2f1621bc9621a80034f1de0a0dfdb3da86b7e62e7d757490a9d042cf1685f80d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Size

216KB
MD5

bffb5ff7202677c2cb4c71859f09f901
SHA1

5b9aea3732a0309b1141b563ddc7e7775181c1c1
SHA256

2f1621bc9621a80034f1de0a0dfdb3da86b7e62e7d757490a9d042cf1685f80d
SHA512

9a1e0896ad0caa9bde75f5c6e7aabeefcd77e15d1ec60fbfb728f556c337023fc09e22393b2a08ec2ecd6074457ef824deaf362edba511d141d6d0243c668070
SSDEEP

3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B8B961-2819-42ed-A3DD-60ABC2268065}\stubpath = "C:\\Windows\\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe"	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AEB9FEA-3662-4664-9548-9664D0756731}	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}\stubpath = "C:\\Windows\\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe"	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{503AE69C-BF95-453c-BF58-1898C92982B2}	{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}\stubpath = "C:\\Windows\\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe"	{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{503AE69C-BF95-453c-BF58-1898C92982B2}\stubpath = "C:\\Windows\\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe"	{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}\stubpath = "C:\\Windows\\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe"	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}\stubpath = "C:\\Windows\\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe"	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}\stubpath = "C:\\Windows\\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe"	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AEB9FEA-3662-4664-9548-9664D0756731}\stubpath = "C:\\Windows\\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe"	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}	{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6B8B961-2819-42ed-A3DD-60ABC2268065}	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB32034C-53A0-44d1-95CA-95158E791DE5}\stubpath = "C:\\Windows\\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe"	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}	{503AE69C-BF95-453c-BF58-1898C92982B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}\stubpath = "C:\\Windows\\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe"	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB32034C-53A0-44d1-95CA-95158E791DE5}	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}\stubpath = "C:\\Windows\\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe"	{503AE69C-BF95-453c-BF58-1898C92982B2}.exe

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
2696	{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
1532	{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
2508	{503AE69C-BF95-453c-BF58-1898C92982B2}.exe
2964	{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
File created	C:\Windows\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe	{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
File created	C:\Windows\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe	{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
File created	C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
File created	C:\Windows\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
File created	C:\Windows\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
File created	C:\Windows\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
File created	C:\Windows\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
File created	C:\Windows\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe	{503AE69C-BF95-453c-BF58-1898C92982B2}.exe
File created	C:\Windows\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
File created	C:\Windows\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
Token: SeIncBasePriorityPrivilege	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
Token: SeIncBasePriorityPrivilege	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
Token: SeIncBasePriorityPrivilege	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
Token: SeIncBasePriorityPrivilege	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
Token: SeIncBasePriorityPrivilege	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
Token: SeIncBasePriorityPrivilege	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
Token: SeIncBasePriorityPrivilege	2696	{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
Token: SeIncBasePriorityPrivilege	1532	{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
Token: SeIncBasePriorityPrivilege	2508	{503AE69C-BF95-453c-BF58-1898C92982B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2632	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	28
PID 2084 wrote to memory of 2632	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	28
PID 2084 wrote to memory of 2632	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	28
PID 2084 wrote to memory of 2632	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	28
PID 2084 wrote to memory of 2828	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	29
PID 2084 wrote to memory of 2828	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	29
PID 2084 wrote to memory of 2828	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	29
PID 2084 wrote to memory of 2828	2084	bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe	29
PID 2632 wrote to memory of 2164	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	32
PID 2632 wrote to memory of 2164	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	32
PID 2632 wrote to memory of 2164	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	32
PID 2632 wrote to memory of 2164	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	32
PID 2632 wrote to memory of 2752	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	33
PID 2632 wrote to memory of 2752	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	33
PID 2632 wrote to memory of 2752	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	33
PID 2632 wrote to memory of 2752	2632	{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe	33
PID 2164 wrote to memory of 2856	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	35
PID 2164 wrote to memory of 2856	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	35
PID 2164 wrote to memory of 2856	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	35
PID 2164 wrote to memory of 2856	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	35
PID 2164 wrote to memory of 2832	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	34
PID 2164 wrote to memory of 2832	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	34
PID 2164 wrote to memory of 2832	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	34
PID 2164 wrote to memory of 2832	2164	{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe	34
PID 2856 wrote to memory of 2720	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	37
PID 2856 wrote to memory of 2720	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	37
PID 2856 wrote to memory of 2720	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	37
PID 2856 wrote to memory of 2720	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	37
PID 2856 wrote to memory of 2772	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	36
PID 2856 wrote to memory of 2772	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	36
PID 2856 wrote to memory of 2772	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	36
PID 2856 wrote to memory of 2772	2856	{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe	36
PID 2720 wrote to memory of 2232	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	39
PID 2720 wrote to memory of 2232	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	39
PID 2720 wrote to memory of 2232	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	39
PID 2720 wrote to memory of 2232	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	39
PID 2720 wrote to memory of 2784	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	38
PID 2720 wrote to memory of 2784	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	38
PID 2720 wrote to memory of 2784	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	38
PID 2720 wrote to memory of 2784	2720	{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe	38
PID 2232 wrote to memory of 372	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	41
PID 2232 wrote to memory of 372	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	41
PID 2232 wrote to memory of 372	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	41
PID 2232 wrote to memory of 372	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	41
PID 2232 wrote to memory of 324	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	40
PID 2232 wrote to memory of 324	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	40
PID 2232 wrote to memory of 324	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	40
PID 2232 wrote to memory of 324	2232	{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe	40
PID 372 wrote to memory of 1152	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	42
PID 372 wrote to memory of 1152	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	42
PID 372 wrote to memory of 1152	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	42
PID 372 wrote to memory of 1152	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	42
PID 372 wrote to memory of 108	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	43
PID 372 wrote to memory of 108	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	43
PID 372 wrote to memory of 108	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	43
PID 372 wrote to memory of 108	372	{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe	43
PID 1152 wrote to memory of 2696	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	44
PID 1152 wrote to memory of 2696	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	44
PID 1152 wrote to memory of 2696	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	44
PID 1152 wrote to memory of 2696	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	44
PID 1152 wrote to memory of 1832	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	45
PID 1152 wrote to memory of 1832	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	45
PID 1152 wrote to memory of 1832	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	45
PID 1152 wrote to memory of 1832	1152	{7AEB9FEA-3662-4664-9548-9664D0756731}.exe	45

C:\Users\Admin\AppData\Local\Temp\bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bffb5ff7202677c2cb4c71859f09f901_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
  C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
    C:\Windows\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF8FD~1.EXE > nul
      4⤵
      PID:2832
  - - C:\Windows\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
      C:\Windows\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAEB~1.EXE > nul
        5⤵
        
        PID:2772
    - - C:\Windows\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
        
        C:\Windows\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B8B~1.EXE > nul
        6⤵
        
        PID:2784
      - C:\Windows\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
        
        C:\Windows\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2559~1.EXE > nul
        7⤵
        
        PID:324
        
        C:\Windows\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
        
        C:\Windows\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
        
        C:\Windows\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
        
        C:\Windows\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E9BF~1.EXE > nul
        10⤵
        
        PID:2340
        
        C:\Windows\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
        
        C:\Windows\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe
        
        C:\Windows\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe
        
        C:\Windows\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{503AE~1.EXE > nul
        12⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D035D~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AEB9~1.EXE > nul
        9⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB320~1.EXE > nul
        8⤵
        
        PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A528C~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BFFB5F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe

Filesize
216KB

MD5
6cfad78790231a517909b2acea8d2fec

SHA1
f0b5ac64124221109d408782e2d500abd5fabba6

SHA256
af8fd41b86accf74e33a101fca454365c2531c22d2d39e13365b40f54e889e98

SHA512
012a330d707021ca0ced7c7c5731db65e32af851324882a26fdac66db4b0f573ee6fac41bbffcda1a479326edee8fe115bc3a8da062cb05deb74d09767a70dbd

Download Submit
C:\Windows\{4E9BF1DB-2098-4cbe-B3FE-4820C265F0F5}.exe

Filesize
216KB

MD5
6cfad78790231a517909b2acea8d2fec

SHA1
f0b5ac64124221109d408782e2d500abd5fabba6

SHA256
af8fd41b86accf74e33a101fca454365c2531c22d2d39e13365b40f54e889e98

SHA512
012a330d707021ca0ced7c7c5731db65e32af851324882a26fdac66db4b0f573ee6fac41bbffcda1a479326edee8fe115bc3a8da062cb05deb74d09767a70dbd

Download Submit
C:\Windows\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe

Filesize
216KB

MD5
96dfb5fd89c8e2f819c75f45621074f5

SHA1
003e28592cc315517a90075a079d79f0785a2249

SHA256
23ba6c87a8fcf9e43f6ba58a219e4eaad9eb493e432249c16dd672f1501e6098

SHA512
27ede168fc383c663d30653ae21fef2ce38c7f2598dc4337194357d13ce97d28bf6a68ff0ab2363ebd6dba7df625ab863833f06b1fa6d1e7497a4b94b3be0cd1

Download Submit
C:\Windows\{503AE69C-BF95-453c-BF58-1898C92982B2}.exe

Filesize
216KB

MD5
96dfb5fd89c8e2f819c75f45621074f5

SHA1
003e28592cc315517a90075a079d79f0785a2249

SHA256
23ba6c87a8fcf9e43f6ba58a219e4eaad9eb493e432249c16dd672f1501e6098

SHA512
27ede168fc383c663d30653ae21fef2ce38c7f2598dc4337194357d13ce97d28bf6a68ff0ab2363ebd6dba7df625ab863833f06b1fa6d1e7497a4b94b3be0cd1

Download Submit
C:\Windows\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe

Filesize
216KB

MD5
ffd570e8fd17689b035f531f845d6777

SHA1
277c196e10af220432ec535a80befe4b20477b1b

SHA256
740ef5673d0114b4bd728eb75cb24c225711dd0863b46c6b26c223e3b9a73b5d

SHA512
6119ffd697c8d7c1e97bde10767cd9bc9382033cd1ed01492495534c7a9f665d32676c14cb27e2eb45a8074814b7015e9ba7b01b8765e69c8b0c0aeeb66e6bca

Download Submit
C:\Windows\{7AEB9FEA-3662-4664-9548-9664D0756731}.exe

Filesize
216KB

MD5
ffd570e8fd17689b035f531f845d6777

SHA1
277c196e10af220432ec535a80befe4b20477b1b

SHA256
740ef5673d0114b4bd728eb75cb24c225711dd0863b46c6b26c223e3b9a73b5d

SHA512
6119ffd697c8d7c1e97bde10767cd9bc9382033cd1ed01492495534c7a9f665d32676c14cb27e2eb45a8074814b7015e9ba7b01b8765e69c8b0c0aeeb66e6bca

Download Submit
C:\Windows\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe

Filesize
216KB

MD5
a2d38b4423ba75be88dc88db7e43d9cd

SHA1
d6039d7c66ca15d51419b36ef624332aea8102ae

SHA256
3d4a1c8c2a019075dedfece204cbed7200b84f62dce148cf9a6779aeddbbc3b6

SHA512
819e4ebad7fcd765114ff2b40e995a07a6b2422a46c182fd1e505dbdb2982a77c6776b47e8ff9a520801cfd795fb6d3b0a24eaafba54789da75f4b9a31f65753

Download Submit
C:\Windows\{9FAEB73C-9D2A-4269-92DF-081BCEF0EFE6}.exe

Filesize
216KB

MD5
a2d38b4423ba75be88dc88db7e43d9cd

SHA1
d6039d7c66ca15d51419b36ef624332aea8102ae

SHA256
3d4a1c8c2a019075dedfece204cbed7200b84f62dce148cf9a6779aeddbbc3b6

SHA512
819e4ebad7fcd765114ff2b40e995a07a6b2422a46c182fd1e505dbdb2982a77c6776b47e8ff9a520801cfd795fb6d3b0a24eaafba54789da75f4b9a31f65753

Download Submit
C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe

Filesize
216KB

MD5
582969c4150e581ea253fa6716d5f859

SHA1
9a7cc11986a1ec154f9dcfd3be51ca74048ebbc7

SHA256
41c9a4d625d0fe819134732523fae8828af9f3390d61f0bf6c17db28ab5289fd

SHA512
2aaad812c0022f34e62eebf43797dc954cfcaa33bd906d366f434254adeb72d1ca9dae0c7e66183fdef01d8f57d17c67d8282d8f8f71129398043f0dcc01f428

Download Submit
C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe

Filesize
216KB

MD5
582969c4150e581ea253fa6716d5f859

SHA1
9a7cc11986a1ec154f9dcfd3be51ca74048ebbc7

SHA256
41c9a4d625d0fe819134732523fae8828af9f3390d61f0bf6c17db28ab5289fd

SHA512
2aaad812c0022f34e62eebf43797dc954cfcaa33bd906d366f434254adeb72d1ca9dae0c7e66183fdef01d8f57d17c67d8282d8f8f71129398043f0dcc01f428

Download Submit
C:\Windows\{A528C879-22D1-450c-B465-3DBFE6FB9E3F}.exe

Filesize
216KB

MD5
582969c4150e581ea253fa6716d5f859

SHA1
9a7cc11986a1ec154f9dcfd3be51ca74048ebbc7

SHA256
41c9a4d625d0fe819134732523fae8828af9f3390d61f0bf6c17db28ab5289fd

SHA512
2aaad812c0022f34e62eebf43797dc954cfcaa33bd906d366f434254adeb72d1ca9dae0c7e66183fdef01d8f57d17c67d8282d8f8f71129398043f0dcc01f428

Download Submit
C:\Windows\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe

Filesize
216KB

MD5
aebee0e6a6798cafe442c134cdde09b7

SHA1
e95604566531e1e14b54ff0775a407a9f910e202

SHA256
73784441d90ac7742e0e2a09fa89aeecbb90d625c46fd7219726dc805b959dc6

SHA512
e6d56b33d3eefc78dd4261d0c32389fd3378e7baa15b8ca72d581758a4a4316383139e91e2199987039305c5a88472465cd53e7b952104d8d11c83679e6599c0

Download Submit
C:\Windows\{B2559E7E-8DAC-4dd2-B579-109884CBA50C}.exe

Filesize
216KB

MD5
aebee0e6a6798cafe442c134cdde09b7

SHA1
e95604566531e1e14b54ff0775a407a9f910e202

SHA256
73784441d90ac7742e0e2a09fa89aeecbb90d625c46fd7219726dc805b959dc6

SHA512
e6d56b33d3eefc78dd4261d0c32389fd3378e7baa15b8ca72d581758a4a4316383139e91e2199987039305c5a88472465cd53e7b952104d8d11c83679e6599c0

Download Submit
C:\Windows\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe

Filesize
216KB

MD5
aadd8b0421cbbb373f9a622ae0a1e623

SHA1
d66499774ded905ffde6337fdcb0285170a324f7

SHA256
b8b454f1c4bb2348eaf0d5a828af261a35037102862569f8c8be58958af12a3a

SHA512
fe9df4007ad979ed122fde8c096897b3ca4f4583d509ab8aa009df5a7f6f88e4b89e3b3f8757e020405dc411e14f6e45cc49b3f6c581913f31e0571ea3072e1b

Download Submit
C:\Windows\{BF8FD7AC-C1B0-4c61-964C-AF6C850F2A45}.exe

Filesize
216KB

MD5
aadd8b0421cbbb373f9a622ae0a1e623

SHA1
d66499774ded905ffde6337fdcb0285170a324f7

SHA256
b8b454f1c4bb2348eaf0d5a828af261a35037102862569f8c8be58958af12a3a

SHA512
fe9df4007ad979ed122fde8c096897b3ca4f4583d509ab8aa009df5a7f6f88e4b89e3b3f8757e020405dc411e14f6e45cc49b3f6c581913f31e0571ea3072e1b

Download Submit
C:\Windows\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe

Filesize
216KB

MD5
f993f9e048ae82250bd797cadf9b87da

SHA1
670eacf261c4d5fcf7c3fa3790534bd51b52bc6d

SHA256
b3ad0c652c0dc48e7c61b0353ca8df845738b56b935055a6140bcf51b2d5ac72

SHA512
f66ec827458139264222c958cb72ef4d5270fd3fd34f5e617162ad683c67a28c8a09c74e5a38217ec5dbcb4fe267172099687c337411a08b38018ac99022ce19

Download Submit
C:\Windows\{D035D6F4-6E51-4d0c-A80F-BE18423F613D}.exe

Filesize
216KB

MD5
f993f9e048ae82250bd797cadf9b87da

SHA1
670eacf261c4d5fcf7c3fa3790534bd51b52bc6d

SHA256
b3ad0c652c0dc48e7c61b0353ca8df845738b56b935055a6140bcf51b2d5ac72

SHA512
f66ec827458139264222c958cb72ef4d5270fd3fd34f5e617162ad683c67a28c8a09c74e5a38217ec5dbcb4fe267172099687c337411a08b38018ac99022ce19

Download Submit
C:\Windows\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe

Filesize
216KB

MD5
35297aa054b13598e8c3b4d2e2473d92

SHA1
35ef41fa04c9addd99cfcb9d1fecd9b20bdabfcd

SHA256
d292f19e177b61c763c1591fadc4acd832a62740cbdfe026f2e95c3aa3aab626

SHA512
731ec619234e4abb06d1eb5c2214dbed1cdb652153ed99b212f0fb254db3db9585dd35913aef3995960f79e21670522cdf48c1573ecdcb90fdaeb978a3c025e7

Download Submit
C:\Windows\{D6B8B961-2819-42ed-A3DD-60ABC2268065}.exe

Filesize
216KB

MD5
35297aa054b13598e8c3b4d2e2473d92

SHA1
35ef41fa04c9addd99cfcb9d1fecd9b20bdabfcd

SHA256
d292f19e177b61c763c1591fadc4acd832a62740cbdfe026f2e95c3aa3aab626

SHA512
731ec619234e4abb06d1eb5c2214dbed1cdb652153ed99b212f0fb254db3db9585dd35913aef3995960f79e21670522cdf48c1573ecdcb90fdaeb978a3c025e7

Download Submit
C:\Windows\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe

Filesize
216KB

MD5
8e5638a064484b1aa8e5a5ccf3aac555

SHA1
97b13dda7dce34e5cb7e5323848035bed228a1ca

SHA256
c722ba7d100279f4f28cb2d976cbb82cd1027b8f7d651d75a2260df21482c51c

SHA512
ba5bd8f39f5c65cd2332f52e384681965da49e8042c9a33d8f36b514c2b960ae93e55195e1d083823a4d2032609859ae64cc6ae3d2b777fb591bbece1c8c7e3a

Download Submit
C:\Windows\{EB32034C-53A0-44d1-95CA-95158E791DE5}.exe

Filesize
216KB

MD5
8e5638a064484b1aa8e5a5ccf3aac555

SHA1
97b13dda7dce34e5cb7e5323848035bed228a1ca

SHA256
c722ba7d100279f4f28cb2d976cbb82cd1027b8f7d651d75a2260df21482c51c

SHA512
ba5bd8f39f5c65cd2332f52e384681965da49e8042c9a33d8f36b514c2b960ae93e55195e1d083823a4d2032609859ae64cc6ae3d2b777fb591bbece1c8c7e3a

Download Submit
C:\Windows\{F160C7D6-1F39-422e-A8F0-7924D785CA9F}.exe

Filesize
216KB

MD5
a77a9246acb6e251bf59944a2e4476ec

SHA1
52681642c3d63a4eb6f37cb12c413b145e64170f

SHA256
e6f7c7a6ee547625d4346e40b5a64a4921b6f2f91d5c30286da92bb0aca41ebb

SHA512
6b915db9d4c6f3b3a06c461a331f9f02ee5564b2f148cd1f395ceb00294cf9676d1e2486fefd3f564db684772d0614ba6e3bb63f314e52c7b2773292b13ddf93

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads