491c5eb2efe35e6a0fa840b2e919f3fbb6654465c57e6f763c3f4d688a2c279a

Analysis

max time kernel
112s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Size

408KB
MD5

a2fb72ace11abef6a1d5371f4ae710c9
SHA1

32b060e6de11bc2dc4ec1cd174052c32a8dbbc7f
SHA256

491c5eb2efe35e6a0fa840b2e919f3fbb6654465c57e6f763c3f4d688a2c279a
SHA512

18fc70c53a68bbee7be6ca31752993350da42f51f0775e36ca349aabc94c7dbdc51c7e771d6a229e5136849a1456eeafb484825eaf7042e71066e23455bb4c50
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06421409-8784-47de-938D-F07081CC1547}\stubpath = "C:\\Windows\\{06421409-8784-47de-938D-F07081CC1547}.exe"	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D239DF4-233B-47cf-986F-1A98247E23DF}	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}\stubpath = "C:\\Windows\\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe"	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9A504C-67BC-452b-943E-4ADCD79699F4}	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}\stubpath = "C:\\Windows\\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe"	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342952FB-54A3-4597-BC8C-C6AB28008226}	{9D708B93-386F-43bb-969C-B2DE84409139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}	{06421409-8784-47de-938D-F07081CC1547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}\stubpath = "C:\\Windows\\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe"	{06421409-8784-47de-938D-F07081CC1547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9A504C-67BC-452b-943E-4ADCD79699F4}\stubpath = "C:\\Windows\\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe"	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D708B93-386F-43bb-969C-B2DE84409139}	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D708B93-386F-43bb-969C-B2DE84409139}\stubpath = "C:\\Windows\\{9D708B93-386F-43bb-969C-B2DE84409139}.exe"	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}\stubpath = "C:\\Windows\\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}.exe"	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342952FB-54A3-4597-BC8C-C6AB28008226}\stubpath = "C:\\Windows\\{342952FB-54A3-4597-BC8C-C6AB28008226}.exe"	{9D708B93-386F-43bb-969C-B2DE84409139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06421409-8784-47de-938D-F07081CC1547}	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D239DF4-233B-47cf-986F-1A98247E23DF}\stubpath = "C:\\Windows\\{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe"	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe

Executes dropped EXE 9 IoCs

pid	Process
1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe
4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
1356	{06421409-8784-47de-938D-F07081CC1547}.exe
4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
3156	{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
File created	C:\Windows\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}.exe	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
File created	C:\Windows\{9D708B93-386F-43bb-969C-B2DE84409139}.exe	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
File created	C:\Windows\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
File created	C:\Windows\{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	{9D708B93-386F-43bb-969C-B2DE84409139}.exe
File created	C:\Windows\{06421409-8784-47de-938D-F07081CC1547}.exe	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
File created	C:\Windows\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	{06421409-8784-47de-938D-F07081CC1547}.exe
File created	C:\Windows\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
File created	C:\Windows\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
Token: SeIncBasePriorityPrivilege	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
Token: SeIncBasePriorityPrivilege	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe
Token: SeIncBasePriorityPrivilege	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
Token: SeIncBasePriorityPrivilege	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
Token: SeIncBasePriorityPrivilege	1356	{06421409-8784-47de-938D-F07081CC1547}.exe
Token: SeIncBasePriorityPrivilege	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
Token: SeIncBasePriorityPrivilege	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 1844	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	101
PID 4520 wrote to memory of 1844	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	101
PID 4520 wrote to memory of 1844	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	101
PID 4520 wrote to memory of 3572	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	100
PID 4520 wrote to memory of 3572	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	100
PID 4520 wrote to memory of 3572	4520	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	100
PID 1844 wrote to memory of 2960	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	103
PID 1844 wrote to memory of 2960	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	103
PID 1844 wrote to memory of 2960	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	103
PID 1844 wrote to memory of 432	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	104
PID 1844 wrote to memory of 432	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	104
PID 1844 wrote to memory of 432	1844	{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe	104
PID 2960 wrote to memory of 3016	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	107
PID 2960 wrote to memory of 3016	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	107
PID 2960 wrote to memory of 3016	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	107
PID 2960 wrote to memory of 3240	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	108
PID 2960 wrote to memory of 3240	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	108
PID 2960 wrote to memory of 3240	2960	{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe	108
PID 3016 wrote to memory of 4192	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	109
PID 3016 wrote to memory of 4192	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	109
PID 3016 wrote to memory of 4192	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	109
PID 3016 wrote to memory of 2260	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	110
PID 3016 wrote to memory of 2260	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	110
PID 3016 wrote to memory of 2260	3016	{9D708B93-386F-43bb-969C-B2DE84409139}.exe	110
PID 4192 wrote to memory of 1240	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	111
PID 4192 wrote to memory of 1240	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	111
PID 4192 wrote to memory of 1240	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	111
PID 4192 wrote to memory of 3208	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	112
PID 4192 wrote to memory of 3208	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	112
PID 4192 wrote to memory of 3208	4192	{342952FB-54A3-4597-BC8C-C6AB28008226}.exe	112
PID 1240 wrote to memory of 1356	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	114
PID 1240 wrote to memory of 1356	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	114
PID 1240 wrote to memory of 1356	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	114
PID 1240 wrote to memory of 3720	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	115
PID 1240 wrote to memory of 3720	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	115
PID 1240 wrote to memory of 3720	1240	{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe	115
PID 1356 wrote to memory of 4792	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	117
PID 1356 wrote to memory of 4792	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	117
PID 1356 wrote to memory of 4792	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	117
PID 1356 wrote to memory of 4148	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	116
PID 1356 wrote to memory of 4148	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	116
PID 1356 wrote to memory of 4148	1356	{06421409-8784-47de-938D-F07081CC1547}.exe	116
PID 4792 wrote to memory of 4264	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	121
PID 4792 wrote to memory of 4264	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	121
PID 4792 wrote to memory of 4264	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	121
PID 4792 wrote to memory of 3788	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	120
PID 4792 wrote to memory of 3788	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	120
PID 4792 wrote to memory of 3788	4792	{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe	120
PID 4264 wrote to memory of 3156	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	128
PID 4264 wrote to memory of 3156	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	128
PID 4264 wrote to memory of 3156	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	128
PID 4264 wrote to memory of 3740	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	127
PID 4264 wrote to memory of 3740	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	127
PID 4264 wrote to memory of 3740	4264	{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3572
- C:\Windows\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
  C:\Windows\{93BDEB39-36E8-46b5-B9A2-4ED9FC2892D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
    C:\Windows\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\{9D708B93-386F-43bb-969C-B2DE84409139}.exe
      C:\Windows\{9D708B93-386F-43bb-969C-B2DE84409139}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
        
        C:\Windows\{342952FB-54A3-4597-BC8C-C6AB28008226}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Windows\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
        
        C:\Windows\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{06421409-8784-47de-938D-F07081CC1547}.exe
        
        C:\Windows\{06421409-8784-47de-938D-F07081CC1547}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06421~1.EXE > nul
        8⤵
        
        PID:4148
        
        C:\Windows\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
        
        C:\Windows\{B4A199E6-7FC7-442a-88F0-0C920C80B27A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A19~1.EXE > nul
        9⤵
        
        PID:3788
        
        C:\Windows\{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
        
        C:\Windows\{1D239DF4-233B-47cf-986F-1A98247E23DF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D239~1.EXE > nul
        10⤵
        
        PID:3740
        
        C:\Windows\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}.exe
        
        C:\Windows\{326DF36A-3349-42ca-BEC8-3F2FBFC87AF8}.exe
        10⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{326DF~1.EXE > nul
        11⤵
        
        PID:3612
        
        C:\Windows\{1367508E-D3CF-45bd-99DB-B929145287CD}.exe
        
        C:\Windows\{1367508E-D3CF-45bd-99DB-B929145287CD}.exe
        11⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13675~1.EXE > nul
        12⤵
        
        PID:744
        
        C:\Windows\{17D07868-E083-468f-B780-B46050AE4665}.exe
        
        C:\Windows\{17D07868-E083-468f-B780-B46050AE4665}.exe
        12⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF327~1.EXE > nul
        7⤵
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34295~1.EXE > nul
        6⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D708~1.EXE > nul
        5⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D9A5~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93BDE~1.EXE > nul
    3⤵
    PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06421409-8784-47de-938D-F07081CC1547}.exe

Filesize
31KB

MD5
31f91041ed4ecfa78d32932956410752

SHA1
ad92653dc7a97d5bf60c63458f253d699cb28aac

SHA256
5f10aa2e1c606aefe87dc880825686427b44db94044586b75816aa3dd07386cb

SHA512
60eabc914893493670cb1744f058d801ba4de831cad7b134f91f2daf438048f2a34eb87ed4e456829024ac0d155036db6a054f370b812d1b8b4fc287f03a0af6

Download Submit
C:\Windows\{06421409-8784-47de-938D-F07081CC1547}.exe

Filesize
408KB

MD5
3452d1e978b34663f0f6397770e3bf01

SHA1
c188f24b67c7444c715e8a1ae58fb31f84cd8655

SHA256
e19843b2e7dcfe3feec6bb9efa6eefff0a9befc4e5e0d86f6c85e934f77e5ee3

SHA512
72824b67aa9da62a4ba420c2649832735f2b1b9946e047077db0615492e5e5468c71b3a86a026c497be1500371868bfd58d9a1933328d4181de9042df59f4d65

Download Submit
C:\Windows\{342952FB-54A3-4597-BC8C-C6AB28008226}.exe

Filesize
408KB

MD5
21058bc8bc23b4695aa378d5a2a11d7d

SHA1
60a1589e06a451f46889c2805a0886a0c2812b85

SHA256
df97b6348cd11eb5ab8762d68b5387cd7141c6e76ba7a4506b4f12637506bd8b

SHA512
14ae4e10bd6eef423da71bc0982fe0e93a48e7db085ca0a8c16b5e12da5c498cfc1d53f6e04fcf9b8fc09442090e2faed3160e9b180562b151b0919d5853d662

Download Submit
C:\Windows\{9D708B93-386F-43bb-969C-B2DE84409139}.exe

Filesize
408KB

MD5
f121fe3bfd41211e37270b6a49386a2a

SHA1
a3ec4a3129f9d20ec94d38f7ffa2ac3d5999b55f

SHA256
2ce94c2d47d47324871ba54c77b3a518dbd435b3d2c0f1ed0561493c645c870e

SHA512
a3f2e2716c88461d33fc7c7d0bb213991dc260bbc0f4022d4b6ac39dd772f0bdbc0d135a4841aa09c589f957bc500eeabe88f91b6faac73261bf3a5c1d302a3d

Download Submit
C:\Windows\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe

Filesize
109KB

MD5
896c37034692428e1ebb6820acb5d78a

SHA1
a27a45afb2e8cb2997bef199188c153202af8a93

SHA256
c6dde7bc9a899b72b9ad099f46c35f822d6c028df79464c3aba1d7417ab56876

SHA512
87ee0ab7fef1ad78823564ac2994a2405e4da902344406645cfb91a5a02260d8bc70a39441615db580412ef22ec25e953529fd79b853eb9f131fd0d17f162df0

Download Submit
C:\Windows\{9D9A504C-67BC-452b-943E-4ADCD79699F4}.exe

Filesize
135KB

MD5
b3151f10d552883aace4546d08f2e7d5

SHA1
4bb4707ca2593b2c9d7f607dd100059502e122be

SHA256
3d2f71632c454e2c26ad813107df3fb8ca82dfbe40132c39d089c2bee0249983

SHA512
ee4aab2ae719670558c226b3a9c11e9842914c38b9a6e07bcae21f2f20b53c540b1e69c02896f23dbd6e6c50846521be04db6a3d1051db3a017b7bf0fe9db93a

Download Submit
C:\Windows\{FF327D3E-B93D-4e3e-B27D-2B43D145E6B5}.exe

Filesize
408KB

MD5
d42d732b5783f1452532c0211f2d3262

SHA1
95a031b41931c238cf7c81e8f3e4898b0d9619de

SHA256
c22a0e6bd0c5979125d2d50966614b2a1037bf3cd79056a9b556c68b6abfc464

SHA512
1e0f3d51c4381ecd06486ca9f0151efd4061076a341d81534e602102cc441a201154bb702cc6b888ff3c438b9cb2eb43337fe000b2f0e1fd610a09f7fc0686d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads