fbdc27d23784273a02a7b7a68b347f1dd34ea18aaf67ca5a2dbaeb1fd0d42d12

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 15:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
Size

216KB
MD5

7fd8046af20a9730a5f6bc0441ac7269
SHA1

2ae505f0fc66e4e713be570bab1a16520fb54803
SHA256

fbdc27d23784273a02a7b7a68b347f1dd34ea18aaf67ca5a2dbaeb1fd0d42d12
SHA512

58d65ac84e7ab977360f219b100b213561e4017ad781e57f13aaf12682b99a73b58ada8bf470ab3bc7ddfdd8ad2877f306a074e52aa20fa506833c3272c0eb91
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}\stubpath = "C:\\Windows\\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe"	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}\stubpath = "C:\\Windows\\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe"	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F704BD-9878-4954-81AF-6E13B91B4333}	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}\stubpath = "C:\\Windows\\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe"	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}\stubpath = "C:\\Windows\\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe"	{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C6FB48-21BC-4297-B77F-874095AC613C}\stubpath = "C:\\Windows\\{82C6FB48-21BC-4297-B77F-874095AC613C}.exe"	{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}\stubpath = "C:\\Windows\\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe"	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}\stubpath = "C:\\Windows\\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe"	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}\stubpath = "C:\\Windows\\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe"	{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}\stubpath = "C:\\Windows\\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe"	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F704BD-9878-4954-81AF-6E13B91B4333}\stubpath = "C:\\Windows\\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe"	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}	{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C6FB48-21BC-4297-B77F-874095AC613C}	{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}\stubpath = "C:\\Windows\\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe"	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}	{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
2268	{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
2600	{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
2260	{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
1648	{82C6FB48-21BC-4297-B77F-874095AC613C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
File created	C:\Windows\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
File created	C:\Windows\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe	{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
File created	C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
File created	C:\Windows\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
File created	C:\Windows\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
File created	C:\Windows\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe	{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
File created	C:\Windows\{82C6FB48-21BC-4297-B77F-874095AC613C}.exe	{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
File created	C:\Windows\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
File created	C:\Windows\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
File created	C:\Windows\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
Token: SeIncBasePriorityPrivilege	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
Token: SeIncBasePriorityPrivilege	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
Token: SeIncBasePriorityPrivilege	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
Token: SeIncBasePriorityPrivilege	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
Token: SeIncBasePriorityPrivilege	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
Token: SeIncBasePriorityPrivilege	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
Token: SeIncBasePriorityPrivilege	2268	{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
Token: SeIncBasePriorityPrivilege	2600	{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
Token: SeIncBasePriorityPrivilege	2260	{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3064	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	28
PID 2112 wrote to memory of 3064	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	28
PID 2112 wrote to memory of 3064	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	28
PID 2112 wrote to memory of 3064	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	28
PID 2112 wrote to memory of 2656	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	29
PID 2112 wrote to memory of 2656	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	29
PID 2112 wrote to memory of 2656	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	29
PID 2112 wrote to memory of 2656	2112	2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe	29
PID 3064 wrote to memory of 2776	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	30
PID 3064 wrote to memory of 2776	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	30
PID 3064 wrote to memory of 2776	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	30
PID 3064 wrote to memory of 2776	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	30
PID 3064 wrote to memory of 2668	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	31
PID 3064 wrote to memory of 2668	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	31
PID 3064 wrote to memory of 2668	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	31
PID 3064 wrote to memory of 2668	3064	{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe	31
PID 2776 wrote to memory of 2784	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	33
PID 2776 wrote to memory of 2784	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	33
PID 2776 wrote to memory of 2784	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	33
PID 2776 wrote to memory of 2784	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	33
PID 2776 wrote to memory of 2520	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	32
PID 2776 wrote to memory of 2520	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	32
PID 2776 wrote to memory of 2520	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	32
PID 2776 wrote to memory of 2520	2776	{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe	32
PID 2784 wrote to memory of 2560	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	36
PID 2784 wrote to memory of 2560	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	36
PID 2784 wrote to memory of 2560	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	36
PID 2784 wrote to memory of 2560	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	36
PID 2784 wrote to memory of 2524	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	37
PID 2784 wrote to memory of 2524	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	37
PID 2784 wrote to memory of 2524	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	37
PID 2784 wrote to memory of 2524	2784	{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe	37
PID 2560 wrote to memory of 2576	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	39
PID 2560 wrote to memory of 2576	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	39
PID 2560 wrote to memory of 2576	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	39
PID 2560 wrote to memory of 2576	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	39
PID 2560 wrote to memory of 2976	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	38
PID 2560 wrote to memory of 2976	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	38
PID 2560 wrote to memory of 2976	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	38
PID 2560 wrote to memory of 2976	2560	{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe	38
PID 2576 wrote to memory of 2368	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	41
PID 2576 wrote to memory of 2368	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	41
PID 2576 wrote to memory of 2368	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	41
PID 2576 wrote to memory of 2368	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	41
PID 2576 wrote to memory of 1916	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	40
PID 2576 wrote to memory of 1916	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	40
PID 2576 wrote to memory of 1916	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	40
PID 2576 wrote to memory of 1916	2576	{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe	40
PID 2368 wrote to memory of 2872	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	42
PID 2368 wrote to memory of 2872	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	42
PID 2368 wrote to memory of 2872	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	42
PID 2368 wrote to memory of 2872	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	42
PID 2368 wrote to memory of 2352	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	43
PID 2368 wrote to memory of 2352	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	43
PID 2368 wrote to memory of 2352	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	43
PID 2368 wrote to memory of 2352	2368	{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe	43
PID 2872 wrote to memory of 2268	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	45
PID 2872 wrote to memory of 2268	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	45
PID 2872 wrote to memory of 2268	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	45
PID 2872 wrote to memory of 2268	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	45
PID 2872 wrote to memory of 2064	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	44
PID 2872 wrote to memory of 2064	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	44
PID 2872 wrote to memory of 2064	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	44
PID 2872 wrote to memory of 2064	2872	{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_7fd8046af20a9730a5f6bc0441ac7269_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
  C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
    C:\Windows\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22E1C~1.EXE > nul
      4⤵
      PID:2520
  - - C:\Windows\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
      C:\Windows\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
        
        C:\Windows\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67DCB~1.EXE > nul
        6⤵
        
        PID:2976
      - C:\Windows\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
        
        C:\Windows\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E793~1.EXE > nul
        7⤵
        
        PID:1916
        
        C:\Windows\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
        
        C:\Windows\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
        
        C:\Windows\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D865F~1.EXE > nul
        9⤵
        
        PID:2064
        
        C:\Windows\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
        
        C:\Windows\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26F70~1.EXE > nul
        10⤵
        
        PID:2716
        
        C:\Windows\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
        
        C:\Windows\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{759C3~1.EXE > nul
        11⤵
        
        PID:1696
        
        C:\Windows\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
        
        C:\Windows\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16479~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\{82C6FB48-21BC-4297-B77F-874095AC613C}.exe
        
        C:\Windows\{82C6FB48-21BC-4297-B77F-874095AC613C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6A1~1.EXE > nul
        8⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDFC6~1.EXE > nul
        5⤵
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96DB1~1.EXE > nul
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe

Filesize
216KB

MD5
d4a39f0f30c601a1496b6482bb5d6a2d

SHA1
d539f19e6cd529d8f1daa86dcd3fbefa73584991

SHA256
303c29ddd632477da6649cb6f36cf58d5977a636806692d2ea66981ff71deba7

SHA512
23911cd5252d9de5a28f7bd354faa0bcd04f18607915a35587203bab9e1d4ab7ed3eb877ea9089e2a62d31e82a80a156156fc1e4779cd8549f252ac5d7631a1f

Download Submit
C:\Windows\{164797A0-54E1-4a1d-A3FE-7D318DE80C1A}.exe

Filesize
216KB

MD5
d4a39f0f30c601a1496b6482bb5d6a2d

SHA1
d539f19e6cd529d8f1daa86dcd3fbefa73584991

SHA256
303c29ddd632477da6649cb6f36cf58d5977a636806692d2ea66981ff71deba7

SHA512
23911cd5252d9de5a28f7bd354faa0bcd04f18607915a35587203bab9e1d4ab7ed3eb877ea9089e2a62d31e82a80a156156fc1e4779cd8549f252ac5d7631a1f

Download Submit
C:\Windows\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe

Filesize
216KB

MD5
12dcf78ee146774f3fef58d279233064

SHA1
8684df958204092f6c0a13e6565259ea1f62df58

SHA256
1aa2ed6109e2e8f6c8d70523a21703b191e5c1f8d29f7f2ca0cba491886d716d

SHA512
fcbc53b9e326490ba524b89ee25f4e8f8c355901df7d48c79e2fabaab7ff818396ef230ed23b44c400887f3ecc0212216460a04fefead1ef35942eebedf1bcfc

Download Submit
C:\Windows\{22E1C49E-CB9D-4857-B8FA-7244FF55C18B}.exe

Filesize
216KB

MD5
12dcf78ee146774f3fef58d279233064

SHA1
8684df958204092f6c0a13e6565259ea1f62df58

SHA256
1aa2ed6109e2e8f6c8d70523a21703b191e5c1f8d29f7f2ca0cba491886d716d

SHA512
fcbc53b9e326490ba524b89ee25f4e8f8c355901df7d48c79e2fabaab7ff818396ef230ed23b44c400887f3ecc0212216460a04fefead1ef35942eebedf1bcfc

Download Submit
C:\Windows\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe

Filesize
216KB

MD5
72845e0fd100bf8fe32757223b939867

SHA1
861c5f835f394c83850c95b11aee4fbf5974b468

SHA256
d10632eb3e3b509197d80d18b7b1bd852023541f6194954150a3aca9ef37a5ec

SHA512
791b60956f8d4e84f2c13f68f2d5057fee945d46defe213181ee53b62b98116f35f1a46c636d45ddb7be851ead58b9ef34c7197cccd52ebc0d85adf19f72c9fc

Download Submit
C:\Windows\{26F704BD-9878-4954-81AF-6E13B91B4333}.exe

Filesize
216KB

MD5
72845e0fd100bf8fe32757223b939867

SHA1
861c5f835f394c83850c95b11aee4fbf5974b468

SHA256
d10632eb3e3b509197d80d18b7b1bd852023541f6194954150a3aca9ef37a5ec

SHA512
791b60956f8d4e84f2c13f68f2d5057fee945d46defe213181ee53b62b98116f35f1a46c636d45ddb7be851ead58b9ef34c7197cccd52ebc0d85adf19f72c9fc

Download Submit
C:\Windows\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe

Filesize
216KB

MD5
b0df64210b7df3469fcd5f6bcd30b626

SHA1
a67c3d14b179a725954eeb5fd4ba4d60647f55dc

SHA256
9dc707631a043af96cccf72532fa9bee3dbc5ba5a2e75f7f0cb2b5bb675c16ec

SHA512
ef8130f7f5501a8551dd4a005ffc9b161d522bdb7775f63aac7eb62d445d83ebeafc63bcabb16623bcfa4338afdc7eb9903a6d3562a53a33818648384859860a

Download Submit
C:\Windows\{2E793EDE-D4D1-4699-8025-5B8E75C59A1A}.exe

Filesize
216KB

MD5
b0df64210b7df3469fcd5f6bcd30b626

SHA1
a67c3d14b179a725954eeb5fd4ba4d60647f55dc

SHA256
9dc707631a043af96cccf72532fa9bee3dbc5ba5a2e75f7f0cb2b5bb675c16ec

SHA512
ef8130f7f5501a8551dd4a005ffc9b161d522bdb7775f63aac7eb62d445d83ebeafc63bcabb16623bcfa4338afdc7eb9903a6d3562a53a33818648384859860a

Download Submit
C:\Windows\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe

Filesize
216KB

MD5
fb1892a1918b11ef219a5cccc8d2a41e

SHA1
a1b398c077a0f7d2348cb62fece94440963d3cac

SHA256
83772e306360664170eee4418c76850e20af9add11efa84e6b797fbef4054a51

SHA512
4154c6e0963bd26bd010ce91b6ad827bbe2bf19be4f8a7cb0683766345b95d10c8b286de43247da29b579209b51ba7e1791017c18d06983764127385bb6c87cb

Download Submit
C:\Windows\{5F6A1A6F-D5C8-47e3-B0BC-EE0CB0F28116}.exe

Filesize
216KB

MD5
fb1892a1918b11ef219a5cccc8d2a41e

SHA1
a1b398c077a0f7d2348cb62fece94440963d3cac

SHA256
83772e306360664170eee4418c76850e20af9add11efa84e6b797fbef4054a51

SHA512
4154c6e0963bd26bd010ce91b6ad827bbe2bf19be4f8a7cb0683766345b95d10c8b286de43247da29b579209b51ba7e1791017c18d06983764127385bb6c87cb

Download Submit
C:\Windows\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe

Filesize
216KB

MD5
73f723857d195c648c07c2b43d2c062e

SHA1
a1d53a9c93980590d0eae854e65355103b97f759

SHA256
6b6207cc9aa940ba2040f73973d5c2e4d98243599cd4a140ba9086d363f1cc0e

SHA512
7a04fc76044234cd87135ffc555cf8b979b0ae059b0bea090b8e95a3ab67ae0f899e521b51094ceff22d1deae107a2799c013ccf6838fa5cb17ea2dd4ed3ddab

Download Submit
C:\Windows\{67DCB5C0-CC61-4004-9A4B-5EFF0A0A0B26}.exe

Filesize
216KB

MD5
73f723857d195c648c07c2b43d2c062e

SHA1
a1d53a9c93980590d0eae854e65355103b97f759

SHA256
6b6207cc9aa940ba2040f73973d5c2e4d98243599cd4a140ba9086d363f1cc0e

SHA512
7a04fc76044234cd87135ffc555cf8b979b0ae059b0bea090b8e95a3ab67ae0f899e521b51094ceff22d1deae107a2799c013ccf6838fa5cb17ea2dd4ed3ddab

Download Submit
C:\Windows\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe

Filesize
216KB

MD5
c6996341c646bca1a1e4e93789b4385b

SHA1
8d472ae3ad20669411b13fcd8a079a7988004d5d

SHA256
92e4011c62167f46261d7b141571a457285f63df9a4715f4fa4220ae61ca8f8d

SHA512
f79b9121b0381c5f8663a8184674fca012f319148e13eb583ca0f884820fe957aa56b50b1d0eebfba9a83d530e3ccbad17aca14219be6267b4b91bc1616bd410

Download Submit
C:\Windows\{759C3CDB-162B-4eb6-8950-FA07B54AB1CC}.exe

Filesize
216KB

MD5
c6996341c646bca1a1e4e93789b4385b

SHA1
8d472ae3ad20669411b13fcd8a079a7988004d5d

SHA256
92e4011c62167f46261d7b141571a457285f63df9a4715f4fa4220ae61ca8f8d

SHA512
f79b9121b0381c5f8663a8184674fca012f319148e13eb583ca0f884820fe957aa56b50b1d0eebfba9a83d530e3ccbad17aca14219be6267b4b91bc1616bd410

Download Submit
C:\Windows\{82C6FB48-21BC-4297-B77F-874095AC613C}.exe

Filesize
216KB

MD5
4568908a4cf3a71ddb85df565741a4a6

SHA1
32ca33e3a981e4bb5cc94fe9395c5926cc6ee87d

SHA256
293249d6c765db066a212be7e13f01ff7d4c16f67606f8a3b6ceb868014c4f10

SHA512
16a274e447b0096911591ec2e5976039621c76674eb44235a0d13373180fb6b00ceb2ca63477b8bbd444d929fb7ce3ab63e5d0b43a81f2fc8516fbad0d6d3ce6

Download Submit
C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe

Filesize
216KB

MD5
eb1e4f2984c442852b6d7beadce58904

SHA1
3a38908d7867d3a69368e45eade88401cc23a6d3

SHA256
00978afeac5e474e97056ee6caaf26b1d89d5136034027ae664617149ba99b0f

SHA512
130d4fd84f7c673bba8a8e195b166d86ca09d1a549ec48077f3216762ac0b51781709bf063325e0ccce3af5b770dc58e936f0aabde950964bcaf459a7f735518

Download Submit
C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe

Filesize
216KB

MD5
eb1e4f2984c442852b6d7beadce58904

SHA1
3a38908d7867d3a69368e45eade88401cc23a6d3

SHA256
00978afeac5e474e97056ee6caaf26b1d89d5136034027ae664617149ba99b0f

SHA512
130d4fd84f7c673bba8a8e195b166d86ca09d1a549ec48077f3216762ac0b51781709bf063325e0ccce3af5b770dc58e936f0aabde950964bcaf459a7f735518

Download Submit
C:\Windows\{96DB1D99-7C5A-4f99-B898-A09798FD5ACB}.exe

Filesize
216KB

MD5
eb1e4f2984c442852b6d7beadce58904

SHA1
3a38908d7867d3a69368e45eade88401cc23a6d3

SHA256
00978afeac5e474e97056ee6caaf26b1d89d5136034027ae664617149ba99b0f

SHA512
130d4fd84f7c673bba8a8e195b166d86ca09d1a549ec48077f3216762ac0b51781709bf063325e0ccce3af5b770dc58e936f0aabde950964bcaf459a7f735518

Download Submit
C:\Windows\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe

Filesize
216KB

MD5
6da89506698620388c0febff55f11f20

SHA1
db5cac8df1f68fabac2c332c4132be35bbf0099e

SHA256
865b520ebd82e3522001f5ed175e9f025cbb27d3fef34475b3e9b5f639598212

SHA512
a94414111e40c862427d60403c2750bebf4f476f66cff740937f758a0767192d9766470dd6246bc9c39bff236862e0a67b28ad01ec1fb446e2747a4ff85940b9

Download Submit
C:\Windows\{D865FDD0-D906-4f44-BF12-92A1DAFE5A32}.exe

Filesize
216KB

MD5
6da89506698620388c0febff55f11f20

SHA1
db5cac8df1f68fabac2c332c4132be35bbf0099e

SHA256
865b520ebd82e3522001f5ed175e9f025cbb27d3fef34475b3e9b5f639598212

SHA512
a94414111e40c862427d60403c2750bebf4f476f66cff740937f758a0767192d9766470dd6246bc9c39bff236862e0a67b28ad01ec1fb446e2747a4ff85940b9

Download Submit
C:\Windows\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe

Filesize
216KB

MD5
458f01d6dd1868641f4b7d01fb5b8419

SHA1
59eee04e2016431a91bfeeba42f86bbf565afef4

SHA256
b08ac16b7e6444a615c545cbe0135e0680ffbe0de770995d8cc4ac9797356707

SHA512
4b2c2c9ef37cde1f7167777485df7e41b037326e493399e0e39415004d0269283f3705d3927264187c9ec70030370f96f351016f5421203f1bc403a27adfd41f

Download Submit
C:\Windows\{FDFC6A35-6B30-4a75-BA3F-59DAAB87361C}.exe

Filesize
216KB

MD5
458f01d6dd1868641f4b7d01fb5b8419

SHA1
59eee04e2016431a91bfeeba42f86bbf565afef4

SHA256
b08ac16b7e6444a615c545cbe0135e0680ffbe0de770995d8cc4ac9797356707

SHA512
4b2c2c9ef37cde1f7167777485df7e41b037326e493399e0e39415004d0269283f3705d3927264187c9ec70030370f96f351016f5421203f1bc403a27adfd41f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads