0f87f3bd178236711136b82f6433cec4ea266ad7451237a51e7f9c15724f4eae

Analysis

max time kernel
113s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
Size

380KB
MD5

799fe906d0ecada1aa6edc07e9510556
SHA1

487be1e901f1114b3ea6b929154109e7006d0873
SHA256

0f87f3bd178236711136b82f6433cec4ea266ad7451237a51e7f9c15724f4eae
SHA512

ad3ef5c9d1bca38f9ffb958c4ac95c294a4dead2defc129f68943033fcfa6020f6fd6e247c85e80693bb2129b61136b46c9d5f8f54821d72ce9a92e5341fc9f6
SSDEEP

3072:mEGh0oFlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGbl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D17613-ED16-4d36-A9D1-548BCD192D9C}\stubpath = "C:\\Windows\\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe"	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}\stubpath = "C:\\Windows\\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe"	{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C24862-999F-4e1a-B14C-7ADC37E83062}	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9C24862-999F-4e1a-B14C-7ADC37E83062}\stubpath = "C:\\Windows\\{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe"	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}\stubpath = "C:\\Windows\\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe"	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313585EE-60B1-4958-A975-92FE8FE7CC14}	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DD3B02-9A94-443e-B608-25C04D4B02E8}	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85DD3B02-9A94-443e-B608-25C04D4B02E8}\stubpath = "C:\\Windows\\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe"	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E7198D-2A3F-45ae-A900-432FAF01B479}\stubpath = "C:\\Windows\\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe"	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D17613-ED16-4d36-A9D1-548BCD192D9C}	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{773844E4-A476-4969-A056-4831E8BDB1E3}	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}\stubpath = "C:\\Windows\\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe"	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313585EE-60B1-4958-A975-92FE8FE7CC14}\stubpath = "C:\\Windows\\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe"	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}	{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{773844E4-A476-4969-A056-4831E8BDB1E3}\stubpath = "C:\\Windows\\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe"	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E7198D-2A3F-45ae-A900-432FAF01B479}	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
1868	{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe
864	{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
File created	C:\Windows\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
File created	C:\Windows\{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
File created	C:\Windows\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
File created	C:\Windows\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
File created	C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
File created	C:\Windows\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
File created	C:\Windows\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
File created	C:\Windows\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe	{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
Token: SeIncBasePriorityPrivilege	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
Token: SeIncBasePriorityPrivilege	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
Token: SeIncBasePriorityPrivilege	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
Token: SeIncBasePriorityPrivilege	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
Token: SeIncBasePriorityPrivilege	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
Token: SeIncBasePriorityPrivilege	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
Token: SeIncBasePriorityPrivilege	1868	{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1076	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	29
PID 2168 wrote to memory of 1076	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	29
PID 2168 wrote to memory of 1076	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	29
PID 2168 wrote to memory of 1076	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	29
PID 2168 wrote to memory of 2676	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	28
PID 2168 wrote to memory of 2676	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	28
PID 2168 wrote to memory of 2676	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	28
PID 2168 wrote to memory of 2676	2168	2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe	28
PID 1076 wrote to memory of 2088	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	31
PID 1076 wrote to memory of 2088	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	31
PID 1076 wrote to memory of 2088	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	31
PID 1076 wrote to memory of 2088	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	31
PID 1076 wrote to memory of 2688	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	30
PID 1076 wrote to memory of 2688	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	30
PID 1076 wrote to memory of 2688	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	30
PID 1076 wrote to memory of 2688	1076	{773844E4-A476-4969-A056-4831E8BDB1E3}.exe	30
PID 2088 wrote to memory of 2648	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	34
PID 2088 wrote to memory of 2648	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	34
PID 2088 wrote to memory of 2648	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	34
PID 2088 wrote to memory of 2648	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	34
PID 2088 wrote to memory of 3068	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	35
PID 2088 wrote to memory of 3068	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	35
PID 2088 wrote to memory of 3068	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	35
PID 2088 wrote to memory of 3068	2088	{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe	35
PID 2648 wrote to memory of 2024	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	37
PID 2648 wrote to memory of 2024	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	37
PID 2648 wrote to memory of 2024	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	37
PID 2648 wrote to memory of 2024	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	37
PID 2648 wrote to memory of 680	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	36
PID 2648 wrote to memory of 680	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	36
PID 2648 wrote to memory of 680	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	36
PID 2648 wrote to memory of 680	2648	{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe	36
PID 2024 wrote to memory of 1756	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	38
PID 2024 wrote to memory of 1756	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	38
PID 2024 wrote to memory of 1756	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	38
PID 2024 wrote to memory of 1756	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	38
PID 2024 wrote to memory of 1792	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	39
PID 2024 wrote to memory of 1792	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	39
PID 2024 wrote to memory of 1792	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	39
PID 2024 wrote to memory of 1792	2024	{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe	39
PID 1756 wrote to memory of 2672	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	40
PID 1756 wrote to memory of 2672	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	40
PID 1756 wrote to memory of 2672	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	40
PID 1756 wrote to memory of 2672	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	40
PID 1756 wrote to memory of 1612	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	41
PID 1756 wrote to memory of 1612	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	41
PID 1756 wrote to memory of 1612	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	41
PID 1756 wrote to memory of 1612	1756	{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe	41
PID 2672 wrote to memory of 2488	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	43
PID 2672 wrote to memory of 2488	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	43
PID 2672 wrote to memory of 2488	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	43
PID 2672 wrote to memory of 2488	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	43
PID 2672 wrote to memory of 2524	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	42
PID 2672 wrote to memory of 2524	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	42
PID 2672 wrote to memory of 2524	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	42
PID 2672 wrote to memory of 2524	2672	{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe	42
PID 2488 wrote to memory of 1868	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	44
PID 2488 wrote to memory of 1868	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	44
PID 2488 wrote to memory of 1868	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	44
PID 2488 wrote to memory of 1868	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	44
PID 2488 wrote to memory of 1844	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	45
PID 2488 wrote to memory of 1844	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	45
PID 2488 wrote to memory of 1844	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	45
PID 2488 wrote to memory of 1844	2488	{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_799fe906d0ecada1aa6edc07e9510556_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676
- C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
  C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77384~1.EXE > nul
    3⤵
    PID:2688
- - C:\Windows\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
    C:\Windows\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
      C:\Windows\{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C24~1.EXE > nul
        5⤵
        
        PID:680
    - - C:\Windows\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
        
        C:\Windows\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
        
        C:\Windows\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
        
        C:\Windows\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E71~1.EXE > nul
        8⤵
        
        PID:2524
        
        C:\Windows\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
        
        C:\Windows\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe
        
        C:\Windows\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31358~1.EXE > nul
        10⤵
        
        PID:760
        
        C:\Windows\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe
        
        C:\Windows\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe
        10⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD29A~1.EXE > nul
        11⤵
        
        PID:2144
        
        C:\Windows\{86954E94-BA3C-4030-A26B-D4239455134E}.exe
        
        C:\Windows\{86954E94-BA3C-4030-A26B-D4239455134E}.exe
        11⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86954~1.EXE > nul
        12⤵
        
        PID:2120
        
        C:\Windows\{D25502D0-488D-4d63-8D0F-65862C4F23C6}.exe
        
        C:\Windows\{D25502D0-488D-4d63-8D0F-65862C4F23C6}.exe
        12⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D17~1.EXE > nul
        9⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B39~1.EXE > nul
        7⤵
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3F1~1.EXE > nul
        6⤵
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{85DD3~1.EXE > nul
      4⤵
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe

Filesize
339KB

MD5
f707244548ac15a986eacdea24064fd0

SHA1
4d0c959ee69904970263984881c445e834c1af01

SHA256
67e3ddf5cfdd03ab07baaebf595916983b1f588085c3b2162b8551df4345fd48

SHA512
d9cd60b5504acd3baa5fcca674859385f3adce17bac2515bdf9ce2551096f30e0f04be496603d0f9be0434126f732a76c2b16a3c665f132351cd5134694d7d86

Download Submit
C:\Windows\{2C3F10DB-61ED-4f58-86DE-F3C8A941C138}.exe

Filesize
45KB

MD5
fb691d513170147665a1cb74935d3ace

SHA1
e79bde2d0a8ab2c43fe67ae73b6c8b08d1ef87a1

SHA256
7a40657bd619e8383708cf01cfc2752e449c29c0a4fd6188581a32f73b1e389c

SHA512
079676ba9026e4277a02806f26890094cfe9a55eedbef813e8e558ac61919593264316a9a101dc8331554a7cedeb06b6e6dbfa8e3899318e683033489cada17b

Download Submit
C:\Windows\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe

Filesize
50KB

MD5
4f8e3dab1e650b051144bb8c7a0039b9

SHA1
fb61d11c291d789c6c7ee29b5ca4936d67f577af

SHA256
89b9679c4788aeb123d33e903f6317a4cb4da6c5cba169eab57a0ddc92315271

SHA512
875c00be738b2162030dfcd3c3417e4ad5c459c86538b1eba9b2e687f7376d65d7f7838b4e4a703c4d3c76eeb13924e4a020670b2d796449ccddbb83e700f197

Download Submit
C:\Windows\{313585EE-60B1-4958-A975-92FE8FE7CC14}.exe

Filesize
57KB

MD5
d16ff5697ab27806fd686c54414385a6

SHA1
88eb2bc1ede0b0f280af54af4e6e5debe635a18a

SHA256
b4dd1a87e13dee65318583070b12b341336891c279e5674f936c53db85c38f3f

SHA512
6ffe68e6774096039a68be89d4439269efb914e809179047ba2fb6654cbc1f250cda1329a5f6e0a9a9aa9f08e49dfd1329903b4018b96769148eb2d8bd0e97e3

Download Submit
C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe

Filesize
183KB

MD5
f9be7bfc430fb6d85ba5565dddf0662a

SHA1
47f2e2234816343e90baf51e0cf1e7dbb53d8854

SHA256
0879d8b9e693dcfdbbf0a6a963dc75a44cc12943a8b5e7efadf9322e098a2d9f

SHA512
243afba1fe950babee86da4e12396ba48678567068df9e0879ee9f3b3161b7832e6498726039ffb955682c4746b48d5ddc5e0b2035d8208f5b66e3b2f55f2814

Download Submit
C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe

Filesize
168KB

MD5
f6ea079caf7498725fe88ef4dc11e3a8

SHA1
5be2b593febb9aeebd030c76aaa9f75efcb85ea4

SHA256
4087853afbde05eff1a01dd865bce9663747566f41bf726fcdc8345bfc8bfca1

SHA512
78ac6412c2956f75c3fd51ab0e31380f99e718db0f3ff1e06680aafe00a4c12e5c610fd3aa095c5cc4dc51c12e138cfa0523ccca8acbd3a788610de253cfcd3a

Download Submit
C:\Windows\{773844E4-A476-4969-A056-4831E8BDB1E3}.exe

Filesize
1KB

MD5
0469c37c06779c374b10516f746e54cd

SHA1
a554cdfb5bfe2fdbef5626dff44175a0a14c9aa7

SHA256
42a50b9c0cdee18b6513ca0684fe36d5108fee23b4202466ba22f5312f2c43b5

SHA512
8116e597ca3fc7d7b801424a1b37533ade4fbe62b33f7045e6eaeb6b03275c7e981498b4e237230262e157aed9d257faadb6ba1586191f0ebb8d87f292cf4ce0

Download Submit
C:\Windows\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe

Filesize
147KB

MD5
4c9eb36e3d2cfe188dce142c93575a72

SHA1
e0cabd17085f2d32b1bb7891913f5389f9a46b96

SHA256
e4abf6d86e1e202560c07c699f5c1cc5d5bb90e5fb5cc8c8efc0ca1c3cf619ba

SHA512
78fa2d7626eb3cc17b3bac9ad2743722034f273dda75d1afd35f77aafdb20aeec7f42e37732cfd3cef4cb0788f7ec8b62ea2bdf338c1d67f6bd1ddb2e01317b7

Download Submit
C:\Windows\{85DD3B02-9A94-443e-B608-25C04D4B02E8}.exe

Filesize
380KB

MD5
82f2029f03820129e6195571bd510345

SHA1
e5a17edebb4a8ed5c0617997ebcadc42b4bc8171

SHA256
fac958fe5144e4016dfa047f089a500b5abe0ea96d41b13dec5e711c972f1298

SHA512
dc2f2a8b4f48ccc5d5f5e0ad1f0afbc66837beb7aab0cd4f2597ce9dab38ad2058b1710012de89664d031d6ba6b28da82537b27e46f898c1572765b759e62ac6

Download Submit
C:\Windows\{86954E94-BA3C-4030-A26B-D4239455134E}.exe

Filesize
45KB

MD5
fdd72fc33c3a852e64015a758c235d78

SHA1
2f7b6fb749da6ff958d9ac3cdb1fbe642c70cbcd

SHA256
a8e41876a2c146d8bb7be1c7fab2767627a48deec2bfba61f2d92753494ae73e

SHA512
d138dc4256d4180d2440bdbf2f98e13576b49cf6af8932d63fac6f80763e1403e9f997c3eea81863ace9e8ab5e40a5559d261175a2142fc8c01fca442f313d9e

Download Submit
C:\Windows\{86954E94-BA3C-4030-A26B-D4239455134E}.exe

Filesize
25KB

MD5
bcfccf61fd7858ad119b7e3df214fb45

SHA1
00dff0dba839cf266058581558f9a19281d8b875

SHA256
f5d72773207e03e9056644241f29f30597cb04ea515bf795895832f69859adeb

SHA512
e15d1f4490adc00b45e414e8f191916a2eba05c3523576936e60a4572fde1abf0a828efc64c941f3ccaffe4db1625ace8b39f6954350b91d6811083432edbc75

Download Submit
C:\Windows\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe

Filesize
11KB

MD5
df8a3e4c9d2de0fffa48dd18eace26fc

SHA1
6fb640003f7ca729ca8673a14d72971792cfeea4

SHA256
cecab930dea532da4fb561e1cea86993de1f7176d8335248874a440d4c49ea0f

SHA512
6bb187490b7c6ae602618b143d7202d6e7e35bb2326d518e87c0c7919341fcd963cb5afbb9408045b316e0dd723d3f76977746cc97f3b709a0ec1be4b439ef6c

Download Submit
C:\Windows\{87D17613-ED16-4d36-A9D1-548BCD192D9C}.exe

Filesize
41KB

MD5
eaba8f38920b172a01a53a972ce3ceb4

SHA1
97ba8a77af83f9e6b770040a7033812e6462fd68

SHA256
c3bf0edde343ffc743a29e63d8cab5b7768adbbfc181962c842e64127757ebb7

SHA512
aaf8ce62e8e39944ffff1702b856f8e2d31f8bcd13d30b653f7958d293bcf2d2df78224e78da021eb80374fdaa771905ffac6769501f4bfb1e1d815609e937cf

Download Submit
C:\Windows\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe

Filesize
27KB

MD5
c64e7108a8d91feafc8c27b149f18316

SHA1
1f5694613f96cafcb1a06b768892c975ea0fe210

SHA256
e3e1aeefd3896feeeb48ae2be5c1380334fd987fa2d6b1e6ef30e3d49639d416

SHA512
e697167c39afd163bd321bc1a29d989a73fc6a258f78b5672d76b3f8ec9ef1d24c27c746ef64409030c0bbffa197fd543e7a356e5976c6d4c4a6ea763b640968

Download Submit
C:\Windows\{B7B39B0D-71AF-484f-B21A-5C8E10E7CC71}.exe

Filesize
56KB

MD5
07c1e4944597d31892177964d40e7d4c

SHA1
362660454dbc244e3ca9c68d7507ce52bd72fa76

SHA256
d938318af9d7a48bdf4f8d9d42da89fd0004dcfdb84e0ae4c72292c9dd933bed

SHA512
ad557916482d96514f583cfe735355bdf52faf14c706c15f413836311e119b5018d9c9c537cf41db3547cca2e517cba1d8698eeb5627bfa4c28b583a61c40eec

Download Submit
C:\Windows\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe

Filesize
15KB

MD5
e77ef0fb25ffaa728f0f86a9618c19e8

SHA1
71a3c5045495527cf4cf254d416fc3810082024d

SHA256
a26da5d443c7662697f8ee9669709bd7137cde869ed393ff1888a5cafb3b2dca

SHA512
de5c55d6577ca1f61f4109a6e3ed411c134ec83cec58027ae02a9f0475b2e58572759a2054976c9c834bbb2a9bf60a670cc05b0fab02f08c4dd16f1e83f89ed0

Download Submit
C:\Windows\{C1E7198D-2A3F-45ae-A900-432FAF01B479}.exe

Filesize
64KB

MD5
d5d07c1dfbf8bafdfd850b071365accf

SHA1
8d60f10ca39708078378deb5479a990aa6c1be86

SHA256
abccbed910c723c174ef17ac85eacb2823ff9fd2530e590c8ee9b706f9e51618

SHA512
b5a3ef936dbf4e5e06d37074628f0be77c1955451724984e9438e2cb83fc358b4726fd01a5171ca0037606af6aeb411b259ba526d60bcbac9456b3d3f754b5b5

Download Submit
C:\Windows\{CD29A352-7BEB-4189-B01D-537E18FEEF2A}.exe

Filesize
4KB

MD5
14b20f74e5955a62cede6aea4185e6ec

SHA1
1902b581a6f2e733f37100011ceead099d04cca6

SHA256
96790b5cc2be58099734f6bcbe6e5f7f03b7bf05795a4a1e11920d849b296b36

SHA512
5d76a026ba6c1a36c01f3a011fd1abac8259bfd4c9117515d5fe1122ff8b9b13a4aa7cacf896238ac6d77f5a277a848c04a903bbf1e1086f19fbf921f0afc99a

Download Submit
C:\Windows\{D25502D0-488D-4d63-8D0F-65862C4F23C6}.exe

Filesize
34KB

MD5
8a8b6de723df4bba23f5bd248582309c

SHA1
122b3941d2d8fe78d9138d48e3799bc9c12517e3

SHA256
5ce5a3f809834de607abd2af01230437007d4055e7aaaf239880b5b2156e5844

SHA512
a60be053eb1f5517ee62b622eebc3e64ae570ebd06ca591229dfc65102f78c9f5eae560671ccf81fe66b5e6b39eb3162e9844a00538648e706c56c2a393e7a31

Download Submit
C:\Windows\{E9C24862-999F-4e1a-B14C-7ADC37E83062}.exe

Filesize
380KB

MD5
bc6a36def7db722345410e6bb28ffe78

SHA1
de3f1c84e32f03b9ab717e1e3a39875e36290118

SHA256
27b498c67036c0579b59f01ea31c9046cb41c0badedd3bbe9afbb38982ab05a8

SHA512
1321415a9b0da856ead6d37a9cff2030d09e6a3aff7b411b09ac368756d2d16270f307b0b938c7fdf227eb4a2173ee5bbf0b5e60cb2d92eb5143fe6df4988d07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads