d2134a52967b7957beb0de4d377d15921a752da54bd81500554fce0193c91300

Analysis

max time kernel
100s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
Size

180KB
MD5

47271475eda33586b35a3ba61016602b
SHA1

7f7821fe751ff60a57e0308c75c6df6fbe7d736b
SHA256

d2134a52967b7957beb0de4d377d15921a752da54bd81500554fce0193c91300
SHA512

86227e478d59a8a42418c147c3dda0872285e225ddbd5a1d86a2032afe22497f48b51bb9a2a0ce4ebe16df8b24eac64e265083c278594778dd2516559680e791
SSDEEP

3072:jEGh0ozlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}\stubpath = "C:\\Windows\\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe"	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5229CA-AA00-482c-95B2-897FD48735B9}	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}\stubpath = "C:\\Windows\\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe"	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C127F13F-096A-4991-BC91-25E4270362CF}\stubpath = "C:\\Windows\\{C127F13F-096A-4991-BC91-25E4270362CF}.exe"	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}\stubpath = "C:\\Windows\\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe"	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}\stubpath = "C:\\Windows\\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe"	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}\stubpath = "C:\\Windows\\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe"	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}\stubpath = "C:\\Windows\\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe"	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C127F13F-096A-4991-BC91-25E4270362CF}	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5229CA-AA00-482c-95B2-897FD48735B9}\stubpath = "C:\\Windows\\{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe"	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe

Deletes itself 1 IoCs

pid	Process
1156	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
2988	{C127F13F-096A-4991-BC91-25E4270362CF}.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
File created	C:\Windows\{C127F13F-096A-4991-BC91-25E4270362CF}.exe	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
File created	C:\Windows\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
File created	C:\Windows\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
File created	C:\Windows\{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
File created	C:\Windows\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
File created	C:\Windows\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
File created	C:\Windows\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
Token: SeIncBasePriorityPrivilege	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
Token: SeIncBasePriorityPrivilege	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
Token: SeIncBasePriorityPrivilege	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
Token: SeIncBasePriorityPrivilege	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
Token: SeIncBasePriorityPrivilege	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
Token: SeIncBasePriorityPrivilege	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2000	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	29
PID 2240 wrote to memory of 2000	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	29
PID 2240 wrote to memory of 2000	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	29
PID 2240 wrote to memory of 2000	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	29
PID 2240 wrote to memory of 1156	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	28
PID 2240 wrote to memory of 1156	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	28
PID 2240 wrote to memory of 1156	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	28
PID 2240 wrote to memory of 1156	2240	2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe	28
PID 2000 wrote to memory of 2624	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	31
PID 2000 wrote to memory of 2624	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	31
PID 2000 wrote to memory of 2624	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	31
PID 2000 wrote to memory of 2624	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	31
PID 2000 wrote to memory of 2480	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	30
PID 2000 wrote to memory of 2480	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	30
PID 2000 wrote to memory of 2480	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	30
PID 2000 wrote to memory of 2480	2000	{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe	30
PID 2624 wrote to memory of 2748	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	33
PID 2624 wrote to memory of 2748	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	33
PID 2624 wrote to memory of 2748	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	33
PID 2624 wrote to memory of 2748	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	33
PID 2624 wrote to memory of 2608	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	32
PID 2624 wrote to memory of 2608	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	32
PID 2624 wrote to memory of 2608	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	32
PID 2624 wrote to memory of 2608	2624	{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe	32
PID 2748 wrote to memory of 1236	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	37
PID 2748 wrote to memory of 1236	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	37
PID 2748 wrote to memory of 1236	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	37
PID 2748 wrote to memory of 1236	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	37
PID 2748 wrote to memory of 1916	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	36
PID 2748 wrote to memory of 1916	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	36
PID 2748 wrote to memory of 1916	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	36
PID 2748 wrote to memory of 1916	2748	{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe	36
PID 1236 wrote to memory of 1944	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	39
PID 1236 wrote to memory of 1944	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	39
PID 1236 wrote to memory of 1944	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	39
PID 1236 wrote to memory of 1944	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	39
PID 1236 wrote to memory of 956	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	38
PID 1236 wrote to memory of 956	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	38
PID 1236 wrote to memory of 956	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	38
PID 1236 wrote to memory of 956	1236	{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe	38
PID 1944 wrote to memory of 2460	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	40
PID 1944 wrote to memory of 2460	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	40
PID 1944 wrote to memory of 2460	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	40
PID 1944 wrote to memory of 2460	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	40
PID 1944 wrote to memory of 1912	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	41
PID 1944 wrote to memory of 1912	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	41
PID 1944 wrote to memory of 1912	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	41
PID 1944 wrote to memory of 1912	1944	{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe	41
PID 2460 wrote to memory of 2808	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	43
PID 2460 wrote to memory of 2808	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	43
PID 2460 wrote to memory of 2808	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	43
PID 2460 wrote to memory of 2808	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	43
PID 2460 wrote to memory of 1324	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	42
PID 2460 wrote to memory of 1324	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	42
PID 2460 wrote to memory of 1324	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	42
PID 2460 wrote to memory of 1324	2460	{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe	42
PID 2808 wrote to memory of 2988	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	45
PID 2808 wrote to memory of 2988	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	45
PID 2808 wrote to memory of 2988	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	45
PID 2808 wrote to memory of 2988	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	45
PID 2808 wrote to memory of 2860	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	44
PID 2808 wrote to memory of 2860	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	44
PID 2808 wrote to memory of 2860	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	44
PID 2808 wrote to memory of 2860	2808	{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_47271475eda33586b35a3ba61016602b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1156
- C:\Windows\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
  C:\Windows\{AF8E22F9-21AB-40c0-B3EA-D80C7CBC3FA0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AF8E2~1.EXE > nul
    3⤵
    PID:2480
- - C:\Windows\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
    C:\Windows\{5BB847B5-CFF3-4688-8494-CBEFF02DE89B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB84~1.EXE > nul
      4⤵
      PID:2608
  - - C:\Windows\{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
      C:\Windows\{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B522~1.EXE > nul
        5⤵
        
        PID:1916
    - - C:\Windows\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
        
        C:\Windows\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30FAA~1.EXE > nul
        6⤵
        
        PID:956
      - C:\Windows\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
        
        C:\Windows\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
        
        C:\Windows\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A61D9~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
        
        C:\Windows\{3C52A4FD-E1DF-4445-AB82-FC39B18868E4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C52A~1.EXE > nul
        9⤵
        
        PID:2860
        
        C:\Windows\{C127F13F-096A-4991-BC91-25E4270362CF}.exe
        
        C:\Windows\{C127F13F-096A-4991-BC91-25E4270362CF}.exe
        9⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C127F~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\{6E195AFC-BB24-491b-84CE-2594B88DA888}.exe
        
        C:\Windows\{6E195AFC-BB24-491b-84CE-2594B88DA888}.exe
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E195~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\{27DF2740-6BB0-46f6-B032-50F7D304C981}.exe
        
        C:\Windows\{27DF2740-6BB0-46f6-B032-50F7D304C981}.exe
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27DF2~1.EXE > nul
        12⤵
        
        PID:664
        
        C:\Windows\{000246D9-EBB9-4d37-9FF7-F33387B1EAF6}.exe
        
        C:\Windows\{000246D9-EBB9-4d37-9FF7-F33387B1EAF6}.exe
        12⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8191~1.EXE > nul
        7⤵
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27DF2740-6BB0-46f6-B032-50F7D304C981}.exe

Filesize
25KB

MD5
8074cc8f230ffda208d05c938a348a9c

SHA1
a3d867d4fc2376ada5af22d5916dd9e398781a7d

SHA256
6d6e054e916dd5a5d305eff1d6afc4fe7efb88fe00ca8e73ed24e4ccae30bfcb

SHA512
3ba061a80cae087d9b7449fd3cfcaec1aad618479f102c1041a5042b9ec824d9960bb87f7cd14d09e36d7878f4b875abbf04964b74f689a4a82837823ef09559

Download Submit
C:\Windows\{30FAA2B2-1F2E-47a6-8FE0-98CC0B5D477D}.exe

Filesize
34KB

MD5
5757af8bee81829b56a49e8d56f9889d

SHA1
deda384889c020fee83cbf0f46790c6055c3a507

SHA256
9a29d02f83cd7f0152976f8c006aab482f6dcaeaedc2b4ab0c4ef03a25f1c038

SHA512
1b614fc2f4e3688656d8a452c48803e14637b37ba49e772757e1cc7e1ad8520b30c4cd31c1637ebf3115c890c84d24eaf6c50af11d3bf101ee6c1838946685d7

Download Submit
C:\Windows\{6E195AFC-BB24-491b-84CE-2594B88DA888}.exe

Filesize
17KB

MD5
20b3d4377a7a7fcf955cf97a8531ce54

SHA1
f49eec49e38abca89726745f1a6b3bdd0647614c

SHA256
94495f3fd6adbee1b8e7dc79c8da751e49aad441b59a646a69092cf179bf30b5

SHA512
50325fb37fd3144bbc28ab7876fff61c5a68314738b8e8478605db6877d2d66cf003ef5d0baa34372d0d3d8aa916b11ff3baaaa28b214f548c5cb2f389c854c0

Download Submit
C:\Windows\{8B5229CA-AA00-482c-95B2-897FD48735B9}.exe

Filesize
5KB

MD5
34bc67e64361094aebdf0880ec3a03b9

SHA1
bdd62bd41284d2f325dc7151c4feb3e572e8113f

SHA256
6fdbe4983ec12a214d59949a9281e8956092ce8f026f6852f412f112fbf126e5

SHA512
c72a4da39cf90d30074f185a362d478022bb48d5dd7b358153ce9740a9765d5a54ffb9067caba283de0971900a3bf1e36b3aae224fbf2d172104aaefd33796a0

Download Submit
C:\Windows\{A61D9370-E9D1-4d3e-A762-4782DE30F27C}.exe

Filesize
59KB

MD5
dd9879f44b7d836e7511fa7a03150ecf

SHA1
d2caf6f8b1e89db1badc277031f84d3b05066d9d

SHA256
3eab3eff938782b16cd28a9904d0c0c4727f09959f5cd7f5e0754766303e64e9

SHA512
4d29a3e0f43e63c23735b5410b39f28cf8a1605468becbb5fd5877012077c2fa2489ddd7fa95e24cbb0ac70dfcd3a83b10990931250d6cc30e1899ec6a2b6697

Download Submit
C:\Windows\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe

Filesize
1KB

MD5
4bc0c8a9188ba80b6b1d123f1538b01c

SHA1
f970f1d1eb981593f5dce6c92a843c45a5c93db2

SHA256
8d808b2a37d78acca7fb3cf18ce2a6c378433f6f09a1700955074eec9d0673ec

SHA512
c9ee2ff3915c0df23c16a774bcd2e4a8584e4d938b10e998e95e7095975d88c825c7d1d681916823e64f9076d739769afadff629f6aa608e4e14a41b9d5b5bd4

Download Submit
C:\Windows\{D8191D6A-2E5D-4c5d-9C3B-D8E6B6B41F9C}.exe

Filesize
25KB

MD5
c66a9b2941525ea1cd5ad3601f799f65

SHA1
0cbc706498ad2e287c8424041911f5144f4d1c27

SHA256
b8942843bafaed5f8bcc43c17ac4820f40b8e642faa99855c581cba14b670e2e

SHA512
9c3ac9c3b1cf26fb620ec9547c4e4dbcef56f86365e9e4e9f92a17e4da44e82e8373e1b99590332ef695c9cdb7aca91f643133a012a298021f73d09795e2ee52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads