e77b268b9b1255d0eacc07b7e9760b9ad3c9a4802127e9fcf5bed640399a318c

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
Size

204KB
MD5

4a1948e3c8ae3826f3ef36f7d4afb07b
SHA1

3a9e15be7c536a899403e0e46165aabe0ca34fa3
SHA256

e77b268b9b1255d0eacc07b7e9760b9ad3c9a4802127e9fcf5bed640399a318c
SHA512

29511d3fa5ad1982911eb7e36aeb8c652efed2cc1dbb3f7417df8893653bc75e842ffe3f495cac92264e9b4e1a16e5b490eacc81726b1e1a7dae2fa498b8cac2
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o1l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A0BFE2-C94A-428b-B00F-A9D897197552}\stubpath = "C:\\Windows\\{B4A0BFE2-C94A-428b-B00F-A9D897197552}.exe"	{E2007519-733D-450a-9CD8-39731184C8A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A828A500-552E-4891-B826-0CDE1AB89A09}	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A45EB99-60D5-4dd7-834A-257C36825481}	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A0BFE2-C94A-428b-B00F-A9D897197552}	{E2007519-733D-450a-9CD8-39731184C8A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18BBDDA4-43F0-4652-8954-4CE50123D590}	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}\stubpath = "C:\\Windows\\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe"	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB0E35F2-1934-4dd1-B722-FBA337658547}	{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB0E35F2-1934-4dd1-B722-FBA337658547}\stubpath = "C:\\Windows\\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe"	{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88651819-9682-42cd-B939-B71CE557A5CB}\stubpath = "C:\\Windows\\{88651819-9682-42cd-B939-B71CE557A5CB}.exe"	{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2007519-733D-450a-9CD8-39731184C8A9}\stubpath = "C:\\Windows\\{E2007519-733D-450a-9CD8-39731184C8A9}.exe"	{88651819-9682-42cd-B939-B71CE557A5CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450BC567-BCC0-4731-A7D6-5507D1E78305}	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450BC567-BCC0-4731-A7D6-5507D1E78305}\stubpath = "C:\\Windows\\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe"	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}\stubpath = "C:\\Windows\\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe"	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}\stubpath = "C:\\Windows\\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe"	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88651819-9682-42cd-B939-B71CE557A5CB}	{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2007519-733D-450a-9CD8-39731184C8A9}	{88651819-9682-42cd-B939-B71CE557A5CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18BBDDA4-43F0-4652-8954-4CE50123D590}\stubpath = "C:\\Windows\\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe"	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A828A500-552E-4891-B826-0CDE1AB89A09}\stubpath = "C:\\Windows\\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe"	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A45EB99-60D5-4dd7-834A-257C36825481}\stubpath = "C:\\Windows\\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe"	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}\stubpath = "C:\\Windows\\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe"	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
1680	{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
2764	{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
2844	{88651819-9682-42cd-B939-B71CE557A5CB}.exe
1620	{E2007519-733D-450a-9CD8-39731184C8A9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
File created	C:\Windows\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
File created	C:\Windows\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
File created	C:\Windows\{88651819-9682-42cd-B939-B71CE557A5CB}.exe	{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
File created	C:\Windows\{E2007519-733D-450a-9CD8-39731184C8A9}.exe	{88651819-9682-42cd-B939-B71CE557A5CB}.exe
File created	C:\Windows\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
File created	C:\Windows\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
File created	C:\Windows\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
File created	C:\Windows\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
File created	C:\Windows\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
File created	C:\Windows\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe	{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
File created	C:\Windows\{B4A0BFE2-C94A-428b-B00F-A9D897197552}.exe	{E2007519-733D-450a-9CD8-39731184C8A9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
Token: SeIncBasePriorityPrivilege	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
Token: SeIncBasePriorityPrivilege	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
Token: SeIncBasePriorityPrivilege	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
Token: SeIncBasePriorityPrivilege	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
Token: SeIncBasePriorityPrivilege	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
Token: SeIncBasePriorityPrivilege	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
Token: SeIncBasePriorityPrivilege	1680	{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
Token: SeIncBasePriorityPrivilege	2764	{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
Token: SeIncBasePriorityPrivilege	2844	{88651819-9682-42cd-B939-B71CE557A5CB}.exe
Token: SeIncBasePriorityPrivilege	1620	{E2007519-733D-450a-9CD8-39731184C8A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2132	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	29
PID 1724 wrote to memory of 2132	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	29
PID 1724 wrote to memory of 2132	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	29
PID 1724 wrote to memory of 2132	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	29
PID 1724 wrote to memory of 2872	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	28
PID 1724 wrote to memory of 2872	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	28
PID 1724 wrote to memory of 2872	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	28
PID 1724 wrote to memory of 2872	1724	2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe	28
PID 2132 wrote to memory of 2768	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	30
PID 2132 wrote to memory of 2768	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	30
PID 2132 wrote to memory of 2768	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	30
PID 2132 wrote to memory of 2768	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	30
PID 2132 wrote to memory of 2628	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	31
PID 2132 wrote to memory of 2628	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	31
PID 2132 wrote to memory of 2628	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	31
PID 2132 wrote to memory of 2628	2132	{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe	31
PID 2768 wrote to memory of 2676	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	35
PID 2768 wrote to memory of 2676	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	35
PID 2768 wrote to memory of 2676	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	35
PID 2768 wrote to memory of 2676	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	35
PID 2768 wrote to memory of 2752	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	34
PID 2768 wrote to memory of 2752	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	34
PID 2768 wrote to memory of 2752	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	34
PID 2768 wrote to memory of 2752	2768	{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe	34
PID 2676 wrote to memory of 2552	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	37
PID 2676 wrote to memory of 2552	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	37
PID 2676 wrote to memory of 2552	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	37
PID 2676 wrote to memory of 2552	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	37
PID 2676 wrote to memory of 2624	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	36
PID 2676 wrote to memory of 2624	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	36
PID 2676 wrote to memory of 2624	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	36
PID 2676 wrote to memory of 2624	2676	{A828A500-552E-4891-B826-0CDE1AB89A09}.exe	36
PID 2552 wrote to memory of 2560	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	39
PID 2552 wrote to memory of 2560	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	39
PID 2552 wrote to memory of 2560	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	39
PID 2552 wrote to memory of 2560	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	39
PID 2552 wrote to memory of 2312	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	38
PID 2552 wrote to memory of 2312	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	38
PID 2552 wrote to memory of 2312	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	38
PID 2552 wrote to memory of 2312	2552	{5A45EB99-60D5-4dd7-834A-257C36825481}.exe	38
PID 2560 wrote to memory of 1120	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	41
PID 2560 wrote to memory of 1120	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	41
PID 2560 wrote to memory of 1120	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	41
PID 2560 wrote to memory of 1120	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	41
PID 2560 wrote to memory of 580	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	40
PID 2560 wrote to memory of 580	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	40
PID 2560 wrote to memory of 580	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	40
PID 2560 wrote to memory of 580	2560	{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe	40
PID 1120 wrote to memory of 1096	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	42
PID 1120 wrote to memory of 1096	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	42
PID 1120 wrote to memory of 1096	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	42
PID 1120 wrote to memory of 1096	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	42
PID 1120 wrote to memory of 1308	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	43
PID 1120 wrote to memory of 1308	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	43
PID 1120 wrote to memory of 1308	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	43
PID 1120 wrote to memory of 1308	1120	{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe	43
PID 1096 wrote to memory of 1680	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	45
PID 1096 wrote to memory of 1680	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	45
PID 1096 wrote to memory of 1680	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	45
PID 1096 wrote to memory of 1680	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	45
PID 1096 wrote to memory of 1672	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	44
PID 1096 wrote to memory of 1672	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	44
PID 1096 wrote to memory of 1672	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	44
PID 1096 wrote to memory of 1672	1096	{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_4a1948e3c8ae3826f3ef36f7d4afb07b_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2872
- C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
  C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
    C:\Windows\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{450BC~1.EXE > nul
      4⤵
      PID:2752
  - - C:\Windows\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
      C:\Windows\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A828A~1.EXE > nul
        5⤵
        
        PID:2624
    - - C:\Windows\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
        
        C:\Windows\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A45E~1.EXE > nul
        6⤵
        
        PID:2312
      - C:\Windows\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
        
        C:\Windows\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFDDD~1.EXE > nul
        7⤵
        
        PID:580
        
        C:\Windows\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
        
        C:\Windows\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
        
        C:\Windows\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24501~1.EXE > nul
        9⤵
        
        PID:1672
        
        C:\Windows\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
        
        C:\Windows\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAB79~1.EXE > nul
        10⤵
        
        PID:2816
        
        C:\Windows\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
        
        C:\Windows\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0E3~1.EXE > nul
        11⤵
        
        PID:2928
        
        C:\Windows\{88651819-9682-42cd-B939-B71CE557A5CB}.exe
        
        C:\Windows\{88651819-9682-42cd-B939-B71CE557A5CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{E2007519-733D-450a-9CD8-39731184C8A9}.exe
        
        C:\Windows\{E2007519-733D-450a-9CD8-39731184C8A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{B4A0BFE2-C94A-428b-B00F-A9D897197552}.exe
        
        C:\Windows\{B4A0BFE2-C94A-428b-B00F-A9D897197552}.exe
        13⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2007~1.EXE > nul
        13⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88651~1.EXE > nul
        12⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE50~1.EXE > nul
        8⤵
        
        PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18BBD~1.EXE > nul
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe

Filesize
204KB

MD5
3e41bfaa1bedb017f1eb308046241c72

SHA1
c0ca0dba984ec87445ba80a1947292e8d3890808

SHA256
190d184adaa8b41e496d271fe6f399ed72170ca05cceb6fd9f18dee192f511e3

SHA512
3db83d8cd7615ab7a0417714803b4445074acdd01e291b8bfd830cdfd5eaba0f65e50239bf5b7ad515b9c515ffe888c8deb8f77b0544d781054b700fc0954cd5

Download Submit
C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe

Filesize
204KB

MD5
3e41bfaa1bedb017f1eb308046241c72

SHA1
c0ca0dba984ec87445ba80a1947292e8d3890808

SHA256
190d184adaa8b41e496d271fe6f399ed72170ca05cceb6fd9f18dee192f511e3

SHA512
3db83d8cd7615ab7a0417714803b4445074acdd01e291b8bfd830cdfd5eaba0f65e50239bf5b7ad515b9c515ffe888c8deb8f77b0544d781054b700fc0954cd5

Download Submit
C:\Windows\{18BBDDA4-43F0-4652-8954-4CE50123D590}.exe

Filesize
204KB

MD5
3e41bfaa1bedb017f1eb308046241c72

SHA1
c0ca0dba984ec87445ba80a1947292e8d3890808

SHA256
190d184adaa8b41e496d271fe6f399ed72170ca05cceb6fd9f18dee192f511e3

SHA512
3db83d8cd7615ab7a0417714803b4445074acdd01e291b8bfd830cdfd5eaba0f65e50239bf5b7ad515b9c515ffe888c8deb8f77b0544d781054b700fc0954cd5

Download Submit
C:\Windows\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe

Filesize
204KB

MD5
58b7c008c68246ed9343cfb3ca05c9eb

SHA1
4dc5cc0967497113a8709ebd8c40f6ef5ca4cd93

SHA256
9e8fc82dd263c8be2eab8c336a0e857572bfc0b9130b1eb2340887b969db8a7f

SHA512
f420d5c96485b8804f061e2a4c36e2c53de57a09ded72564b8a027d4c12ff240a0afd00f769ca1accb7f015a35df1c1463cf8b40ed9f9d56a292d0d005015e89

Download Submit
C:\Windows\{24501F99-F0FE-4c3f-BE27-42C89991AA6D}.exe

Filesize
204KB

MD5
58b7c008c68246ed9343cfb3ca05c9eb

SHA1
4dc5cc0967497113a8709ebd8c40f6ef5ca4cd93

SHA256
9e8fc82dd263c8be2eab8c336a0e857572bfc0b9130b1eb2340887b969db8a7f

SHA512
f420d5c96485b8804f061e2a4c36e2c53de57a09ded72564b8a027d4c12ff240a0afd00f769ca1accb7f015a35df1c1463cf8b40ed9f9d56a292d0d005015e89

Download Submit
C:\Windows\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe

Filesize
204KB

MD5
780c4d84574447a8b747f0399b9a1555

SHA1
2fd6ea55d4d211e1adb199dd7566001aba920494

SHA256
c9266c66d69f522c05d9b3c2e2b08626cff58e6587b3ba6f6de4c636cfe6437d

SHA512
aff0131a24210b1d3c730697fb2d83ace1cb838c6002af64fb932bf8e453ee4c0fa5c25dc56db5bd793e0b97ec179a7f8b3cfdb99ab3165d899655864bb84239

Download Submit
C:\Windows\{450BC567-BCC0-4731-A7D6-5507D1E78305}.exe

Filesize
204KB

MD5
780c4d84574447a8b747f0399b9a1555

SHA1
2fd6ea55d4d211e1adb199dd7566001aba920494

SHA256
c9266c66d69f522c05d9b3c2e2b08626cff58e6587b3ba6f6de4c636cfe6437d

SHA512
aff0131a24210b1d3c730697fb2d83ace1cb838c6002af64fb932bf8e453ee4c0fa5c25dc56db5bd793e0b97ec179a7f8b3cfdb99ab3165d899655864bb84239

Download Submit
C:\Windows\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe

Filesize
204KB

MD5
1cdc0aab6fbe740294e21d5dc4ddd832

SHA1
7740c1a0f6f865757c49dd413433ebfa7352f122

SHA256
7d4d1d2500eab846f2253646a48140006d46c5d6325a057a444ae126a8a81958

SHA512
ecdf34dbd31aca112a97e1c9e10f1daa2128a78a02efdde55db9fb86d633e12e53768321f742261e547a4e0d52fe2c1cabf498bae048c4a4b48c67bb3ae9ecde

Download Submit
C:\Windows\{5A45EB99-60D5-4dd7-834A-257C36825481}.exe

Filesize
204KB

MD5
1cdc0aab6fbe740294e21d5dc4ddd832

SHA1
7740c1a0f6f865757c49dd413433ebfa7352f122

SHA256
7d4d1d2500eab846f2253646a48140006d46c5d6325a057a444ae126a8a81958

SHA512
ecdf34dbd31aca112a97e1c9e10f1daa2128a78a02efdde55db9fb86d633e12e53768321f742261e547a4e0d52fe2c1cabf498bae048c4a4b48c67bb3ae9ecde

Download Submit
C:\Windows\{88651819-9682-42cd-B939-B71CE557A5CB}.exe

Filesize
204KB

MD5
f4d915daa0009cf3f4f3fe65e61bc6a5

SHA1
8abcc058f5d9d6ee6389e636d72e4a54f2d8b681

SHA256
e5d5ad4919a85f993873b8502b8e80ae8aa434e67544097448f024f186341f7c

SHA512
2716c61fd28f9c8d07cfd279f115cc7e362f46b826d08e7c687fed879a912f3beb1109c545531b90e397689d45b5c8d4b54faca82b96efbd2f39e651fd35d0ff

Download Submit
C:\Windows\{88651819-9682-42cd-B939-B71CE557A5CB}.exe

Filesize
204KB

MD5
f4d915daa0009cf3f4f3fe65e61bc6a5

SHA1
8abcc058f5d9d6ee6389e636d72e4a54f2d8b681

SHA256
e5d5ad4919a85f993873b8502b8e80ae8aa434e67544097448f024f186341f7c

SHA512
2716c61fd28f9c8d07cfd279f115cc7e362f46b826d08e7c687fed879a912f3beb1109c545531b90e397689d45b5c8d4b54faca82b96efbd2f39e651fd35d0ff

Download Submit
C:\Windows\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe

Filesize
204KB

MD5
961045fa424819787adb12dccb51c417

SHA1
8ca7794babd86924597706efe940b34e7aec34bc

SHA256
4fed624f3e796f32e654ff4f86129a69c7069e5f78573a78177bd0610f349a3d

SHA512
d5074fafd2d864f289378f563900fdfa0da935bbc50e97234d0006b53976540e48f32783089c945a18e088347c16c186b05fcbb6b2e5b66cb35c215c0fbb0e92

Download Submit
C:\Windows\{8BE50F1A-397A-4cea-A656-03949CD7D9AD}.exe

Filesize
204KB

MD5
961045fa424819787adb12dccb51c417

SHA1
8ca7794babd86924597706efe940b34e7aec34bc

SHA256
4fed624f3e796f32e654ff4f86129a69c7069e5f78573a78177bd0610f349a3d

SHA512
d5074fafd2d864f289378f563900fdfa0da935bbc50e97234d0006b53976540e48f32783089c945a18e088347c16c186b05fcbb6b2e5b66cb35c215c0fbb0e92

Download Submit
C:\Windows\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe

Filesize
204KB

MD5
d387c0346607c1edf81a4610a7900b53

SHA1
a6db858b409a769acdd9cf8d2b1913ecec79062d

SHA256
07687b5ac9dec456fa8c01e64d0c7d6f7605ea2535bf1ffcd8f1e1db63972901

SHA512
b634024264637d75cef49f7d869a09c99c8577ad5b01eaf37d08e23dccd8780f41b91ae5e6b3511a1751b5e4e4358fafee61a09efe69a56625eeaca1c09a0477

Download Submit
C:\Windows\{A828A500-552E-4891-B826-0CDE1AB89A09}.exe

Filesize
204KB

MD5
d387c0346607c1edf81a4610a7900b53

SHA1
a6db858b409a769acdd9cf8d2b1913ecec79062d

SHA256
07687b5ac9dec456fa8c01e64d0c7d6f7605ea2535bf1ffcd8f1e1db63972901

SHA512
b634024264637d75cef49f7d869a09c99c8577ad5b01eaf37d08e23dccd8780f41b91ae5e6b3511a1751b5e4e4358fafee61a09efe69a56625eeaca1c09a0477

Download Submit
C:\Windows\{B4A0BFE2-C94A-428b-B00F-A9D897197552}.exe

Filesize
204KB

MD5
a0fc7b6d95641eab4bcdae89df238054

SHA1
63cb85ee1894fc53c1fdb25805d0d213456ba404

SHA256
655af0fcd7857372e2c40c3b2610e2c606e09bde035d8e15a1f6dae6367cf5c0

SHA512
060fa90d75680861e8cf7873c32342dbc43d5da170c0c318db40775cab9b9c0694f02f1bdc1926ede3bdbe004eb5cc57f42eb954a7789e805a78646474e964a3

Download Submit
C:\Windows\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe

Filesize
204KB

MD5
255b48bf516ddac6e293b6d9004ec0ba

SHA1
e751ced6e3515c054e0b5ebf516f5feb0dfa70b9

SHA256
663394991118a75d61847cb3fa72e30331be5170f6dabe38c4f9c7e8ca3806bb

SHA512
d90ea47c45809d6d4c2b3ce17a1008f53e9a69634b546c89692f0d845e87b2fdef14faeb11a17676932e8d303283f1bee34fc85ca8315e88e48ab2dd29f3ceb7

Download Submit
C:\Windows\{BFDDDDF7-445A-4a58-86EA-9DA607406A37}.exe

Filesize
204KB

MD5
255b48bf516ddac6e293b6d9004ec0ba

SHA1
e751ced6e3515c054e0b5ebf516f5feb0dfa70b9

SHA256
663394991118a75d61847cb3fa72e30331be5170f6dabe38c4f9c7e8ca3806bb

SHA512
d90ea47c45809d6d4c2b3ce17a1008f53e9a69634b546c89692f0d845e87b2fdef14faeb11a17676932e8d303283f1bee34fc85ca8315e88e48ab2dd29f3ceb7

Download Submit
C:\Windows\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe

Filesize
204KB

MD5
c5d0258d8f5a80376aa2bb7d3c6ed669

SHA1
0caca6c0d00bf7b751ed4e21bbdd7c9c6986d1ad

SHA256
217bc48192cadf0943b383fa6ce7c415637a8d56c70ca4c8906acc585a32d2c4

SHA512
90b90c978bbcfcab6e422086b39287e3533a0adcf20faa77487b7267aa29e79e921597002392d2af814a143fd408225a017ed70c9dfb07be8908bf9a5211a947

Download Submit
C:\Windows\{CB0E35F2-1934-4dd1-B722-FBA337658547}.exe

Filesize
204KB

MD5
c5d0258d8f5a80376aa2bb7d3c6ed669

SHA1
0caca6c0d00bf7b751ed4e21bbdd7c9c6986d1ad

SHA256
217bc48192cadf0943b383fa6ce7c415637a8d56c70ca4c8906acc585a32d2c4

SHA512
90b90c978bbcfcab6e422086b39287e3533a0adcf20faa77487b7267aa29e79e921597002392d2af814a143fd408225a017ed70c9dfb07be8908bf9a5211a947

Download Submit
C:\Windows\{E2007519-733D-450a-9CD8-39731184C8A9}.exe

Filesize
204KB

MD5
c5de17f144b238be925f09cd0f8a7c78

SHA1
631343ad459cdfdf9aa4503d6d0b191082e31883

SHA256
76a3cc81f541b815730e7a8b75cb2f3824dcbf65c6a0d9b6e7b198af52ff74e0

SHA512
fc8ee4a3e17e65aea844e0c23bece0fba76bdc2905bb6293a70f9db20e7b1b4bbe63d4e9cbfe29a32d4379cac5ebf6251e64e4bf86a29ea64ea45ab03b6c2dbd

Download Submit
C:\Windows\{E2007519-733D-450a-9CD8-39731184C8A9}.exe

Filesize
204KB

MD5
c5de17f144b238be925f09cd0f8a7c78

SHA1
631343ad459cdfdf9aa4503d6d0b191082e31883

SHA256
76a3cc81f541b815730e7a8b75cb2f3824dcbf65c6a0d9b6e7b198af52ff74e0

SHA512
fc8ee4a3e17e65aea844e0c23bece0fba76bdc2905bb6293a70f9db20e7b1b4bbe63d4e9cbfe29a32d4379cac5ebf6251e64e4bf86a29ea64ea45ab03b6c2dbd

Download Submit
C:\Windows\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe

Filesize
204KB

MD5
4cd8c4e648a7efeaef6f8e1b5dc8fb63

SHA1
c3af0804d44a72ec9c0103d541e35d46c93a3283

SHA256
9ab41e19f9dbd1f280a9e1f71eeb6b7e953e27a96340acd373242acd7d54c3c6

SHA512
7a39556fba1f004f222222620795572369a60239402583f05fa882dca83f2c96252122e8959cc32282724b1df229053c51850bf32a9fe3eed0b582391f131090

Download Submit
C:\Windows\{EAB795DA-6B2B-4ce2-A7A3-E4421C9289BC}.exe

Filesize
204KB

MD5
4cd8c4e648a7efeaef6f8e1b5dc8fb63

SHA1
c3af0804d44a72ec9c0103d541e35d46c93a3283

SHA256
9ab41e19f9dbd1f280a9e1f71eeb6b7e953e27a96340acd373242acd7d54c3c6

SHA512
7a39556fba1f004f222222620795572369a60239402583f05fa882dca83f2c96252122e8959cc32282724b1df229053c51850bf32a9fe3eed0b582391f131090

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads