f8a821f380f93d3e21d31c96746b7d9614bb9b0048b907dd89f3e067ce9b5617

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
Size

216KB
MD5

65c5c6bc30c148833836a4f6c22aaf9f
SHA1

dd31002816d6e6dab9844aa52a2c109b9c4eb4a8
SHA256

f8a821f380f93d3e21d31c96746b7d9614bb9b0048b907dd89f3e067ce9b5617
SHA512

433c747ddd7c20e1c12cec168ba8e711bc72b70a79716a82ffce98409a2e623df86689b8d49fb5141ed1441a4d9d9d717180237c9b61d54f4f92b7f6e6668989
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG7lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}\stubpath = "C:\\Windows\\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe"	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}\stubpath = "C:\\Windows\\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe"	{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}	{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702AB2A5-2EBE-4abc-B07D-F284217D016F}	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}\stubpath = "C:\\Windows\\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe"	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ADB4278-8B3B-447e-8321-57A7D51DC483}\stubpath = "C:\\Windows\\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe"	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}\stubpath = "C:\\Windows\\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe"	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}\stubpath = "C:\\Windows\\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe"	{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}	{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}\stubpath = "C:\\Windows\\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe"	{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}	{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}	{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}\stubpath = "C:\\Windows\\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe"	{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4943B92C-D174-44c2-B185-6BF59711172D}	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4943B92C-D174-44c2-B185-6BF59711172D}\stubpath = "C:\\Windows\\{4943B92C-D174-44c2-B185-6BF59711172D}.exe"	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}	{4943B92C-D174-44c2-B185-6BF59711172D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}\stubpath = "C:\\Windows\\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe"	{4943B92C-D174-44c2-B185-6BF59711172D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{702AB2A5-2EBE-4abc-B07D-F284217D016F}\stubpath = "C:\\Windows\\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe"	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ADB4278-8B3B-447e-8321-57A7D51DC483}	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}\stubpath = "C:\\Windows\\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe"	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe
2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe
2636	{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
1904	{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
928	{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
1800	{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
580	{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe	{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
File created	C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
File created	C:\Windows\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	{4943B92C-D174-44c2-B185-6BF59711172D}.exe
File created	C:\Windows\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
File created	C:\Windows\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
File created	C:\Windows\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe	{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
File created	C:\Windows\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe	{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
File created	C:\Windows\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe	{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
File created	C:\Windows\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
File created	C:\Windows\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
File created	C:\Windows\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
File created	C:\Windows\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe
Token: SeIncBasePriorityPrivilege	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
Token: SeIncBasePriorityPrivilege	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
Token: SeIncBasePriorityPrivilege	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
Token: SeIncBasePriorityPrivilege	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
Token: SeIncBasePriorityPrivilege	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
Token: SeIncBasePriorityPrivilege	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe
Token: SeIncBasePriorityPrivilege	2636	{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
Token: SeIncBasePriorityPrivilege	1904	{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
Token: SeIncBasePriorityPrivilege	928	{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
Token: SeIncBasePriorityPrivilege	1800	{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2608	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	28
PID 1928 wrote to memory of 2608	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	28
PID 1928 wrote to memory of 2608	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	28
PID 1928 wrote to memory of 2608	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	28
PID 1928 wrote to memory of 2708	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	29
PID 1928 wrote to memory of 2708	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	29
PID 1928 wrote to memory of 2708	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	29
PID 1928 wrote to memory of 2708	1928	2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe	29
PID 2608 wrote to memory of 2908	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	30
PID 2608 wrote to memory of 2908	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	30
PID 2608 wrote to memory of 2908	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	30
PID 2608 wrote to memory of 2908	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	30
PID 2608 wrote to memory of 2720	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	31
PID 2608 wrote to memory of 2720	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	31
PID 2608 wrote to memory of 2720	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	31
PID 2608 wrote to memory of 2720	2608	{4943B92C-D174-44c2-B185-6BF59711172D}.exe	31
PID 2908 wrote to memory of 2456	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	34
PID 2908 wrote to memory of 2456	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	34
PID 2908 wrote to memory of 2456	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	34
PID 2908 wrote to memory of 2456	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	34
PID 2908 wrote to memory of 2524	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	35
PID 2908 wrote to memory of 2524	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	35
PID 2908 wrote to memory of 2524	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	35
PID 2908 wrote to memory of 2524	2908	{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe	35
PID 2456 wrote to memory of 2984	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	36
PID 2456 wrote to memory of 2984	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	36
PID 2456 wrote to memory of 2984	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	36
PID 2456 wrote to memory of 2984	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	36
PID 2456 wrote to memory of 2820	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	37
PID 2456 wrote to memory of 2820	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	37
PID 2456 wrote to memory of 2820	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	37
PID 2456 wrote to memory of 2820	2456	{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe	37
PID 2984 wrote to memory of 1644	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	38
PID 2984 wrote to memory of 1644	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	38
PID 2984 wrote to memory of 1644	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	38
PID 2984 wrote to memory of 1644	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	38
PID 2984 wrote to memory of 1884	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	39
PID 2984 wrote to memory of 1884	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	39
PID 2984 wrote to memory of 1884	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	39
PID 2984 wrote to memory of 1884	2984	{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe	39
PID 1644 wrote to memory of 592	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	40
PID 1644 wrote to memory of 592	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	40
PID 1644 wrote to memory of 592	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	40
PID 1644 wrote to memory of 592	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	40
PID 1644 wrote to memory of 2752	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	41
PID 1644 wrote to memory of 2752	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	41
PID 1644 wrote to memory of 2752	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	41
PID 1644 wrote to memory of 2752	1644	{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe	41
PID 592 wrote to memory of 2740	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	42
PID 592 wrote to memory of 2740	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	42
PID 592 wrote to memory of 2740	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	42
PID 592 wrote to memory of 2740	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	42
PID 592 wrote to memory of 2828	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	43
PID 592 wrote to memory of 2828	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	43
PID 592 wrote to memory of 2828	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	43
PID 592 wrote to memory of 2828	592	{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe	43
PID 2740 wrote to memory of 2636	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	44
PID 2740 wrote to memory of 2636	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	44
PID 2740 wrote to memory of 2636	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	44
PID 2740 wrote to memory of 2636	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	44
PID 2740 wrote to memory of 2876	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	45
PID 2740 wrote to memory of 2876	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	45
PID 2740 wrote to memory of 2876	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	45
PID 2740 wrote to memory of 2876	2740	{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_65c5c6bc30c148833836a4f6c22aaf9f_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe
  C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
    C:\Windows\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
      C:\Windows\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
        
        C:\Windows\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
        
        C:\Windows\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
        
        C:\Windows\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe
        
        C:\Windows\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
        
        C:\Windows\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
        
        C:\Windows\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
        
        C:\Windows\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
        
        C:\Windows\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe
        
        C:\Windows\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe
        13⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A8F~1.EXE > nul
        13⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81601~1.EXE > nul
        12⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89A64~1.EXE > nul
        11⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C141~1.EXE > nul
        10⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8000A~1.EXE > nul
        9⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ADB4~1.EXE > nul
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D8A~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{702AB~1.EXE > nul
        6⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD9A~1.EXE > nul
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E77F0~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4943B~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe

Filesize
216KB

MD5
40785cfe8e0458ecd2caf60f062bb00c

SHA1
75d9eb3727d69bb0ccf7c5cb163b72e4ddece1cb

SHA256
c65a79074006c931b28bc8ba341113720eadca108def2c17e210f2c00bdee5b6

SHA512
362698768eb60d79ea0e0eb7a9a93e1a598592e154b9931a9e28776c10fa2d0edd6d11c6741198f47464d4f6ae1f944672dbbf68c5131b0dbd5bc58b5a45cccc

Download Submit
C:\Windows\{04A8F3F6-0CBB-46ec-9CBD-AB5C87CA2C63}.exe

Filesize
216KB

MD5
40785cfe8e0458ecd2caf60f062bb00c

SHA1
75d9eb3727d69bb0ccf7c5cb163b72e4ddece1cb

SHA256
c65a79074006c931b28bc8ba341113720eadca108def2c17e210f2c00bdee5b6

SHA512
362698768eb60d79ea0e0eb7a9a93e1a598592e154b9931a9e28776c10fa2d0edd6d11c6741198f47464d4f6ae1f944672dbbf68c5131b0dbd5bc58b5a45cccc

Download Submit
C:\Windows\{1CA66781-36D8-4461-AC57-534BA0FCDFAB}.exe

Filesize
216KB

MD5
73a465a5af78062cea3744c9e6c5eaae

SHA1
19b0cb9d79b6cf87247e7e5956ca25c964527682

SHA256
ea866db3af5866b4dcbbc780e3fbf465d740f253e7a1bb9dc9bb28bf0fc25d56

SHA512
8d65ee86543589d270572fcc97a441cd1ed9f70b8c73c02c05abb1d16ced451c80929dd292e4575f0b39abe23a95cda207d7bd7580dbd3794edfc632c4a8af73

Download Submit
C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe

Filesize
216KB

MD5
e4c4b640596295fc109ccfca707bfa06

SHA1
777902beeaf179b49497cf11a9ec865a6077c66d

SHA256
f268516889b9834ddadfad42556e38b7dd713188c261855e704845733c0f73d7

SHA512
78857063e15e86d5ff02401fab5c15ad4fb241d878b2da6b65e51a604d510e4122e675a885e03a11762d1cd05b2063c63ea05a6fc34dc53f02b48fa4700760ab

Download Submit
C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe

Filesize
216KB

MD5
e4c4b640596295fc109ccfca707bfa06

SHA1
777902beeaf179b49497cf11a9ec865a6077c66d

SHA256
f268516889b9834ddadfad42556e38b7dd713188c261855e704845733c0f73d7

SHA512
78857063e15e86d5ff02401fab5c15ad4fb241d878b2da6b65e51a604d510e4122e675a885e03a11762d1cd05b2063c63ea05a6fc34dc53f02b48fa4700760ab

Download Submit
C:\Windows\{4943B92C-D174-44c2-B185-6BF59711172D}.exe

Filesize
216KB

MD5
e4c4b640596295fc109ccfca707bfa06

SHA1
777902beeaf179b49497cf11a9ec865a6077c66d

SHA256
f268516889b9834ddadfad42556e38b7dd713188c261855e704845733c0f73d7

SHA512
78857063e15e86d5ff02401fab5c15ad4fb241d878b2da6b65e51a604d510e4122e675a885e03a11762d1cd05b2063c63ea05a6fc34dc53f02b48fa4700760ab

Download Submit
C:\Windows\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe

Filesize
216KB

MD5
bb75d88361bf04aaedd84fffbe415a5e

SHA1
e40cb631a766ecf220e1649ab290270602a02709

SHA256
8abaa4f7acff93faa1814fee62bab017dc3fda4087237655f9d745f9462b1760

SHA512
0b7f8a2b920f5ffa3b2b79b3d6802e537887bf901e5158908080f45457132c986230f287dc829eb14cf6d93835ddbe0c18e84db2426352019fc83edda483a151

Download Submit
C:\Windows\{702AB2A5-2EBE-4abc-B07D-F284217D016F}.exe

Filesize
216KB

MD5
bb75d88361bf04aaedd84fffbe415a5e

SHA1
e40cb631a766ecf220e1649ab290270602a02709

SHA256
8abaa4f7acff93faa1814fee62bab017dc3fda4087237655f9d745f9462b1760

SHA512
0b7f8a2b920f5ffa3b2b79b3d6802e537887bf901e5158908080f45457132c986230f287dc829eb14cf6d93835ddbe0c18e84db2426352019fc83edda483a151

Download Submit
C:\Windows\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe

Filesize
216KB

MD5
26083bb88014f2b67f131be15f8d3bbd

SHA1
7c75126d90ce4337c4cf6fb1bc5f527267d4b9d9

SHA256
4b6e8b255aff676bdfbb27d0f999c168166e5d15354b735fd36958c3836853b9

SHA512
573c02314081f1ac949e07cac2cd63259ff4d34be84a8d6d07da7c18de0eccbf4e026b7d7f29e189e11de85d218d3919b42a0f293926b547f0825159e5fdee56

Download Submit
C:\Windows\{7ADB4278-8B3B-447e-8321-57A7D51DC483}.exe

Filesize
216KB

MD5
26083bb88014f2b67f131be15f8d3bbd

SHA1
7c75126d90ce4337c4cf6fb1bc5f527267d4b9d9

SHA256
4b6e8b255aff676bdfbb27d0f999c168166e5d15354b735fd36958c3836853b9

SHA512
573c02314081f1ac949e07cac2cd63259ff4d34be84a8d6d07da7c18de0eccbf4e026b7d7f29e189e11de85d218d3919b42a0f293926b547f0825159e5fdee56

Download Submit
C:\Windows\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe

Filesize
216KB

MD5
63a8a44a864928ce12336726c16c0e3d

SHA1
cf1940a5a8ce049ca91290c8ebf16ae70de1dd07

SHA256
3552f71b7d2847224b8749ee8bff268bfddfb32ef86620f26cb1c279d5adad6e

SHA512
c7e72816853908d38da356d496965b0ec1628a8b491ef62fef8a797abd6e5020cc524d015e0d5a78e27cf718dd90f9e4e50fab76b23aa9f38413ccff9a2fc4c6

Download Submit
C:\Windows\{7C141AD2-BB28-460e-BB7A-9D6BC779B961}.exe

Filesize
216KB

MD5
63a8a44a864928ce12336726c16c0e3d

SHA1
cf1940a5a8ce049ca91290c8ebf16ae70de1dd07

SHA256
3552f71b7d2847224b8749ee8bff268bfddfb32ef86620f26cb1c279d5adad6e

SHA512
c7e72816853908d38da356d496965b0ec1628a8b491ef62fef8a797abd6e5020cc524d015e0d5a78e27cf718dd90f9e4e50fab76b23aa9f38413ccff9a2fc4c6

Download Submit
C:\Windows\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe

Filesize
216KB

MD5
fa27e881613a8fdc1f92993ff4e21cee

SHA1
f2e7cd79363bcfe76a6c89b742e17736ce35d6ec

SHA256
16ca5f503840b50d1d9e7056f761983102555de6fd738ac688d91838a82fe25d

SHA512
441de3e593162ece88ebd02ca5b05e2a52e8ad2c25347399ae75acfaa25c7abfa0e9575d3308629bc39315b38c2a4895f37bdc303e142dfd25928d8532df0f65

Download Submit
C:\Windows\{8000AEEC-3A4C-4c1b-8DAC-EA6800E1706C}.exe

Filesize
216KB

MD5
fa27e881613a8fdc1f92993ff4e21cee

SHA1
f2e7cd79363bcfe76a6c89b742e17736ce35d6ec

SHA256
16ca5f503840b50d1d9e7056f761983102555de6fd738ac688d91838a82fe25d

SHA512
441de3e593162ece88ebd02ca5b05e2a52e8ad2c25347399ae75acfaa25c7abfa0e9575d3308629bc39315b38c2a4895f37bdc303e142dfd25928d8532df0f65

Download Submit
C:\Windows\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe

Filesize
216KB

MD5
cefe032059f0951a22c4abed14cac187

SHA1
8af35a0332d710c3f7e53ad00cd1934bc8e9a586

SHA256
7ad2742bc47a00b18f23f767620bd85f81e034b006a825aebe331c77f55987ab

SHA512
0e285660b44e13f7f3bb6f9abb62fd54c8102c77886acdbc3098df343e71cad48f0dafba92f2522145ada18b095e5372e01e59b88230fad591bd0e65f96d598a

Download Submit
C:\Windows\{81601EF1-DE2A-402d-9656-37C8D2CBA71F}.exe

Filesize
216KB

MD5
cefe032059f0951a22c4abed14cac187

SHA1
8af35a0332d710c3f7e53ad00cd1934bc8e9a586

SHA256
7ad2742bc47a00b18f23f767620bd85f81e034b006a825aebe331c77f55987ab

SHA512
0e285660b44e13f7f3bb6f9abb62fd54c8102c77886acdbc3098df343e71cad48f0dafba92f2522145ada18b095e5372e01e59b88230fad591bd0e65f96d598a

Download Submit
C:\Windows\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe

Filesize
216KB

MD5
374d7499da37377a6e5286235c7a099c

SHA1
21e397abac0991f0d6931dd4ce0114ddd8ac2c86

SHA256
e109f198be8b52e7b820cbfc95526dac05940427044df0610d9d5e312c332c62

SHA512
324fff833c2cc53056688226289c406fff9992d83dea23041725659dc40f0bede3e6be7a04315b650a0ddc7b6475e57e875dd955c0addc4e9e181e55414735ff

Download Submit
C:\Windows\{89A64E29-E55B-4ac2-809E-B59F2E4DDD0D}.exe

Filesize
216KB

MD5
374d7499da37377a6e5286235c7a099c

SHA1
21e397abac0991f0d6931dd4ce0114ddd8ac2c86

SHA256
e109f198be8b52e7b820cbfc95526dac05940427044df0610d9d5e312c332c62

SHA512
324fff833c2cc53056688226289c406fff9992d83dea23041725659dc40f0bede3e6be7a04315b650a0ddc7b6475e57e875dd955c0addc4e9e181e55414735ff

Download Submit
C:\Windows\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe

Filesize
216KB

MD5
846fbe2cfeb8ce81c32d0a0f5a12ba59

SHA1
b7f19faef81220eaa93bec0652244c3a3cb52b4e

SHA256
f288830bb43f12b0e2adb2bdb9fbb8326de66a2091798490b8d5d7fb66726a2b

SHA512
ab1e9abfa0202251269682f64760a31d3ad031fac01b220041af4ca9168b98c915e9c7e635a7f9d26598f04ee72fb0c8f5ba697a596a36eed944b592ea6ee1db

Download Submit
C:\Windows\{C3D8A95C-ADBF-4d25-8091-37A09DE994AF}.exe

Filesize
216KB

MD5
846fbe2cfeb8ce81c32d0a0f5a12ba59

SHA1
b7f19faef81220eaa93bec0652244c3a3cb52b4e

SHA256
f288830bb43f12b0e2adb2bdb9fbb8326de66a2091798490b8d5d7fb66726a2b

SHA512
ab1e9abfa0202251269682f64760a31d3ad031fac01b220041af4ca9168b98c915e9c7e635a7f9d26598f04ee72fb0c8f5ba697a596a36eed944b592ea6ee1db

Download Submit
C:\Windows\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe

Filesize
216KB

MD5
7f7fc879b64b8bf5f29ecc2f753078f9

SHA1
3eaafc99cf16c25311f59cf6b9b78c3594316b78

SHA256
00c1cd47b2ad296abfcd5ab7f4f945221d105e6ef1f407e268a6c289067369c9

SHA512
722495dd3106545917d79ab163802ce2f08dea0e51fbd9241bc0cf73f30c2c65088240089f3746f5886bd3eb90a543162440618d0601575099a103829154dccd

Download Submit
C:\Windows\{CCD9A0FE-ED5D-4dac-B504-FCD41A108ADA}.exe

Filesize
216KB

MD5
7f7fc879b64b8bf5f29ecc2f753078f9

SHA1
3eaafc99cf16c25311f59cf6b9b78c3594316b78

SHA256
00c1cd47b2ad296abfcd5ab7f4f945221d105e6ef1f407e268a6c289067369c9

SHA512
722495dd3106545917d79ab163802ce2f08dea0e51fbd9241bc0cf73f30c2c65088240089f3746f5886bd3eb90a543162440618d0601575099a103829154dccd

Download Submit
C:\Windows\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe

Filesize
216KB

MD5
412030a25f39c9d480f5d8bab4889eba

SHA1
de8c4166e88ea34a7703a1900e76394385c59b13

SHA256
aba23907c8622a8f1cfb9217c67c90bf64589920cc0a7b7149088500d4c83868

SHA512
b8ffeb112ad39f37d862149777254b28ebe3f094f18f9b5a8ab35a81877b6e4c9da37f8b4c0ae05fcd40eda453486f44174932477b125ed84da60566e7e73bb7

Download Submit
C:\Windows\{E77F05FA-7CDD-4f78-8714-3E35D63F1411}.exe

Filesize
216KB

MD5
412030a25f39c9d480f5d8bab4889eba

SHA1
de8c4166e88ea34a7703a1900e76394385c59b13

SHA256
aba23907c8622a8f1cfb9217c67c90bf64589920cc0a7b7149088500d4c83868

SHA512
b8ffeb112ad39f37d862149777254b28ebe3f094f18f9b5a8ab35a81877b6e4c9da37f8b4c0ae05fcd40eda453486f44174932477b125ed84da60566e7e73bb7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads