33f3012f420d03896de1f6ba231117db7a7969c0129466b3afb484b72287d15e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Size

408KB
MD5

cbe429d5258f2cfdfda4609b421b8eeb
SHA1

7bcef0bb7c7491b82c5777320ea7604c1a9526d4
SHA256

33f3012f420d03896de1f6ba231117db7a7969c0129466b3afb484b72287d15e
SHA512

3ec5c909f156999b3fd29b2191df035b464cbf6de63e0b8bd29bd00e4099fa2a1d208a2938162f53fb39e3055fc92bf0ae817b40685b025ceb19f92b43971ebd
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}\stubpath = "C:\\Windows\\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe"	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AAEF159-A489-4264-AFBC-87DC28D3D694}\stubpath = "C:\\Windows\\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe"	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99EEFB14-B031-4ff1-8829-C5D559D7F364}	{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}	{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}\stubpath = "C:\\Windows\\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe"	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C48485-080F-481d-8C44-4BAF59A00246}\stubpath = "C:\\Windows\\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe"	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26558149-B726-408b-AD2E-4E95E3D3A643}	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AAEF159-A489-4264-AFBC-87DC28D3D694}	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EE1975-4493-45a6-AB06-ED919207DBE7}	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{668F00E4-A064-490f-93F4-0544EDD6A0B3}\stubpath = "C:\\Windows\\{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe"	{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C48485-080F-481d-8C44-4BAF59A00246}	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08396D9C-E107-404d-BFEB-36D9503BA681}\stubpath = "C:\\Windows\\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe"	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26558149-B726-408b-AD2E-4E95E3D3A643}\stubpath = "C:\\Windows\\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe"	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EE1975-4493-45a6-AB06-ED919207DBE7}\stubpath = "C:\\Windows\\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe"	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99EEFB14-B031-4ff1-8829-C5D559D7F364}\stubpath = "C:\\Windows\\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe"	{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}\stubpath = "C:\\Windows\\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe"	{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08396D9C-E107-404d-BFEB-36D9503BA681}	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{668F00E4-A064-490f-93F4-0544EDD6A0B3}	{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}\stubpath = "C:\\Windows\\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe"	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
1452	{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
772	{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
1788	{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
2256	{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
File created	C:\Windows\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe	{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
File created	C:\Windows\{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe	{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
File created	C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
File created	C:\Windows\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
File created	C:\Windows\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
File created	C:\Windows\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
File created	C:\Windows\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
File created	C:\Windows\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
File created	C:\Windows\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
File created	C:\Windows\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe	{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
Token: SeIncBasePriorityPrivilege	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
Token: SeIncBasePriorityPrivilege	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
Token: SeIncBasePriorityPrivilege	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
Token: SeIncBasePriorityPrivilege	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
Token: SeIncBasePriorityPrivilege	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
Token: SeIncBasePriorityPrivilege	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
Token: SeIncBasePriorityPrivilege	1452	{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
Token: SeIncBasePriorityPrivilege	772	{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
Token: SeIncBasePriorityPrivilege	1788	{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2464	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	28
PID 2896 wrote to memory of 2464	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	28
PID 2896 wrote to memory of 2464	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	28
PID 2896 wrote to memory of 2464	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	28
PID 2896 wrote to memory of 2900	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	29
PID 2896 wrote to memory of 2900	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	29
PID 2896 wrote to memory of 2900	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	29
PID 2896 wrote to memory of 2900	2896	cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe	29
PID 2464 wrote to memory of 2736	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	32
PID 2464 wrote to memory of 2736	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	32
PID 2464 wrote to memory of 2736	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	32
PID 2464 wrote to memory of 2736	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	32
PID 2464 wrote to memory of 2724	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	33
PID 2464 wrote to memory of 2724	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	33
PID 2464 wrote to memory of 2724	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	33
PID 2464 wrote to memory of 2724	2464	{08396D9C-E107-404d-BFEB-36D9503BA681}.exe	33
PID 2736 wrote to memory of 2924	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	35
PID 2736 wrote to memory of 2924	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	35
PID 2736 wrote to memory of 2924	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	35
PID 2736 wrote to memory of 2924	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	35
PID 2736 wrote to memory of 2764	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	34
PID 2736 wrote to memory of 2764	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	34
PID 2736 wrote to memory of 2764	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	34
PID 2736 wrote to memory of 2764	2736	{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe	34
PID 2924 wrote to memory of 2716	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	37
PID 2924 wrote to memory of 2716	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	37
PID 2924 wrote to memory of 2716	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	37
PID 2924 wrote to memory of 2716	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	37
PID 2924 wrote to memory of 2776	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	36
PID 2924 wrote to memory of 2776	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	36
PID 2924 wrote to memory of 2776	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	36
PID 2924 wrote to memory of 2776	2924	{C7C48485-080F-481d-8C44-4BAF59A00246}.exe	36
PID 2716 wrote to memory of 1912	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	39
PID 2716 wrote to memory of 1912	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	39
PID 2716 wrote to memory of 1912	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	39
PID 2716 wrote to memory of 1912	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	39
PID 2716 wrote to memory of 2112	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	38
PID 2716 wrote to memory of 2112	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	38
PID 2716 wrote to memory of 2112	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	38
PID 2716 wrote to memory of 2112	2716	{26558149-B726-408b-AD2E-4E95E3D3A643}.exe	38
PID 1912 wrote to memory of 580	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	40
PID 1912 wrote to memory of 580	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	40
PID 1912 wrote to memory of 580	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	40
PID 1912 wrote to memory of 580	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	40
PID 1912 wrote to memory of 436	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	41
PID 1912 wrote to memory of 436	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	41
PID 1912 wrote to memory of 436	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	41
PID 1912 wrote to memory of 436	1912	{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe	41
PID 580 wrote to memory of 1640	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	42
PID 580 wrote to memory of 1640	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	42
PID 580 wrote to memory of 1640	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	42
PID 580 wrote to memory of 1640	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	42
PID 580 wrote to memory of 2684	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	43
PID 580 wrote to memory of 2684	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	43
PID 580 wrote to memory of 2684	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	43
PID 580 wrote to memory of 2684	580	{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe	43
PID 1640 wrote to memory of 1452	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	44
PID 1640 wrote to memory of 1452	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	44
PID 1640 wrote to memory of 1452	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	44
PID 1640 wrote to memory of 1452	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	44
PID 1640 wrote to memory of 1916	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	45
PID 1640 wrote to memory of 1916	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	45
PID 1640 wrote to memory of 1916	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	45
PID 1640 wrote to memory of 1916	1640	{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe	45

C:\Users\Admin\AppData\Local\Temp\cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cbe429d5258f2cfdfda4609b421b8eeb_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
  C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
    C:\Windows\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{638F8~1.EXE > nul
      4⤵
      PID:2764
  - - C:\Windows\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
      C:\Windows\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C48~1.EXE > nul
        5⤵
        
        PID:2776
    - - C:\Windows\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
        
        C:\Windows\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26558~1.EXE > nul
        6⤵
        
        PID:2112
      - C:\Windows\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
        
        C:\Windows\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
        
        C:\Windows\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
        
        C:\Windows\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
        
        C:\Windows\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18EE1~1.EXE > nul
        10⤵
        
        PID:1676
        
        C:\Windows\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
        
        C:\Windows\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99EEF~1.EXE > nul
        11⤵
        
        PID:2024
        
        C:\Windows\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
        
        C:\Windows\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe
        
        C:\Windows\{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CA6~1.EXE > nul
        12⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AAEF~1.EXE > nul
        9⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E62E9~1.EXE > nul
        8⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48A9B~1.EXE > nul
        7⤵
        
        PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08396~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CBE429~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe

Filesize
408KB

MD5
873d51aee70f485dfbb121755b7790f6

SHA1
5b7058a87dcd707a1f29b7fc7968ef474d307f70

SHA256
357f1c9f28aea688f4cd5fafc922acae72260d7f4d82315c0c95f0851acfbe8b

SHA512
7a234bcbc4d18a2bd93d2a35f15f3e03ec2ca0df77e139c07c5c774120c1739adaae7bbb92c8817289244b628ef90e3c9978bb2990c12a19cb381acc050e5e6f

Download Submit
C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe

Filesize
408KB

MD5
873d51aee70f485dfbb121755b7790f6

SHA1
5b7058a87dcd707a1f29b7fc7968ef474d307f70

SHA256
357f1c9f28aea688f4cd5fafc922acae72260d7f4d82315c0c95f0851acfbe8b

SHA512
7a234bcbc4d18a2bd93d2a35f15f3e03ec2ca0df77e139c07c5c774120c1739adaae7bbb92c8817289244b628ef90e3c9978bb2990c12a19cb381acc050e5e6f

Download Submit
C:\Windows\{08396D9C-E107-404d-BFEB-36D9503BA681}.exe

Filesize
408KB

MD5
873d51aee70f485dfbb121755b7790f6

SHA1
5b7058a87dcd707a1f29b7fc7968ef474d307f70

SHA256
357f1c9f28aea688f4cd5fafc922acae72260d7f4d82315c0c95f0851acfbe8b

SHA512
7a234bcbc4d18a2bd93d2a35f15f3e03ec2ca0df77e139c07c5c774120c1739adaae7bbb92c8817289244b628ef90e3c9978bb2990c12a19cb381acc050e5e6f

Download Submit
C:\Windows\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe

Filesize
408KB

MD5
eb5af0efa7dc20c420dba028009c0867

SHA1
4d2d261c5738c429844616e228e11a61da84e688

SHA256
753a6e8c7b84653b59b6e4528fed9076e76eed4a6f780b7e87b5ceff52f3df8e

SHA512
66851ae457c9a14845975a709e52233c4c754babc0b8c9e0407424bc9c1c96f0258c2525d44400556df6dcf54c741e40434825a8e77613091cfa27f90440155d

Download Submit
C:\Windows\{18EE1975-4493-45a6-AB06-ED919207DBE7}.exe

Filesize
408KB

MD5
eb5af0efa7dc20c420dba028009c0867

SHA1
4d2d261c5738c429844616e228e11a61da84e688

SHA256
753a6e8c7b84653b59b6e4528fed9076e76eed4a6f780b7e87b5ceff52f3df8e

SHA512
66851ae457c9a14845975a709e52233c4c754babc0b8c9e0407424bc9c1c96f0258c2525d44400556df6dcf54c741e40434825a8e77613091cfa27f90440155d

Download Submit
C:\Windows\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe

Filesize
408KB

MD5
708d198cf1e27bb1f127e791336f6c9a

SHA1
31a16b69f10133af2d550ee83244b48fec4586ab

SHA256
a120212cb85c55f65889f2a6abf26b184f80420a175e41282a744b916c93f56a

SHA512
501078f47b14ef17a35ffe64872aebd532253258982c8358591e1f938683e1dab977cb7197cbba120989853a1e0da0fab22f79796dca661a54e9c6ab61ed1ad1

Download Submit
C:\Windows\{26558149-B726-408b-AD2E-4E95E3D3A643}.exe

Filesize
408KB

MD5
708d198cf1e27bb1f127e791336f6c9a

SHA1
31a16b69f10133af2d550ee83244b48fec4586ab

SHA256
a120212cb85c55f65889f2a6abf26b184f80420a175e41282a744b916c93f56a

SHA512
501078f47b14ef17a35ffe64872aebd532253258982c8358591e1f938683e1dab977cb7197cbba120989853a1e0da0fab22f79796dca661a54e9c6ab61ed1ad1

Download Submit
C:\Windows\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe

Filesize
408KB

MD5
8deadaf34196ac252e32874fbf4964a0

SHA1
1d2592056f4c6fb4ff3cb4407a8897edad982b66

SHA256
528cf1ebb7a08193747c3540a9e63926229929636407afe325718ffcd64cb9f8

SHA512
cc575cb8a2a066c11adb3778a99661717932f1c243fb7a231aff130d1c00f6c14e152c915688868622c86c9d6598a46ef0caa624dddb5154e9bbe22c58bb40d2

Download Submit
C:\Windows\{3AAEF159-A489-4264-AFBC-87DC28D3D694}.exe

Filesize
408KB

MD5
8deadaf34196ac252e32874fbf4964a0

SHA1
1d2592056f4c6fb4ff3cb4407a8897edad982b66

SHA256
528cf1ebb7a08193747c3540a9e63926229929636407afe325718ffcd64cb9f8

SHA512
cc575cb8a2a066c11adb3778a99661717932f1c243fb7a231aff130d1c00f6c14e152c915688868622c86c9d6598a46ef0caa624dddb5154e9bbe22c58bb40d2

Download Submit
C:\Windows\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe

Filesize
408KB

MD5
0be33623e2910abf09bd50cf568aa32e

SHA1
2ca35b4ad2e6f08e589b28ccc0ebcba97003be7a

SHA256
2d2805678665ce3bf05dbdaeadf1693132eafee3f5cb90906e2047ebbdc5104b

SHA512
9e69a5cb264b78c12c176505509c5207685a48bd907096ac00419093bee6e161970b81848ef1926e32cde71cc48d36185ab343847de9e8e1a33ec2960020f64f

Download Submit
C:\Windows\{48A9BF02-811B-4fa7-835B-0A0FCC5EAEB8}.exe

Filesize
408KB

MD5
0be33623e2910abf09bd50cf568aa32e

SHA1
2ca35b4ad2e6f08e589b28ccc0ebcba97003be7a

SHA256
2d2805678665ce3bf05dbdaeadf1693132eafee3f5cb90906e2047ebbdc5104b

SHA512
9e69a5cb264b78c12c176505509c5207685a48bd907096ac00419093bee6e161970b81848ef1926e32cde71cc48d36185ab343847de9e8e1a33ec2960020f64f

Download Submit
C:\Windows\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe

Filesize
408KB

MD5
789da15302c1b6e85883864b3498140a

SHA1
b2923eca6196e78d4f7a249d37edc8ce64857d8c

SHA256
8ac95aed61dd218661ea9dc376d67009bba172259ddeea486967c0a70f0d2b2b

SHA512
d999e01dcc5de314bfabd41f9b5de7b21c60a54b552770f44882e7a84906e33bc9ee7ec43290d6b39c61917b3a37f0e3b17cc0348dfc7c6f057f9dc6c205385d

Download Submit
C:\Windows\{638F8C9D-ADBD-43a3-979D-D64F5C5DCFEA}.exe

Filesize
408KB

MD5
789da15302c1b6e85883864b3498140a

SHA1
b2923eca6196e78d4f7a249d37edc8ce64857d8c

SHA256
8ac95aed61dd218661ea9dc376d67009bba172259ddeea486967c0a70f0d2b2b

SHA512
d999e01dcc5de314bfabd41f9b5de7b21c60a54b552770f44882e7a84906e33bc9ee7ec43290d6b39c61917b3a37f0e3b17cc0348dfc7c6f057f9dc6c205385d

Download Submit
C:\Windows\{668F00E4-A064-490f-93F4-0544EDD6A0B3}.exe

Filesize
408KB

MD5
0360a175734f88bf37a984b8154ff3b2

SHA1
f2935220c7213709da35045ca4ee57e2d9e0ff65

SHA256
ba57c65380bac74ab8476cd3b52359cf75b12b4a07fac49c13772e7a746664c8

SHA512
38a6eba87c9378e43bbdabbc2c8998560a17dbcbeea14a746ec2e72da94704e3df18a852c66536e881be006fe115f41326540ba22c202ca6fde7072c78c7b2ca

Download Submit
C:\Windows\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe

Filesize
408KB

MD5
c44dcbeeb2bc38c9b3f29709822971ae

SHA1
2242871b4a479dc97e43bbfb99d67a772d2aad6f

SHA256
6caf91c36619903c149b1746e3736600428d5750b880306f2039a59ffe9908c1

SHA512
41c4400be0647999d245623f2691e8783f49931bd262bc587b81cc3cd212751f943bfdfa870f27de2871e35fe513e5bb18bd05a64c33e7d378e1b5be32a6c1e0

Download Submit
C:\Windows\{99EEFB14-B031-4ff1-8829-C5D559D7F364}.exe

Filesize
408KB

MD5
c44dcbeeb2bc38c9b3f29709822971ae

SHA1
2242871b4a479dc97e43bbfb99d67a772d2aad6f

SHA256
6caf91c36619903c149b1746e3736600428d5750b880306f2039a59ffe9908c1

SHA512
41c4400be0647999d245623f2691e8783f49931bd262bc587b81cc3cd212751f943bfdfa870f27de2871e35fe513e5bb18bd05a64c33e7d378e1b5be32a6c1e0

Download Submit
C:\Windows\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe

Filesize
408KB

MD5
d03347968bcfd0fa9cec7df51749abae

SHA1
051425d76977d38d1a4bca96c01bfcbda6ee22c2

SHA256
0a3fc1ac82ba3ea448bf94cd11235b4e69de65b1505116d94aa369594b9afb1a

SHA512
10c837caa7e471bda0184971f842aad85ae1111b1c2acbf1117236841dc93821b91678701d0de69717b6f65e382332a059ac065dab39dd8032540567ded780ea

Download Submit
C:\Windows\{C7C48485-080F-481d-8C44-4BAF59A00246}.exe

Filesize
408KB

MD5
d03347968bcfd0fa9cec7df51749abae

SHA1
051425d76977d38d1a4bca96c01bfcbda6ee22c2

SHA256
0a3fc1ac82ba3ea448bf94cd11235b4e69de65b1505116d94aa369594b9afb1a

SHA512
10c837caa7e471bda0184971f842aad85ae1111b1c2acbf1117236841dc93821b91678701d0de69717b6f65e382332a059ac065dab39dd8032540567ded780ea

Download Submit
C:\Windows\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe

Filesize
408KB

MD5
597ece7457ce536c02cb53b3581ae20f

SHA1
edb233cd2dcba73f521cf044e0df8f107812580f

SHA256
8e971036cc52a1a5c50d7a897b449449fa72fdbd1d3d3f46a26105ab5a145ca2

SHA512
c111731905ca58b696e390d04e6dbc08ec8782d8c705ec9a211284d12008a03f9dff8ee5d2addb8a49dde216d80433e5709c3b0272b90007da9d3cb8ae9c9525

Download Submit
C:\Windows\{E62E9E85-0F57-4713-AD52-92C8BAB750BD}.exe

Filesize
408KB

MD5
597ece7457ce536c02cb53b3581ae20f

SHA1
edb233cd2dcba73f521cf044e0df8f107812580f

SHA256
8e971036cc52a1a5c50d7a897b449449fa72fdbd1d3d3f46a26105ab5a145ca2

SHA512
c111731905ca58b696e390d04e6dbc08ec8782d8c705ec9a211284d12008a03f9dff8ee5d2addb8a49dde216d80433e5709c3b0272b90007da9d3cb8ae9c9525

Download Submit
C:\Windows\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe

Filesize
408KB

MD5
052e68937339fb48697ed182cce089bb

SHA1
074cdaf4c9640d254bd5c4b9f6f3535dae144916

SHA256
6d3ac62eb57450934cca16cb9a03d979641e10df3d4adc2f984dd3c5da7913c0

SHA512
31778c15c27f51eb43c61a8aabf9371d3b4fb3b6fb34b838acc6d79c4ae4f8de7109b66141ab414239c6cabc4e97546bda3288329f3ad75b9800470c003afe16

Download Submit
C:\Windows\{E6CA6707-0412-4c1f-B1A0-1622E2DE37FC}.exe

Filesize
408KB

MD5
052e68937339fb48697ed182cce089bb

SHA1
074cdaf4c9640d254bd5c4b9f6f3535dae144916

SHA256
6d3ac62eb57450934cca16cb9a03d979641e10df3d4adc2f984dd3c5da7913c0

SHA512
31778c15c27f51eb43c61a8aabf9371d3b4fb3b6fb34b838acc6d79c4ae4f8de7109b66141ab414239c6cabc4e97546bda3288329f3ad75b9800470c003afe16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads