a68771909cb0ea5eaa0e4b2ee23e7d543a88f5b05084f5eee55ee6946b21fdce83521074a83d

Download Submit
C:\Windows\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe

Filesize
372KB

MD5
c523a89b9d2295cf9c267ba3e3d59022

SHA1
efae48b5a036696077f26b9b4cde346e86a17040

SHA256
bb41a27f43fba10ccca774ac86f6817ee5987408ba436754f7e033c64b5d46c8

SHA512
3213aceb0fc1b35cf0a13ff225145f3b8a944e6681116cff0637f4c015f23b7279a26867f6ae64a93f7cd291ed3b594da1e25bf54e09d7a99b8044341f33cdba

Download Submit
C:\Windows\{588EA588-8F8C-44f8-9D49-99E8B674565B}.exe

Filesize
372KB

MD5
c523a89b9d2295cf9c267ba3e3d59022

SHA1
efae48b5a036696077f26b9b4cde346e86a17040

SHA256
bb41a27f43fba10ccca774ac86f6817ee5987408ba436754f7e033c64b5d46c8

SHA512
3213aceb0fc1b35cf0a13ff225145f3b8a944e6681116cff0637f4c015f23b7279a26867f6ae64a93f7cd291ed3b594da1e25bf54e09d7a99b8044341f33cdba

Download Submit
C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe

Filesize
372KB

MD5
f21d3008369d64a67315d725d3994c2a

SHA1
1f84da9fc60d90fe6522ff43bf1953c7d8c5f0b7

SHA256
3d409409d531db84097fdfa0749f08e17f80be551f262d2179945430758b057c

SHA512
35b590a69a50139c7fc07be729fbecc5127d8e627f3f283b4cd6dd50a7da15f8b71c73018026474a64f850f3b89ebbe9cd170fdfe0c12a56eabbbd8af4775c66

Download Submit
C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe

Filesize
372KB

MD5
f21d3008369d64a67315d725d3994c2a

SHA1
1f84da9fc60d90fe6522ff43bf1953c7d8c5f0b7

SHA256
3d409409d531db84097fdfa0749f08e17f80be551f262d2179945430758b057c

SHA512
35b590a69a50139c7fc07be729fbecc5127d8e627f3f283b4cd6dd50a7da15f8b71c73018026474a64f850f3b89ebbe9cd170fdfe0c12a56eabbbd8af4775c66

Download Submit
C:\Windows\{7EDF03B8-27AB-4e13-8B80-8D4729F9EF5E}.exe

Filesize
372KB

MD5
f21d3008369d64a67315d725d3994c2a

SHA1
1f84da9fc60d90fe6522ff43bf1953c7d8c5f0b7

SHA256
3d409409d531db84097fdfa0749f08e17f80be551f262d2179945430758b057c

SHA512
35b590a69a50139c7fc07be729fbecc5127d8e627f3f283b4cd6dd50a7da15f8b71c73018026474a64f850f3b89ebbe9cd170fdfe0c12a56eabbbd8af4775c66

Download Submit
C:\Windows\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe

Filesize
372KB

MD5
7ed8ae7d1a2a96cdc9bf999039a2a3c0

SHA1
1fe29bfce8370ef784cfc426d149525e1a798475

SHA256
8fd5d642f956aa3e40d2bf397bbdbb85f782a80147a61140ad8fb6a463de15df

SHA512
3b4bca0ab3dc58b6739fffe3170b1c4a7b7b8c1a212a24a5ffffb1c437462b5c06ea3042e6b65c4149c4135b93fe25064da2974a9dd962519cc8c790307dd30a

Download Submit
C:\Windows\{9FBA1ADA-6C5F-4a39-B17C-82A49C2A6E7A}.exe

Filesize
372KB

MD5
7ed8ae7d1a2a96cdc9bf999039a2a3c0

SHA1
1fe29bfce8370ef784cfc426d149525e1a798475

SHA256
8fd5d642f956aa3e40d2bf397bbdbb85f782a80147a61140ad8fb6a463de15df

SHA512
3b4bca0ab3dc58b6739fffe3170b1c4a7b7b8c1a212a24a5ffffb1c437462b5c06ea3042e6b65c4149c4135b93fe25064da2974a9dd962519cc8c790307dd30a

Download Submit
C:\Windows\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe

Filesize
372KB

MD5
e081c359e6306145ccacf592d0304cff

SHA1
6327f116d0db831913df4c3754a188973db4463b

SHA256
476544556c7369516a207a0e2d8ae5592de18e5a1514b61fd9b3e9b13db30358

SHA512
4a3240706e1bbd10946eb26f4f3b99e8ae9eed390007486b3485b7edfb880fa7a4f355bcaf882ddde360936b4ce2f6db0acdc07f68c7eeb5d05b12f5dcb6cf79

Download Submit
C:\Windows\{E84F199D-E2EB-4bc9-8A9F-0D364701FCCF}.exe

Filesize
372KB

MD5
e081c359e6306145ccacf592d0304cff

SHA1
6327f116d0db831913df4c3754a188973db4463b

SHA256
476544556c7369516a207a0e2d8ae5592de18e5a1514b61fd9b3e9b13db30358

SHA512
4a3240706e1bbd10946eb26f4f3b99e8ae9eed390007486b3485b7edfb880fa7a4f355bcaf882ddde360936b4ce2f6db0acdc07f68c7eeb5d05b12f5dcb6cf79

Download Submit
C:\Windows\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe

Filesize
372KB

MD5
c0ccc367f8f5a064f45d947fbf1df140

SHA1
50b027310437fc98180e8a81a5da2b289a9d7a84

SHA256
7cab21a54453ab46473034a209e371be4439a033c614d2a86a3f2d6e3010250e

SHA512
29ba79a9529ce4852006410c70edbadb64e8c17941bab4082af85d6206b21b25113746e3486448cb1dfcddda1c8b52d034a9e7a73d75ac017395966d58406b4e

Download Submit
C:\Windows\{FB115E51-50AF-4f9a-B224-1DD1CDB20DF9}.exe

Filesize
372KB

MD5
c0ccc367f8f5a064f45d947fbf1df140

SHA1
50b027310437fc98180e8a81a5da2b289a9d7a84

SHA256
7cab21a54453ab46473034a209e371be4439a033c614d2a86a3f2d6e3010250e

SHA512
29ba79a9529ce4852006410c70edbadb64e8c17941bab4082af85d6206b21b25113746e3486448cb1dfcddda1c8b52d034a9e7a73d75ac017395966d58406b4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads