5623d1a0d1e53cc40e876b64aa07899a1d9826f8529671a1598e472291b63a01

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
Size

372KB
MD5

6b354713affd78445c196be1768c3ad1
SHA1

1f24a0f49a15f012372ee1966119fea5146fdae9
SHA256

5623d1a0d1e53cc40e876b64aa07899a1d9826f8529671a1598e472291b63a01
SHA512

be7ba0dec3692d5ddbfc7852af791294a069fe8c601d8a4d3658b5e081e3e9dd2a7b7f7cee21c88cce8584d5332d5e3b314ea4a1fcbba44b8f731d66dc0ce1a9
SSDEEP

3072:CEGh0oymlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4584C154-3988-4204-B3E0-2E1930F17634}\stubpath = "C:\\Windows\\{4584C154-3988-4204-B3E0-2E1930F17634}.exe"	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3212AD2-D4D4-4226-A047-95EF8319D324}\stubpath = "C:\\Windows\\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe"	{4584C154-3988-4204-B3E0-2E1930F17634}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8CE870-0C5E-4192-89FB-E3629E67838A}	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8CE870-0C5E-4192-89FB-E3629E67838A}\stubpath = "C:\\Windows\\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe"	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88AFA83A-266D-4053-B8AF-B3C1AB047686}	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E7B690C-04D8-46b4-B90A-E140138D958E}\stubpath = "C:\\Windows\\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe"	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169A0715-C896-491d-8861-3A17B14A08D2}	{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34EC7229-8DB6-4359-B95F-078C1E882371}\stubpath = "C:\\Windows\\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe"	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88AFA83A-266D-4053-B8AF-B3C1AB047686}\stubpath = "C:\\Windows\\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe"	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4584C154-3988-4204-B3E0-2E1930F17634}	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3212AD2-D4D4-4226-A047-95EF8319D324}	{4584C154-3988-4204-B3E0-2E1930F17634}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBF9FE31-114E-46fc-A202-9FD1C5271093}	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBF9FE31-114E-46fc-A202-9FD1C5271093}\stubpath = "C:\\Windows\\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe"	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34EC7229-8DB6-4359-B95F-078C1E882371}	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9460C976-A49D-4722-BDB1-86E66E225B8E}	{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9460C976-A49D-4722-BDB1-86E66E225B8E}\stubpath = "C:\\Windows\\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe"	{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169A0715-C896-491d-8861-3A17B14A08D2}\stubpath = "C:\\Windows\\{169A0715-C896-491d-8861-3A17B14A08D2}.exe"	{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E7B690C-04D8-46b4-B90A-E140138D958E}	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}\stubpath = "C:\\Windows\\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe"	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}\stubpath = "C:\\Windows\\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe"	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
600	{4584C154-3988-4204-B3E0-2E1930F17634}.exe
1176	{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
1500	{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
2168	{169A0715-C896-491d-8861-3A17B14A08D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
File created	C:\Windows\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
File created	C:\Windows\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe	{4584C154-3988-4204-B3E0-2E1930F17634}.exe
File created	C:\Windows\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe	{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
File created	C:\Windows\{169A0715-C896-491d-8861-3A17B14A08D2}.exe	{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
File created	C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
File created	C:\Windows\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
File created	C:\Windows\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
File created	C:\Windows\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
File created	C:\Windows\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
File created	C:\Windows\{4584C154-3988-4204-B3E0-2E1930F17634}.exe	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
Token: SeIncBasePriorityPrivilege	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
Token: SeIncBasePriorityPrivilege	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
Token: SeIncBasePriorityPrivilege	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
Token: SeIncBasePriorityPrivilege	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
Token: SeIncBasePriorityPrivilege	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
Token: SeIncBasePriorityPrivilege	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
Token: SeIncBasePriorityPrivilege	600	{4584C154-3988-4204-B3E0-2E1930F17634}.exe
Token: SeIncBasePriorityPrivilege	1176	{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
Token: SeIncBasePriorityPrivilege	1500	{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1212	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	28
PID 2492 wrote to memory of 1212	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	28
PID 2492 wrote to memory of 1212	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	28
PID 2492 wrote to memory of 1212	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	28
PID 2492 wrote to memory of 1740	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	29
PID 2492 wrote to memory of 1740	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	29
PID 2492 wrote to memory of 1740	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	29
PID 2492 wrote to memory of 1740	2492	6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe	29
PID 1212 wrote to memory of 2524	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	32
PID 1212 wrote to memory of 2524	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	32
PID 1212 wrote to memory of 2524	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	32
PID 1212 wrote to memory of 2524	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	32
PID 1212 wrote to memory of 2844	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	33
PID 1212 wrote to memory of 2844	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	33
PID 1212 wrote to memory of 2844	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	33
PID 1212 wrote to memory of 2844	1212	{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe	33
PID 2524 wrote to memory of 2872	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	34
PID 2524 wrote to memory of 2872	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	34
PID 2524 wrote to memory of 2872	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	34
PID 2524 wrote to memory of 2872	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	34
PID 2524 wrote to memory of 2408	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	35
PID 2524 wrote to memory of 2408	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	35
PID 2524 wrote to memory of 2408	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	35
PID 2524 wrote to memory of 2408	2524	{34EC7229-8DB6-4359-B95F-078C1E882371}.exe	35
PID 2872 wrote to memory of 2772	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	36
PID 2872 wrote to memory of 2772	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	36
PID 2872 wrote to memory of 2772	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	36
PID 2872 wrote to memory of 2772	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	36
PID 2872 wrote to memory of 2956	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	37
PID 2872 wrote to memory of 2956	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	37
PID 2872 wrote to memory of 2956	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	37
PID 2872 wrote to memory of 2956	2872	{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe	37
PID 2772 wrote to memory of 2904	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	38
PID 2772 wrote to memory of 2904	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	38
PID 2772 wrote to memory of 2904	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	38
PID 2772 wrote to memory of 2904	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	38
PID 2772 wrote to memory of 2736	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	39
PID 2772 wrote to memory of 2736	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	39
PID 2772 wrote to memory of 2736	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	39
PID 2772 wrote to memory of 2736	2772	{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe	39
PID 2904 wrote to memory of 2768	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	40
PID 2904 wrote to memory of 2768	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	40
PID 2904 wrote to memory of 2768	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	40
PID 2904 wrote to memory of 2768	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	40
PID 2904 wrote to memory of 2860	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	41
PID 2904 wrote to memory of 2860	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	41
PID 2904 wrote to memory of 2860	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	41
PID 2904 wrote to memory of 2860	2904	{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe	41
PID 2768 wrote to memory of 808	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	43
PID 2768 wrote to memory of 808	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	43
PID 2768 wrote to memory of 808	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	43
PID 2768 wrote to memory of 808	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	43
PID 2768 wrote to memory of 2268	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	42
PID 2768 wrote to memory of 2268	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	42
PID 2768 wrote to memory of 2268	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	42
PID 2768 wrote to memory of 2268	2768	{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe	42
PID 808 wrote to memory of 600	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	44
PID 808 wrote to memory of 600	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	44
PID 808 wrote to memory of 600	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	44
PID 808 wrote to memory of 600	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	44
PID 808 wrote to memory of 544	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	45
PID 808 wrote to memory of 544	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	45
PID 808 wrote to memory of 544	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	45
PID 808 wrote to memory of 544	808	{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe	45

C:\Users\Admin\AppData\Local\Temp\6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6b354713affd78445c196be1768c3ad1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
  C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
    C:\Windows\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
      C:\Windows\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
        
        C:\Windows\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
        
        C:\Windows\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
        
        C:\Windows\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16CD3~1.EXE > nul
        8⤵
        
        PID:2268
        
        C:\Windows\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
        
        C:\Windows\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{4584C154-3988-4204-B3E0-2E1930F17634}.exe
        
        C:\Windows\{4584C154-3988-4204-B3E0-2E1930F17634}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
        
        C:\Windows\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
        
        C:\Windows\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{169A0715-C896-491d-8861-3A17B14A08D2}.exe
        
        C:\Windows\{169A0715-C896-491d-8861-3A17B14A08D2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9460C~1.EXE > nul
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3212~1.EXE > nul
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4584C~1.EXE > nul
        10⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88AFA~1.EXE > nul
        9⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E8CE~1.EXE > nul
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C00~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E7B6~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34EC7~1.EXE > nul
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBF9F~1.EXE > nul
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6B3547~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{169A0715-C896-491d-8861-3A17B14A08D2}.exe

Filesize
372KB

MD5
0cb22b73972a48363dee494b86b5727f

SHA1
14ad395fc0dfc2e10f1ef656a91ecc244db77b08

SHA256
f8cef9c681e6e64cfa1920129e3bf628c2765bb1f12307e1c1898d0dcab1df88

SHA512
4e53dd505e64e13abdba99aba69934e59b13493a9cfcdbf4341a96663937398ac64b783147680bcb54d591c86f3c7d94358fe0a51569bbf39eb42e01b1410ba0

Download Submit
C:\Windows\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe

Filesize
372KB

MD5
0412af2bdb85e590882e504a4438a0f9

SHA1
c2102e1bbddf0ae41377e9af1973605f576deef1

SHA256
f0c65c21ed355c90bacaf64d2e6047e74a5d0f91abeef1c9244814316f95fb52

SHA512
eefbbf3ed876ce46a8474f38fc7dcd0439af63dcebe80466501eac429abd7e7da37f0b333bad5b200587c5c972586af13836d42cede9e7ec79e3ea458741bf67

Download Submit
C:\Windows\{16CD36D5-F9A0-4c0d-B34D-1453B2FA086E}.exe

Filesize
372KB

MD5
0412af2bdb85e590882e504a4438a0f9

SHA1
c2102e1bbddf0ae41377e9af1973605f576deef1

SHA256
f0c65c21ed355c90bacaf64d2e6047e74a5d0f91abeef1c9244814316f95fb52

SHA512
eefbbf3ed876ce46a8474f38fc7dcd0439af63dcebe80466501eac429abd7e7da37f0b333bad5b200587c5c972586af13836d42cede9e7ec79e3ea458741bf67

Download Submit
C:\Windows\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe

Filesize
372KB

MD5
3783ef6788b4642ee05aea24444b4be4

SHA1
5e16ccb8efe67f49ca4d65dc683d67be8bffc364

SHA256
46c94fff08194064c1b10a2542072f95ea53c2c3b6baf74023a3dec250cedd9e

SHA512
ac3e6c2069ac1f565af13ed69581f83f2300a0e105f74d7ac6713a9bde60f42411211812299d4334828abb444b474056e52e8265b565cc3232c30bad2e97f936

Download Submit
C:\Windows\{2E8CE870-0C5E-4192-89FB-E3629E67838A}.exe

Filesize
372KB

MD5
3783ef6788b4642ee05aea24444b4be4

SHA1
5e16ccb8efe67f49ca4d65dc683d67be8bffc364

SHA256
46c94fff08194064c1b10a2542072f95ea53c2c3b6baf74023a3dec250cedd9e

SHA512
ac3e6c2069ac1f565af13ed69581f83f2300a0e105f74d7ac6713a9bde60f42411211812299d4334828abb444b474056e52e8265b565cc3232c30bad2e97f936

Download Submit
C:\Windows\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe

Filesize
372KB

MD5
366052bbb9b9c4c81e90ee40cc24b8ba

SHA1
700de28c851192f742800c84597f875e01cead07

SHA256
57fe89e9c7113e98ae266816a3977a93e0a9fd205a48935e6ec6861e97d3f6cd

SHA512
53267607529df99b536d93e5426806c16e3e5829cc80ba41d9fffc3ea1dd2f6e833b436fb7768ca996b7f5315b1356ade8a10932dc8844b105ab0af5c8d72e96

Download Submit
C:\Windows\{34EC7229-8DB6-4359-B95F-078C1E882371}.exe

Filesize
372KB

MD5
366052bbb9b9c4c81e90ee40cc24b8ba

SHA1
700de28c851192f742800c84597f875e01cead07

SHA256
57fe89e9c7113e98ae266816a3977a93e0a9fd205a48935e6ec6861e97d3f6cd

SHA512
53267607529df99b536d93e5426806c16e3e5829cc80ba41d9fffc3ea1dd2f6e833b436fb7768ca996b7f5315b1356ade8a10932dc8844b105ab0af5c8d72e96

Download Submit
C:\Windows\{4584C154-3988-4204-B3E0-2E1930F17634}.exe

Filesize
372KB

MD5
68e53d763feaff66cb245ffdb1675fb4

SHA1
b2eacfa4132b2686a16c5d80952dce4769f23d24

SHA256
e8b2e2caf4277396f55241168c26fb39bc90f920109d51b86ce869ead5844b03

SHA512
9b6fd0bdda9807cbf717f5149787315d3b25ae66ad37b30693f459e391e580c5b09b908574e59328910df898014e6ba9ea2230b23b44ace521938dbceb5804d4

Download Submit
C:\Windows\{4584C154-3988-4204-B3E0-2E1930F17634}.exe

Filesize
372KB

MD5
68e53d763feaff66cb245ffdb1675fb4

SHA1
b2eacfa4132b2686a16c5d80952dce4769f23d24

SHA256
e8b2e2caf4277396f55241168c26fb39bc90f920109d51b86ce869ead5844b03

SHA512
9b6fd0bdda9807cbf717f5149787315d3b25ae66ad37b30693f459e391e580c5b09b908574e59328910df898014e6ba9ea2230b23b44ace521938dbceb5804d4

Download Submit
C:\Windows\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe

Filesize
372KB

MD5
edb528269bd8340449dd50df9d7cdb7f

SHA1
78ed9c5be5687d4d1b278fae402b1d4a4aaaca19

SHA256
f51e46c1fb7188cad135d93d04c1c917380a0c37d162cb2e3af39f12fe06b91e

SHA512
5f842cb7bf20439020371968a0d243b90e27f4af7cbd2c1423c2c0d2b20f6e6f5815c31a0031f609cde37fc93e737065c2cf86b0f5b6bb9ccd829b41f93dcd16

Download Submit
C:\Windows\{4E7B690C-04D8-46b4-B90A-E140138D958E}.exe

Filesize
372KB

MD5
edb528269bd8340449dd50df9d7cdb7f

SHA1
78ed9c5be5687d4d1b278fae402b1d4a4aaaca19

SHA256
f51e46c1fb7188cad135d93d04c1c917380a0c37d162cb2e3af39f12fe06b91e

SHA512
5f842cb7bf20439020371968a0d243b90e27f4af7cbd2c1423c2c0d2b20f6e6f5815c31a0031f609cde37fc93e737065c2cf86b0f5b6bb9ccd829b41f93dcd16

Download Submit
C:\Windows\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe

Filesize
372KB

MD5
7ea337a77697c800ceb8a91f605ddb85

SHA1
507c78b156b9442393d2fcc3f41e41d013d6523f

SHA256
66b6d91426cee38949ded340a1a80e79983a393a3a9c258d322c05869a2cb8ab

SHA512
659831892241e840d636b5a34fba82139c5d75a1ebe77bf0221ab4f18e8df174d3fa2826c46bb7206ff0c36973128c421e9d75b6d9cf0b1b99d0d4b65b35be16

Download Submit
C:\Windows\{88AFA83A-266D-4053-B8AF-B3C1AB047686}.exe

Filesize
372KB

MD5
7ea337a77697c800ceb8a91f605ddb85

SHA1
507c78b156b9442393d2fcc3f41e41d013d6523f

SHA256
66b6d91426cee38949ded340a1a80e79983a393a3a9c258d322c05869a2cb8ab

SHA512
659831892241e840d636b5a34fba82139c5d75a1ebe77bf0221ab4f18e8df174d3fa2826c46bb7206ff0c36973128c421e9d75b6d9cf0b1b99d0d4b65b35be16

Download Submit
C:\Windows\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe

Filesize
372KB

MD5
35db18eff83e8ef9e2da676220a50685

SHA1
696ddbefdcaa627e90576f934614ecb7633ffb8d

SHA256
14444d36833364a5fc78ff4e897db94fe33a258edcc889fcb1e2d3905ff38a93

SHA512
0a65536dcf18d7f9c2fe7ec985a196c99ea3b29c49a52ea79397dd2e6d4d92a0692a8b59655d4647d6eddff060c5e1cdcb6604ee5a87206ce965d89cd735cb82

Download Submit
C:\Windows\{9460C976-A49D-4722-BDB1-86E66E225B8E}.exe

Filesize
372KB

MD5
35db18eff83e8ef9e2da676220a50685

SHA1
696ddbefdcaa627e90576f934614ecb7633ffb8d

SHA256
14444d36833364a5fc78ff4e897db94fe33a258edcc889fcb1e2d3905ff38a93

SHA512
0a65536dcf18d7f9c2fe7ec985a196c99ea3b29c49a52ea79397dd2e6d4d92a0692a8b59655d4647d6eddff060c5e1cdcb6604ee5a87206ce965d89cd735cb82

Download Submit
C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe

Filesize
372KB

MD5
946da26b028370270d2ea1ff57ee1075

SHA1
f9486d1370555a8761f6949a0bfe9dec281ae7b7

SHA256
fe82a4623a0639c66cf89d86ac3c14d90848cb761ccce0527d702fa9a59cc063

SHA512
99324529725b6087682f1d72be63ab07d756a8cfd02f6110f24e65f504ed9d0eb5406963d11f9b72689ac17cc84d169e0d101f5fa2500f0e298d4d63c0821d8e

Download Submit
C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe

Filesize
372KB

MD5
946da26b028370270d2ea1ff57ee1075

SHA1
f9486d1370555a8761f6949a0bfe9dec281ae7b7

SHA256
fe82a4623a0639c66cf89d86ac3c14d90848cb761ccce0527d702fa9a59cc063

SHA512
99324529725b6087682f1d72be63ab07d756a8cfd02f6110f24e65f504ed9d0eb5406963d11f9b72689ac17cc84d169e0d101f5fa2500f0e298d4d63c0821d8e

Download Submit
C:\Windows\{BBF9FE31-114E-46fc-A202-9FD1C5271093}.exe

Filesize
372KB

MD5
946da26b028370270d2ea1ff57ee1075

SHA1
f9486d1370555a8761f6949a0bfe9dec281ae7b7

SHA256
fe82a4623a0639c66cf89d86ac3c14d90848cb761ccce0527d702fa9a59cc063

SHA512
99324529725b6087682f1d72be63ab07d756a8cfd02f6110f24e65f504ed9d0eb5406963d11f9b72689ac17cc84d169e0d101f5fa2500f0e298d4d63c0821d8e

Download Submit
C:\Windows\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe

Filesize
372KB

MD5
0d4b12e54cc35d1d6338815ced73af6e

SHA1
ee08db847ccd7f140dd0d7d8418d12a8f7c9b173

SHA256
2601d9bcbce7ae0d71ee2e796c90b2ffaffbd1306d7ec7ee8c8b68b188851986

SHA512
dfafc6fc72f44ce68caab21ac9bface5c2573dc8798a5e343f26270491d728fd810af3f4954efe36ce351e21ca2057fcef5f73c888730b84cc03739959e0279d

Download Submit
C:\Windows\{D3212AD2-D4D4-4226-A047-95EF8319D324}.exe

Filesize
372KB

MD5
0d4b12e54cc35d1d6338815ced73af6e

SHA1
ee08db847ccd7f140dd0d7d8418d12a8f7c9b173

SHA256
2601d9bcbce7ae0d71ee2e796c90b2ffaffbd1306d7ec7ee8c8b68b188851986

SHA512
dfafc6fc72f44ce68caab21ac9bface5c2573dc8798a5e343f26270491d728fd810af3f4954efe36ce351e21ca2057fcef5f73c888730b84cc03739959e0279d

Download Submit
C:\Windows\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe

Filesize
372KB

MD5
efd3cde767b1d4f8bcd354c4b139a06d

SHA1
66553d15031bb61a0ad582283fb37cbf166fbe23

SHA256
e363afca930852f51aed84a865975de80f115ab2e1f21ea20960a406c3eeef69

SHA512
449e181f51761eb20e7fcb77ba789d504b8dc6dd42afad0a69740df6f060530771b7c99f9748ad6607ce5f3247823d8f7fb1a66eb5f66469ced1824a3ff12979

Download Submit
C:\Windows\{D7C00096-7C17-44f6-A6AD-B12DC384DED1}.exe

Filesize
372KB

MD5
efd3cde767b1d4f8bcd354c4b139a06d

SHA1
66553d15031bb61a0ad582283fb37cbf166fbe23

SHA256
e363afca930852f51aed84a865975de80f115ab2e1f21ea20960a406c3eeef69

SHA512
449e181f51761eb20e7fcb77ba789d504b8dc6dd42afad0a69740df6f060530771b7c99f9748ad6607ce5f3247823d8f7fb1a66eb5f66469ced1824a3ff12979

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads