8f8bd3fea63ef94319c42a6a349ef9a33ed2a343e6699fd654ad44ec77590265

Analysis

max time kernel
157s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Size

204KB
MD5

1a8c4ebb8bd30f5ab30e947191e6e628
SHA1

ff2f1d81bc80979706a07d7cba115e4912a3f290
SHA256

8f8bd3fea63ef94319c42a6a349ef9a33ed2a343e6699fd654ad44ec77590265
SHA512

880b915f9bc71c5b453c24a0be6558f3280bae27f1e670d5728a11696de92fc88b56d6b9895dcf25e6c4108e192bc857141ea8b22414625a0adb00bf64ac7d18
SSDEEP

1536:1EGh0oal15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oal1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D280F32-7E3D-41f2-989A-42875F140DD4}\stubpath = "C:\\Windows\\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe"	{F4663708-6D9E-407f-B095-4871228D6471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E010750-C229-4f10-B280-46B099117BF1}\stubpath = "C:\\Windows\\{5E010750-C229-4f10-B280-46B099117BF1}.exe"	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}\stubpath = "C:\\Windows\\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe"	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4663708-6D9E-407f-B095-4871228D6471}	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D280F32-7E3D-41f2-989A-42875F140DD4}	{F4663708-6D9E-407f-B095-4871228D6471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46153B01-E772-4e9c-BFC0-16A91D53668E}\stubpath = "C:\\Windows\\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe"	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}\stubpath = "C:\\Windows\\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe"	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65949BD4-56CB-40c9-A686-71A00D6D6781}\stubpath = "C:\\Windows\\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe"	{5E010750-C229-4f10-B280-46B099117BF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40258E0-B69F-4164-A67B-3145D239CCA1}\stubpath = "C:\\Windows\\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe"	{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46153B01-E772-4e9c-BFC0-16A91D53668E}	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E98117-14F4-47bf-B84A-43686F9195F7}	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74E98117-14F4-47bf-B84A-43686F9195F7}\stubpath = "C:\\Windows\\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe"	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}\stubpath = "C:\\Windows\\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe"	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E010750-C229-4f10-B280-46B099117BF1}	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65949BD4-56CB-40c9-A686-71A00D6D6781}	{5E010750-C229-4f10-B280-46B099117BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40258E0-B69F-4164-A67B-3145D239CCA1}	{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4663708-6D9E-407f-B095-4871228D6471}\stubpath = "C:\\Windows\\{F4663708-6D9E-407f-B095-4871228D6471}.exe"	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2571BEB2-5985-49b4-8043-559D4A9A1A28}\stubpath = "C:\\Windows\\{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe"	{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2571BEB2-5985-49b4-8043-559D4A9A1A28}	{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe

Executes dropped EXE 11 IoCs

pid	Process
1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe
2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
2160	{5E010750-C229-4f10-B280-46B099117BF1}.exe
2880	{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
1800	{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe
2012	{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe	{5E010750-C229-4f10-B280-46B099117BF1}.exe
File created	C:\Windows\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe	{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
File created	C:\Windows\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
File created	C:\Windows\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
File created	C:\Windows\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
File created	C:\Windows\{5E010750-C229-4f10-B280-46B099117BF1}.exe	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
File created	C:\Windows\{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe	{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe
File created	C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
File created	C:\Windows\{F4663708-6D9E-407f-B095-4871228D6471}.exe	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
File created	C:\Windows\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	{F4663708-6D9E-407f-B095-4871228D6471}.exe
File created	C:\Windows\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
Token: SeIncBasePriorityPrivilege	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe
Token: SeIncBasePriorityPrivilege	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
Token: SeIncBasePriorityPrivilege	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
Token: SeIncBasePriorityPrivilege	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
Token: SeIncBasePriorityPrivilege	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
Token: SeIncBasePriorityPrivilege	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
Token: SeIncBasePriorityPrivilege	2160	{5E010750-C229-4f10-B280-46B099117BF1}.exe
Token: SeIncBasePriorityPrivilege	2880	{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
Token: SeIncBasePriorityPrivilege	1800	{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1840	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	30
PID 272 wrote to memory of 1840	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	30
PID 272 wrote to memory of 1840	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	30
PID 272 wrote to memory of 1840	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	30
PID 272 wrote to memory of 1660	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	31
PID 272 wrote to memory of 1660	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	31
PID 272 wrote to memory of 1660	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	31
PID 272 wrote to memory of 1660	272	2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe	31
PID 1840 wrote to memory of 2736	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	32
PID 1840 wrote to memory of 2736	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	32
PID 1840 wrote to memory of 2736	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	32
PID 1840 wrote to memory of 2736	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	32
PID 1840 wrote to memory of 2104	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	33
PID 1840 wrote to memory of 2104	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	33
PID 1840 wrote to memory of 2104	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	33
PID 1840 wrote to memory of 2104	1840	{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe	33
PID 2736 wrote to memory of 2096	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	34
PID 2736 wrote to memory of 2096	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	34
PID 2736 wrote to memory of 2096	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	34
PID 2736 wrote to memory of 2096	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	34
PID 2736 wrote to memory of 2688	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	35
PID 2736 wrote to memory of 2688	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	35
PID 2736 wrote to memory of 2688	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	35
PID 2736 wrote to memory of 2688	2736	{F4663708-6D9E-407f-B095-4871228D6471}.exe	35
PID 2096 wrote to memory of 2812	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	36
PID 2096 wrote to memory of 2812	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	36
PID 2096 wrote to memory of 2812	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	36
PID 2096 wrote to memory of 2812	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	36
PID 2096 wrote to memory of 2564	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	37
PID 2096 wrote to memory of 2564	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	37
PID 2096 wrote to memory of 2564	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	37
PID 2096 wrote to memory of 2564	2096	{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe	37
PID 2812 wrote to memory of 2700	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	38
PID 2812 wrote to memory of 2700	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	38
PID 2812 wrote to memory of 2700	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	38
PID 2812 wrote to memory of 2700	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	38
PID 2812 wrote to memory of 2640	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	39
PID 2812 wrote to memory of 2640	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	39
PID 2812 wrote to memory of 2640	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	39
PID 2812 wrote to memory of 2640	2812	{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe	39
PID 2700 wrote to memory of 2548	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	40
PID 2700 wrote to memory of 2548	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	40
PID 2700 wrote to memory of 2548	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	40
PID 2700 wrote to memory of 2548	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	40
PID 2700 wrote to memory of 2780	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	41
PID 2700 wrote to memory of 2780	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	41
PID 2700 wrote to memory of 2780	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	41
PID 2700 wrote to memory of 2780	2700	{74E98117-14F4-47bf-B84A-43686F9195F7}.exe	41
PID 2548 wrote to memory of 2628	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	42
PID 2548 wrote to memory of 2628	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	42
PID 2548 wrote to memory of 2628	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	42
PID 2548 wrote to memory of 2628	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	42
PID 2548 wrote to memory of 2464	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	43
PID 2548 wrote to memory of 2464	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	43
PID 2548 wrote to memory of 2464	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	43
PID 2548 wrote to memory of 2464	2548	{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe	43
PID 2628 wrote to memory of 2160	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	44
PID 2628 wrote to memory of 2160	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	44
PID 2628 wrote to memory of 2160	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	44
PID 2628 wrote to memory of 2160	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	44
PID 2628 wrote to memory of 2536	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	45
PID 2628 wrote to memory of 2536	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	45
PID 2628 wrote to memory of 2536	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	45
PID 2628 wrote to memory of 2536	2628	{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_1a8c4ebb8bd30f5ab30e947191e6e628_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
  C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\{F4663708-6D9E-407f-B095-4871228D6471}.exe
    C:\Windows\{F4663708-6D9E-407f-B095-4871228D6471}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
      C:\Windows\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
        
        C:\Windows\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
        
        C:\Windows\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
        
        C:\Windows\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
        
        C:\Windows\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{5E010750-C229-4f10-B280-46B099117BF1}.exe
        
        C:\Windows\{5E010750-C229-4f10-B280-46B099117BF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
        
        C:\Windows\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe
        
        C:\Windows\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe
        
        C:\Windows\{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe
        12⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4025~1.EXE > nul
        12⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65949~1.EXE > nul
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E010~1.EXE > nul
        10⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF0A1~1.EXE > nul
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDAD6~1.EXE > nul
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74E98~1.EXE > nul
        7⤵
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46153~1.EXE > nul
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D280~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4663~1.EXE > nul
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7569~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2571BEB2-5985-49b4-8043-559D4A9A1A28}.exe

Filesize
204KB

MD5
baa7e163537be9abbbd8222bd7978a20

SHA1
46ba75f8496642d1051ccd8e6550705691e42e5f

SHA256
d1456829d290e4364e3aa0ce544082b3a6163a9ac5faf05fa1a4a3ff2cd35101

SHA512
485738f902993ea96eae742dfe3fe0406f459324dbd8b76e2ca6fd69e6ac139267a0a1ef6e7f6896ffa10031665f482e760ea2d6396e5da184cbb390e3fc0aaa

Download Submit
C:\Windows\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe

Filesize
204KB

MD5
09f6ee193df859504c8ad23d029e7e13

SHA1
84a5cf2bd61596a3791bae99cf664c816d3708f4

SHA256
9511d5504c6cc72eb5f960041bf27e9790a13b8046478c3356e3b396592e4fa2

SHA512
2dd364b3bbf255729e6014a5fac0acaf6c2840b2e2053a30fff5d47b73fa801b4e93b34c24c8c1239b83ad805f5b7a3894ede726c0090335f2a560b91a2d5fa3

Download Submit
C:\Windows\{3D280F32-7E3D-41f2-989A-42875F140DD4}.exe

Filesize
204KB

MD5
09f6ee193df859504c8ad23d029e7e13

SHA1
84a5cf2bd61596a3791bae99cf664c816d3708f4

SHA256
9511d5504c6cc72eb5f960041bf27e9790a13b8046478c3356e3b396592e4fa2

SHA512
2dd364b3bbf255729e6014a5fac0acaf6c2840b2e2053a30fff5d47b73fa801b4e93b34c24c8c1239b83ad805f5b7a3894ede726c0090335f2a560b91a2d5fa3

Download Submit
C:\Windows\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe

Filesize
204KB

MD5
2704c893f18b3fe5b52711f7dac6d9e7

SHA1
811fe52b650f500b99590c76b48d803804ac9e68

SHA256
d6247e6b2f4bf450af8345d151c2ce4a13143a98a9cdac5aea6f2c675de195bf

SHA512
2548e50c1447033bb40a6e955c6001345d03e8591f968a0dc3edf1a170d7a47958e0f11cd30a147cabf62e981caf94bc260af5cf40eceb1317d5ff03ef001725

Download Submit
C:\Windows\{46153B01-E772-4e9c-BFC0-16A91D53668E}.exe

Filesize
204KB

MD5
2704c893f18b3fe5b52711f7dac6d9e7

SHA1
811fe52b650f500b99590c76b48d803804ac9e68

SHA256
d6247e6b2f4bf450af8345d151c2ce4a13143a98a9cdac5aea6f2c675de195bf

SHA512
2548e50c1447033bb40a6e955c6001345d03e8591f968a0dc3edf1a170d7a47958e0f11cd30a147cabf62e981caf94bc260af5cf40eceb1317d5ff03ef001725

Download Submit
C:\Windows\{5E010750-C229-4f10-B280-46B099117BF1}.exe

Filesize
204KB

MD5
fe8d03ca680f990dc59f640f889c51f3

SHA1
6e50fa3631e6ac755881a1df9bf5e6fbbc371157

SHA256
fc0384bce5066d6438b14e26d938622e9bb2a4471dbe549de3bb3400c9b87e7b

SHA512
786c8f52802f619f664348f88fef302542cd9c569a369ec8331fabe7a30c3f18f1c6cef8fb65f3a09b205f54007e7b2e410da4a4942ab3abce798ba81810261e

Download Submit
C:\Windows\{5E010750-C229-4f10-B280-46B099117BF1}.exe

Filesize
204KB

MD5
fe8d03ca680f990dc59f640f889c51f3

SHA1
6e50fa3631e6ac755881a1df9bf5e6fbbc371157

SHA256
fc0384bce5066d6438b14e26d938622e9bb2a4471dbe549de3bb3400c9b87e7b

SHA512
786c8f52802f619f664348f88fef302542cd9c569a369ec8331fabe7a30c3f18f1c6cef8fb65f3a09b205f54007e7b2e410da4a4942ab3abce798ba81810261e

Download Submit
C:\Windows\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe

Filesize
204KB

MD5
12401a0b568643c73c0ba2498ed4af9f

SHA1
8807e326998fb63a410c5e37df9c8ba4c83f775d

SHA256
841be1a5a3ae25376f4a784e4c7075c71a2762aaa3dbc5549743beecd669718e

SHA512
1a207c9eda011bd006de6211b5074c21e702c166a4e645901cc76437259008e2fe2f1d9df55498216e548216987ef9159d8058d4d61e31e7af8e815a77054473

Download Submit
C:\Windows\{65949BD4-56CB-40c9-A686-71A00D6D6781}.exe

Filesize
204KB

MD5
12401a0b568643c73c0ba2498ed4af9f

SHA1
8807e326998fb63a410c5e37df9c8ba4c83f775d

SHA256
841be1a5a3ae25376f4a784e4c7075c71a2762aaa3dbc5549743beecd669718e

SHA512
1a207c9eda011bd006de6211b5074c21e702c166a4e645901cc76437259008e2fe2f1d9df55498216e548216987ef9159d8058d4d61e31e7af8e815a77054473

Download Submit
C:\Windows\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe

Filesize
204KB

MD5
badb3d53536a35bb645002e79bea1d6c

SHA1
42b2da61e17920d6f5c7dda9f193cd82923bcadc

SHA256
85d6a3ef3908e81434a88fdead4df2c157eb01e3b95e77fbb0d66eba7dfb3367

SHA512
1f27292fced5560dd43089d96a71d7c2098d87a4428954388c85295a891b62a673dad2392480279e65fa35cd64078a80754d7ce9b50b5e1564b5de5b99956235

Download Submit
C:\Windows\{74E98117-14F4-47bf-B84A-43686F9195F7}.exe

Filesize
204KB

MD5
badb3d53536a35bb645002e79bea1d6c

SHA1
42b2da61e17920d6f5c7dda9f193cd82923bcadc

SHA256
85d6a3ef3908e81434a88fdead4df2c157eb01e3b95e77fbb0d66eba7dfb3367

SHA512
1f27292fced5560dd43089d96a71d7c2098d87a4428954388c85295a891b62a673dad2392480279e65fa35cd64078a80754d7ce9b50b5e1564b5de5b99956235

Download Submit
C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe

Filesize
204KB

MD5
f408d6be1475b34abb5e28d3a6d0b5f2

SHA1
ccf57a5b9175b3dabd4653c2498bf56b5fd6b076

SHA256
f12b3e2977e2f6f59ad0361292022d83b90ca6082beb748d4c53853c4dceadf9

SHA512
93703a409ba7bc42802b2cfad43560856ac2704a03c1018d63de3954347fe6d580f2f407c486ffbf8e7f9e52bae89fae11c9796ca7b1abdb02e56b40971254b8

Download Submit
C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe

Filesize
204KB

MD5
f408d6be1475b34abb5e28d3a6d0b5f2

SHA1
ccf57a5b9175b3dabd4653c2498bf56b5fd6b076

SHA256
f12b3e2977e2f6f59ad0361292022d83b90ca6082beb748d4c53853c4dceadf9

SHA512
93703a409ba7bc42802b2cfad43560856ac2704a03c1018d63de3954347fe6d580f2f407c486ffbf8e7f9e52bae89fae11c9796ca7b1abdb02e56b40971254b8

Download Submit
C:\Windows\{A75697D7-C9C9-4a05-87FE-AD7B552206B5}.exe

Filesize
204KB

MD5
f408d6be1475b34abb5e28d3a6d0b5f2

SHA1
ccf57a5b9175b3dabd4653c2498bf56b5fd6b076

SHA256
f12b3e2977e2f6f59ad0361292022d83b90ca6082beb748d4c53853c4dceadf9

SHA512
93703a409ba7bc42802b2cfad43560856ac2704a03c1018d63de3954347fe6d580f2f407c486ffbf8e7f9e52bae89fae11c9796ca7b1abdb02e56b40971254b8

Download Submit
C:\Windows\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe

Filesize
204KB

MD5
93e042914d825bd8e2fda0ccf6535755

SHA1
0c4df725aec0fee4add7a1be0faaac2cee6e2223

SHA256
6951c527693b97e238804ad9fe925f2796c2c04b28908ff1d01424af679781e0

SHA512
1afe492bda1de0d3fc0b587ee9bbc713f1b09f98e5827dfab1d488ee236d06aaec68983e5e2998d21365e592675e811361990563ccb5a9f3f7f5428abd4edb69

Download Submit
C:\Windows\{B40258E0-B69F-4164-A67B-3145D239CCA1}.exe

Filesize
204KB

MD5
93e042914d825bd8e2fda0ccf6535755

SHA1
0c4df725aec0fee4add7a1be0faaac2cee6e2223

SHA256
6951c527693b97e238804ad9fe925f2796c2c04b28908ff1d01424af679781e0

SHA512
1afe492bda1de0d3fc0b587ee9bbc713f1b09f98e5827dfab1d488ee236d06aaec68983e5e2998d21365e592675e811361990563ccb5a9f3f7f5428abd4edb69

Download Submit
C:\Windows\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe

Filesize
204KB

MD5
139d60f425907b7a4392a5f39364aaf9

SHA1
bf1d266e2a84d1eadaa747310e918c109da84ad3

SHA256
3df48893a5e7f551a9f998ff7782cfa11e1f4602395b3c976916a2b5db4a1676

SHA512
eae16b4e7c249ffa889da4e9a858dda889b0308c3e429281586ddf9a174cd02ed2f26d0b811df81cadc7c26a2c31ce7f783d0ac649baf35328677d1a47a1e39f

Download Submit
C:\Windows\{BDAD61D1-EFCC-4a3d-8AC5-C64EC9FFC864}.exe

Filesize
204KB

MD5
139d60f425907b7a4392a5f39364aaf9

SHA1
bf1d266e2a84d1eadaa747310e918c109da84ad3

SHA256
3df48893a5e7f551a9f998ff7782cfa11e1f4602395b3c976916a2b5db4a1676

SHA512
eae16b4e7c249ffa889da4e9a858dda889b0308c3e429281586ddf9a174cd02ed2f26d0b811df81cadc7c26a2c31ce7f783d0ac649baf35328677d1a47a1e39f

Download Submit
C:\Windows\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe

Filesize
204KB

MD5
b0c7d52e653b15bf98b1575476c35b1d

SHA1
25105c78244ddc990ec069828b5dd791d64a5f19

SHA256
6d512c7559a8f4b1975925210082c77d33d27928e132309cb54debe5aad9df0c

SHA512
908e66e68e64d2c2dbe49448e90e2aef3026e04aceafa2e15524c26eb7b31db28da43ba60301b4f4872fedd13e6ac740a2eb3fcb88cb2e811922c87eed0be421

Download Submit
C:\Windows\{BF0A1C4B-83F1-4935-82D1-4A6D2822B045}.exe

Filesize
204KB

MD5
b0c7d52e653b15bf98b1575476c35b1d

SHA1
25105c78244ddc990ec069828b5dd791d64a5f19

SHA256
6d512c7559a8f4b1975925210082c77d33d27928e132309cb54debe5aad9df0c

SHA512
908e66e68e64d2c2dbe49448e90e2aef3026e04aceafa2e15524c26eb7b31db28da43ba60301b4f4872fedd13e6ac740a2eb3fcb88cb2e811922c87eed0be421

Download Submit
C:\Windows\{F4663708-6D9E-407f-B095-4871228D6471}.exe

Filesize
204KB

MD5
cf8a31f32245b90dc6772193ce844185

SHA1
e1cba45914106745214eaed72e7a3728cf97cc98

SHA256
d5c189cb59bf48f8c2ae63ca14706242d813f720b45548ccdc3f094569794bda

SHA512
33f838dd8a7d0b748cb9a51abaad3356ee0ff5b78476ce27afcfae4dfe456b16bb3be8398105d5ba2fc41a52cc27fedd45d22040135fbf30ee5c248748b20e47

Download Submit
C:\Windows\{F4663708-6D9E-407f-B095-4871228D6471}.exe

Filesize
204KB

MD5
cf8a31f32245b90dc6772193ce844185

SHA1
e1cba45914106745214eaed72e7a3728cf97cc98

SHA256
d5c189cb59bf48f8c2ae63ca14706242d813f720b45548ccdc3f094569794bda

SHA512
33f838dd8a7d0b748cb9a51abaad3356ee0ff5b78476ce27afcfae4dfe456b16bb3be8398105d5ba2fc41a52cc27fedd45d22040135fbf30ee5c248748b20e47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads