7a44d8d9c4329150e3e10440da6d141dd1991954c22e4a2a14a2b5fb62fddf6f

Analysis

max time kernel
169s
max time network
141s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Size

192KB
MD5

6e058e5a1c38b5284e7d68094ef56fec
SHA1

c1cd6fb7172198502ac8e9fa8bb13a9450a9d38c
SHA256

7a44d8d9c4329150e3e10440da6d141dd1991954c22e4a2a14a2b5fb62fddf6f
SHA512

5ca2be30081b8611948578059cddde68e7c210b38095d8ac37536fd78ab336cde34d98a9bfe727efb8d31104a9969769f88e06a392ac3d7a094995b199a98fa6
SSDEEP

1536:1EGh0oHl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oHl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7055E28-A841-46b3-A367-924AFD2E39EF}\stubpath = "C:\\Windows\\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe"	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}\stubpath = "C:\\Windows\\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe"	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}\stubpath = "C:\\Windows\\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe"	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}\stubpath = "C:\\Windows\\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe"	{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}	{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776733E-064D-41b0-8C6A-D01523811C8A}	{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A15837E-7E08-408a-A08B-0747FD10F6F2}	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FBF16EA-F800-47d7-8EF6-1E6822521435}	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7055E28-A841-46b3-A367-924AFD2E39EF}	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}\stubpath = "C:\\Windows\\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe"	{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FBF16EA-F800-47d7-8EF6-1E6822521435}\stubpath = "C:\\Windows\\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe"	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3F14116-B658-4b23-9C1A-0D67C78C9853}	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3F14116-B658-4b23-9C1A-0D67C78C9853}\stubpath = "C:\\Windows\\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe"	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{227F01E8-595E-4996-B13E-0616D9D5135A}\stubpath = "C:\\Windows\\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe"	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776733E-064D-41b0-8C6A-D01523811C8A}\stubpath = "C:\\Windows\\{9776733E-064D-41b0-8C6A-D01523811C8A}.exe"	{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}\stubpath = "C:\\Windows\\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe"	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A15837E-7E08-408a-A08B-0747FD10F6F2}\stubpath = "C:\\Windows\\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe"	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{227F01E8-595E-4996-B13E-0616D9D5135A}	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}	{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
2900	{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
2756	{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
1660	{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe
2592	{9776733E-064D-41b0-8C6A-D01523811C8A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
File created	C:\Windows\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
File created	C:\Windows\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
File created	C:\Windows\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
File created	C:\Windows\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
File created	C:\Windows\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
File created	C:\Windows\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
File created	C:\Windows\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
File created	C:\Windows\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe	{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
File created	C:\Windows\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe	{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
File created	C:\Windows\{9776733E-064D-41b0-8C6A-D01523811C8A}.exe	{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
Token: SeIncBasePriorityPrivilege	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
Token: SeIncBasePriorityPrivilege	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
Token: SeIncBasePriorityPrivilege	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
Token: SeIncBasePriorityPrivilege	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
Token: SeIncBasePriorityPrivilege	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
Token: SeIncBasePriorityPrivilege	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
Token: SeIncBasePriorityPrivilege	2900	{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
Token: SeIncBasePriorityPrivilege	2756	{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
Token: SeIncBasePriorityPrivilege	1660	{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2732	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	29
PID 2688 wrote to memory of 2732	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	29
PID 2688 wrote to memory of 2732	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	29
PID 2688 wrote to memory of 2732	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	29
PID 2688 wrote to memory of 2616	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	30
PID 2688 wrote to memory of 2616	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	30
PID 2688 wrote to memory of 2616	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	30
PID 2688 wrote to memory of 2616	2688	2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe	30
PID 2732 wrote to memory of 2784	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	31
PID 2732 wrote to memory of 2784	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	31
PID 2732 wrote to memory of 2784	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	31
PID 2732 wrote to memory of 2784	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	31
PID 2732 wrote to memory of 2580	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	32
PID 2732 wrote to memory of 2580	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	32
PID 2732 wrote to memory of 2580	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	32
PID 2732 wrote to memory of 2580	2732	{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe	32
PID 2784 wrote to memory of 2628	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	34
PID 2784 wrote to memory of 2628	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	34
PID 2784 wrote to memory of 2628	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	34
PID 2784 wrote to memory of 2628	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	34
PID 2784 wrote to memory of 320	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	33
PID 2784 wrote to memory of 320	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	33
PID 2784 wrote to memory of 320	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	33
PID 2784 wrote to memory of 320	2784	{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe	33
PID 2628 wrote to memory of 2488	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	36
PID 2628 wrote to memory of 2488	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	36
PID 2628 wrote to memory of 2488	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	36
PID 2628 wrote to memory of 2488	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	36
PID 2628 wrote to memory of 2544	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	35
PID 2628 wrote to memory of 2544	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	35
PID 2628 wrote to memory of 2544	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	35
PID 2628 wrote to memory of 2544	2628	{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe	35
PID 2488 wrote to memory of 2536	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	37
PID 2488 wrote to memory of 2536	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	37
PID 2488 wrote to memory of 2536	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	37
PID 2488 wrote to memory of 2536	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	37
PID 2488 wrote to memory of 3060	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	38
PID 2488 wrote to memory of 3060	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	38
PID 2488 wrote to memory of 3060	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	38
PID 2488 wrote to memory of 3060	2488	{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe	38
PID 2536 wrote to memory of 1964	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	39
PID 2536 wrote to memory of 1964	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	39
PID 2536 wrote to memory of 1964	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	39
PID 2536 wrote to memory of 1964	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	39
PID 2536 wrote to memory of 2840	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	40
PID 2536 wrote to memory of 2840	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	40
PID 2536 wrote to memory of 2840	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	40
PID 2536 wrote to memory of 2840	2536	{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe	40
PID 1964 wrote to memory of 2888	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	41
PID 1964 wrote to memory of 2888	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	41
PID 1964 wrote to memory of 2888	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	41
PID 1964 wrote to memory of 2888	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	41
PID 1964 wrote to memory of 2852	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	42
PID 1964 wrote to memory of 2852	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	42
PID 1964 wrote to memory of 2852	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	42
PID 1964 wrote to memory of 2852	1964	{227F01E8-595E-4996-B13E-0616D9D5135A}.exe	42
PID 2888 wrote to memory of 2900	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	43
PID 2888 wrote to memory of 2900	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	43
PID 2888 wrote to memory of 2900	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	43
PID 2888 wrote to memory of 2900	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	43
PID 2888 wrote to memory of 1556	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	44
PID 2888 wrote to memory of 1556	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	44
PID 2888 wrote to memory of 1556	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	44
PID 2888 wrote to memory of 1556	2888	{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_6e058e5a1c38b5284e7d68094ef56fec_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
  C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
    C:\Windows\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A158~1.EXE > nul
      4⤵
      PID:320
  - - C:\Windows\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
      C:\Windows\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FBF1~1.EXE > nul
        5⤵
        
        PID:2544
    - - C:\Windows\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
        
        C:\Windows\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
        
        C:\Windows\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
        
        C:\Windows\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
        
        C:\Windows\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
        
        C:\Windows\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08ED2~1.EXE > nul
        10⤵
        
        PID:1072
        
        C:\Windows\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
        
        C:\Windows\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe
        
        C:\Windows\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\{9776733E-064D-41b0-8C6A-D01523811C8A}.exe
        
        C:\Windows\{9776733E-064D-41b0-8C6A-D01523811C8A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C2EF~1.EXE > nul
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFA8~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F3F5~1.EXE > nul
        9⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{227F0~1.EXE > nul
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3F14~1.EXE > nul
        7⤵
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7055~1.EXE > nul
        6⤵
        
        PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD3E~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe

Filesize
192KB

MD5
e5b05787cfd574b1e3a7bb34a38ca5a9

SHA1
b84780c1c47d978d26f3362202c1b46986f994cd

SHA256
afb4ec2eb199f85145ae88c403a33de5e747ee0f51e2e50ad16e777b4e284ba3

SHA512
7e96ca05ce5334c6e7a6cbf61e41e795561ccb7c090568fdfc175a428ece771edcce953ebcdea830231c8b08ca14abee367b6d8f066e2f46c04736c33d3c1b74

Download Submit
C:\Windows\{08ED2854-E890-4525-B00A-AFC0B55FEEAA}.exe

Filesize
192KB

MD5
e5b05787cfd574b1e3a7bb34a38ca5a9

SHA1
b84780c1c47d978d26f3362202c1b46986f994cd

SHA256
afb4ec2eb199f85145ae88c403a33de5e747ee0f51e2e50ad16e777b4e284ba3

SHA512
7e96ca05ce5334c6e7a6cbf61e41e795561ccb7c090568fdfc175a428ece771edcce953ebcdea830231c8b08ca14abee367b6d8f066e2f46c04736c33d3c1b74

Download Submit
C:\Windows\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe

Filesize
192KB

MD5
60dd05538057904d2689953eb467cffa

SHA1
5501ac47b804fa3d9e2b0da94ed5a5901282edb1

SHA256
8310a0e0050abd7fd022488d6e493612f1e95f489d589c3cc457b0abf54cc2c5

SHA512
31683c9204840c852f17747925c7d9d7109d4356e68ab578f8c1852a5dfd55bcdd9483ada82787f40bb5957635b80e3a1495417e3469c64184181b917b5437a8

Download Submit
C:\Windows\{1C2EFD3E-0DBA-455f-ADC7-F5B518F71923}.exe

Filesize
192KB

MD5
60dd05538057904d2689953eb467cffa

SHA1
5501ac47b804fa3d9e2b0da94ed5a5901282edb1

SHA256
8310a0e0050abd7fd022488d6e493612f1e95f489d589c3cc457b0abf54cc2c5

SHA512
31683c9204840c852f17747925c7d9d7109d4356e68ab578f8c1852a5dfd55bcdd9483ada82787f40bb5957635b80e3a1495417e3469c64184181b917b5437a8

Download Submit
C:\Windows\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe

Filesize
192KB

MD5
3fe5536fc647991157691393e9b25839

SHA1
c97db096d81e119931f7de5609c51efc25ea00e3

SHA256
b783f439a47fb5a8af325218c1afc0eb88197dd7190de58f3962291fcee458bd

SHA512
2684776449c13425f3c4c39faeb233fd1246d4a90994d448e0062c3f7d99e86f4c0932cf22fd1682a72b246352e558bb58b1cd30370089dd1a7fa0c71485ea3e

Download Submit
C:\Windows\{227F01E8-595E-4996-B13E-0616D9D5135A}.exe

Filesize
192KB

MD5
3fe5536fc647991157691393e9b25839

SHA1
c97db096d81e119931f7de5609c51efc25ea00e3

SHA256
b783f439a47fb5a8af325218c1afc0eb88197dd7190de58f3962291fcee458bd

SHA512
2684776449c13425f3c4c39faeb233fd1246d4a90994d448e0062c3f7d99e86f4c0932cf22fd1682a72b246352e558bb58b1cd30370089dd1a7fa0c71485ea3e

Download Submit
C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe

Filesize
192KB

MD5
8f7f1c5e83a05e16ff10d6a009f52231

SHA1
2975dd6d1f331c2f056d64ecfe27aaaa9fe8497e

SHA256
b6a4b4512df36a2c39acf0f8055d5ca6e6984c4f5f0238815406c8a6314dca59

SHA512
6ddef062aa9dc3cb5de50e83cfc13eabc464cee63825ced7a8a4a0535233fdb6cf3d7b1d4fcabe0469fda867114b8949c6342a975d8bb8569aa7d9455189f6cc

Download Submit
C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe

Filesize
192KB

MD5
8f7f1c5e83a05e16ff10d6a009f52231

SHA1
2975dd6d1f331c2f056d64ecfe27aaaa9fe8497e

SHA256
b6a4b4512df36a2c39acf0f8055d5ca6e6984c4f5f0238815406c8a6314dca59

SHA512
6ddef062aa9dc3cb5de50e83cfc13eabc464cee63825ced7a8a4a0535233fdb6cf3d7b1d4fcabe0469fda867114b8949c6342a975d8bb8569aa7d9455189f6cc

Download Submit
C:\Windows\{2AD3E56D-14C5-4631-80AA-2CFAC98CC91B}.exe

Filesize
192KB

MD5
8f7f1c5e83a05e16ff10d6a009f52231

SHA1
2975dd6d1f331c2f056d64ecfe27aaaa9fe8497e

SHA256
b6a4b4512df36a2c39acf0f8055d5ca6e6984c4f5f0238815406c8a6314dca59

SHA512
6ddef062aa9dc3cb5de50e83cfc13eabc464cee63825ced7a8a4a0535233fdb6cf3d7b1d4fcabe0469fda867114b8949c6342a975d8bb8569aa7d9455189f6cc

Download Submit
C:\Windows\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe

Filesize
192KB

MD5
e76cf3b5d822a9f4d2a0926506bc7cf8

SHA1
5aaf8b2fe2b15f07c818dc76b82d7adc8934c8f2

SHA256
9b08d603d231e97c7bc00ea0b61f163f9972c79a7e74da80db446bea81e3e699

SHA512
c10b03a55d8d4d4151a62b1a1366396f720333d7c6f97cf7e81638efad018d50e7dc90f848050f90c771cb8a7a7c209bd3dfb048d464d32cc80c6b9c6b4a4d6d

Download Submit
C:\Windows\{4F3F5ED9-FD80-48e7-8E1D-5D7B822FDD8E}.exe

Filesize
192KB

MD5
e76cf3b5d822a9f4d2a0926506bc7cf8

SHA1
5aaf8b2fe2b15f07c818dc76b82d7adc8934c8f2

SHA256
9b08d603d231e97c7bc00ea0b61f163f9972c79a7e74da80db446bea81e3e699

SHA512
c10b03a55d8d4d4151a62b1a1366396f720333d7c6f97cf7e81638efad018d50e7dc90f848050f90c771cb8a7a7c209bd3dfb048d464d32cc80c6b9c6b4a4d6d

Download Submit
C:\Windows\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe

Filesize
192KB

MD5
a6711f0f82e0986c9cdd8846f672e4e3

SHA1
1b1de9a6c798dcd47db6e3bc374a7063c8d9d801

SHA256
fc6d671d4ab967639d074565f778cd9b0d2a5b2cc0d8d046b65814ed55ad65a2

SHA512
d6f9e6f70eebda312931fdf8afd5a97ae848b89feda68098af76fe816e0b76e146b09f6ba45209f275fc15e9a3605f6a197012f666e3a5cd44fd82e83f0734d0

Download Submit
C:\Windows\{5A15837E-7E08-408a-A08B-0747FD10F6F2}.exe

Filesize
192KB

MD5
a6711f0f82e0986c9cdd8846f672e4e3

SHA1
1b1de9a6c798dcd47db6e3bc374a7063c8d9d801

SHA256
fc6d671d4ab967639d074565f778cd9b0d2a5b2cc0d8d046b65814ed55ad65a2

SHA512
d6f9e6f70eebda312931fdf8afd5a97ae848b89feda68098af76fe816e0b76e146b09f6ba45209f275fc15e9a3605f6a197012f666e3a5cd44fd82e83f0734d0

Download Submit
C:\Windows\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe

Filesize
192KB

MD5
c900a5e7f6073bdd8ccb4478a39337d5

SHA1
59dc0d4520a394e0b972a98f81ff294e74c984d8

SHA256
3272cc20084a9c0d35193d976e20e3bc96cdd199219b101d338ec7b417c45d9d

SHA512
5072e8642899fe0b0808fcc5add86d0866ce5e841d89f981759844e279207ca8f9a759bd5e0da55bdbde7f1bd1661fe17403631e7de47961daf62e0864d6e32e

Download Submit
C:\Windows\{5FBF16EA-F800-47d7-8EF6-1E6822521435}.exe

Filesize
192KB

MD5
c900a5e7f6073bdd8ccb4478a39337d5

SHA1
59dc0d4520a394e0b972a98f81ff294e74c984d8

SHA256
3272cc20084a9c0d35193d976e20e3bc96cdd199219b101d338ec7b417c45d9d

SHA512
5072e8642899fe0b0808fcc5add86d0866ce5e841d89f981759844e279207ca8f9a759bd5e0da55bdbde7f1bd1661fe17403631e7de47961daf62e0864d6e32e

Download Submit
C:\Windows\{9776733E-064D-41b0-8C6A-D01523811C8A}.exe

Filesize
192KB

MD5
56faa8db87693e65bd9edee3d4b3c720

SHA1
ffc160394d90248f95fa985370f3f163ad3840a3

SHA256
49be509768a455dc50055574e9411cc55cf0b9da76649c1208cb3dd1f57bb2ce

SHA512
174895a054564833d30dd518bb7532ecbb2f679e463cb1513278219af234723e547eb2757bf70b5205445ab53e685e9f2d7e8c08a4752b592b496ec89e834177

Download Submit
C:\Windows\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe

Filesize
192KB

MD5
676f1029257085a9e07c4d0ec71b7042

SHA1
b22091810e186f1af1115ad7a2faadfc849d17e4

SHA256
61121c3f0b08408a0ac8cf605fec2cc3f9d5960087e5546d4f2e02142da23a2e

SHA512
48d290b186d6b752c2f48b870813077a9783858fd406bb541d64e9d4f8b1b40f14702a5176836448b578619cb64927ba5b6cee843d54c14fe3110498b21c47ed

Download Submit
C:\Windows\{D3F14116-B658-4b23-9C1A-0D67C78C9853}.exe

Filesize
192KB

MD5
676f1029257085a9e07c4d0ec71b7042

SHA1
b22091810e186f1af1115ad7a2faadfc849d17e4

SHA256
61121c3f0b08408a0ac8cf605fec2cc3f9d5960087e5546d4f2e02142da23a2e

SHA512
48d290b186d6b752c2f48b870813077a9783858fd406bb541d64e9d4f8b1b40f14702a5176836448b578619cb64927ba5b6cee843d54c14fe3110498b21c47ed

Download Submit
C:\Windows\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe

Filesize
192KB

MD5
a647f50fe7fd153cb425dca809729adb

SHA1
9001cf63bd82de30d40b52077b6c9718d8367dca

SHA256
2c59a81b193906db2cac7cab403e46cc9d8458923c242d48cb420300357340d7

SHA512
60b2971c1f79c4dac498de8984918c7cf0902c3aa716cf3ce8852bbd8e994ad2caec97f02cc20009293bf64c1c1903ed80063befe61475ab1bb064a578094bd2

Download Submit
C:\Windows\{DEFA80B3-6FAA-4d4c-94AC-DB5105E4B59F}.exe

Filesize
192KB

MD5
a647f50fe7fd153cb425dca809729adb

SHA1
9001cf63bd82de30d40b52077b6c9718d8367dca

SHA256
2c59a81b193906db2cac7cab403e46cc9d8458923c242d48cb420300357340d7

SHA512
60b2971c1f79c4dac498de8984918c7cf0902c3aa716cf3ce8852bbd8e994ad2caec97f02cc20009293bf64c1c1903ed80063befe61475ab1bb064a578094bd2

Download Submit
C:\Windows\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe

Filesize
192KB

MD5
8134d0a8e3afe81f69628e52adc29fbc

SHA1
e8f49d7965102d6f55e15ae079a91775513c43f6

SHA256
22bc3f0b5fe3036ca282e3181c0d5f4bad9ab7ed7f64dd8cc1e211e4173824c2

SHA512
212f45251a911b500fcc770f0b6b667ea5a38f6a7ff515ac441e8fa2aa3a0f66816e0ad83303339053ce136275e327071fbc5145016b68f40e17c9b52ed899e8

Download Submit
C:\Windows\{E7055E28-A841-46b3-A367-924AFD2E39EF}.exe

Filesize
192KB

MD5
8134d0a8e3afe81f69628e52adc29fbc

SHA1
e8f49d7965102d6f55e15ae079a91775513c43f6

SHA256
22bc3f0b5fe3036ca282e3181c0d5f4bad9ab7ed7f64dd8cc1e211e4173824c2

SHA512
212f45251a911b500fcc770f0b6b667ea5a38f6a7ff515ac441e8fa2aa3a0f66816e0ad83303339053ce136275e327071fbc5145016b68f40e17c9b52ed899e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads