982f72417d879885855a2ee5df32c587dcdc7019227f83869d2a81982f0f5eda

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
Size

192KB
MD5

b0bc7bff58787ec7beb45155d3d49acc
SHA1

fa2254804db93f7035ff8b009929cee4eee176de
SHA256

982f72417d879885855a2ee5df32c587dcdc7019227f83869d2a81982f0f5eda
SHA512

93a18f35869f1745afd56e773aeda31fc8a98d29d87a86a8fbd81fcaca7c97664a9a6daaf1c069b5eb7d19048649aafdc36aeb073f9006ca8a038ac88e9b9230
SSDEEP

1536:1EGh0o2l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o2l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}	{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}\stubpath = "C:\\Windows\\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe"	{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}\stubpath = "C:\\Windows\\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe"	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}\stubpath = "C:\\Windows\\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe"	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B753345-B956-44c7-91F7-9D01F704850C}	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B753345-B956-44c7-91F7-9D01F704850C}\stubpath = "C:\\Windows\\{8B753345-B956-44c7-91F7-9D01F704850C}.exe"	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}	{8B753345-B956-44c7-91F7-9D01F704850C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}\stubpath = "C:\\Windows\\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe"	{8B753345-B956-44c7-91F7-9D01F704850C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}	{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}	{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}\stubpath = "C:\\Windows\\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe"	{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E8F86C-930B-4687-9AB3-DD5A641621E9}	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B365EB-5C77-41f6-B56D-5613530A6F27}\stubpath = "C:\\Windows\\{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe"	{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}\stubpath = "C:\\Windows\\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe"	{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}\stubpath = "C:\\Windows\\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe"	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04E7BFA5-993F-402d-B039-BAD024D03BA5}	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04E7BFA5-993F-402d-B039-BAD024D03BA5}\stubpath = "C:\\Windows\\{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe"	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B365EB-5C77-41f6-B56D-5613530A6F27}	{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E8F86C-930B-4687-9AB3-DD5A641621E9}\stubpath = "C:\\Windows\\{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe"	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}\stubpath = "C:\\Windows\\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe"	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe
336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
1620	{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
1528	{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
1720	{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
3008	{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
1044	{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe	{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
File created	C:\Windows\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe	{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
File created	C:\Windows\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
File created	C:\Windows\{8B753345-B956-44c7-91F7-9D01F704850C}.exe	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
File created	C:\Windows\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
File created	C:\Windows\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
File created	C:\Windows\{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
File created	C:\Windows\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe	{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
File created	C:\Windows\{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
File created	C:\Windows\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	{8B753345-B956-44c7-91F7-9D01F704850C}.exe
File created	C:\Windows\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
File created	C:\Windows\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe	{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
Token: SeIncBasePriorityPrivilege	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
Token: SeIncBasePriorityPrivilege	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe
Token: SeIncBasePriorityPrivilege	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
Token: SeIncBasePriorityPrivilege	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
Token: SeIncBasePriorityPrivilege	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
Token: SeIncBasePriorityPrivilege	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
Token: SeIncBasePriorityPrivilege	1620	{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
Token: SeIncBasePriorityPrivilege	1528	{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
Token: SeIncBasePriorityPrivilege	1720	{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
Token: SeIncBasePriorityPrivilege	3008	{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1944	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	28
PID 2040 wrote to memory of 1944	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	28
PID 2040 wrote to memory of 1944	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	28
PID 2040 wrote to memory of 1944	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	28
PID 2040 wrote to memory of 2680	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	29
PID 2040 wrote to memory of 2680	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	29
PID 2040 wrote to memory of 2680	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	29
PID 2040 wrote to memory of 2680	2040	2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe	29
PID 1944 wrote to memory of 2072	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	30
PID 1944 wrote to memory of 2072	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	30
PID 1944 wrote to memory of 2072	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	30
PID 1944 wrote to memory of 2072	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	30
PID 1944 wrote to memory of 2732	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	31
PID 1944 wrote to memory of 2732	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	31
PID 1944 wrote to memory of 2732	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	31
PID 1944 wrote to memory of 2732	1944	{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe	31
PID 2072 wrote to memory of 3056	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	34
PID 2072 wrote to memory of 3056	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	34
PID 2072 wrote to memory of 3056	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	34
PID 2072 wrote to memory of 3056	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	34
PID 2072 wrote to memory of 2008	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	35
PID 2072 wrote to memory of 2008	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	35
PID 2072 wrote to memory of 2008	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	35
PID 2072 wrote to memory of 2008	2072	{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe	35
PID 3056 wrote to memory of 336	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	36
PID 3056 wrote to memory of 336	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	36
PID 3056 wrote to memory of 336	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	36
PID 3056 wrote to memory of 336	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	36
PID 3056 wrote to memory of 1000	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	37
PID 3056 wrote to memory of 1000	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	37
PID 3056 wrote to memory of 1000	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	37
PID 3056 wrote to memory of 1000	3056	{8B753345-B956-44c7-91F7-9D01F704850C}.exe	37
PID 336 wrote to memory of 2756	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	38
PID 336 wrote to memory of 2756	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	38
PID 336 wrote to memory of 2756	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	38
PID 336 wrote to memory of 2756	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	38
PID 336 wrote to memory of 2824	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	39
PID 336 wrote to memory of 2824	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	39
PID 336 wrote to memory of 2824	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	39
PID 336 wrote to memory of 2824	336	{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe	39
PID 2756 wrote to memory of 1468	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	40
PID 2756 wrote to memory of 1468	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	40
PID 2756 wrote to memory of 1468	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	40
PID 2756 wrote to memory of 1468	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	40
PID 2756 wrote to memory of 2168	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	41
PID 2756 wrote to memory of 2168	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	41
PID 2756 wrote to memory of 2168	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	41
PID 2756 wrote to memory of 2168	2756	{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe	41
PID 1468 wrote to memory of 1572	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	42
PID 1468 wrote to memory of 1572	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	42
PID 1468 wrote to memory of 1572	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	42
PID 1468 wrote to memory of 1572	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	42
PID 1468 wrote to memory of 1992	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	43
PID 1468 wrote to memory of 1992	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	43
PID 1468 wrote to memory of 1992	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	43
PID 1468 wrote to memory of 1992	1468	{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe	43
PID 1572 wrote to memory of 1620	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	45
PID 1572 wrote to memory of 1620	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	45
PID 1572 wrote to memory of 1620	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	45
PID 1572 wrote to memory of 1620	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	45
PID 1572 wrote to memory of 2640	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	44
PID 1572 wrote to memory of 2640	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	44
PID 1572 wrote to memory of 2640	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	44
PID 1572 wrote to memory of 2640	1572	{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_b0bc7bff58787ec7beb45155d3d49acc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
  C:\Windows\{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
    C:\Windows\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\{8B753345-B956-44c7-91F7-9D01F704850C}.exe
      C:\Windows\{8B753345-B956-44c7-91F7-9D01F704850C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
        
        C:\Windows\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
        
        C:\Windows\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
        
        C:\Windows\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
        
        C:\Windows\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5C46~1.EXE > nul
        9⤵
        
        PID:2640
        
        C:\Windows\{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
        
        C:\Windows\{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
        
        C:\Windows\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
        
        C:\Windows\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
        
        C:\Windows\{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe
        
        C:\Windows\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B36~1.EXE > nul
        13⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50B3A~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74541~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04E7B~1.EXE > nul
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A20DC~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30BFB~1.EXE > nul
        7⤵
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6E8~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B753~1.EXE > nul
        5⤵
        
        PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80126~1.EXE > nul
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46E8F~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04E7BFA5-993F-402d-B039-BAD024D03BA5}.exe

Filesize
192KB

MD5
00d613683c36c2ad312be70cc8fee1c0

SHA1
dc68596e6b8cf8064dc7b342e4ab4d75adc08518

SHA256
da393527d36610ad1182164e16a46cc2d323c963144b1de5287df6cc5a6fc909

SHA512
0c5e03f04437a41ccb20bf687bdf87343e8349c5f178b235105095f7722ec79bb4d0236fa4f0a0cf510143edf963188a43005c56e861f36771f48495faa9c87b

Download Submit
C:\Windows\{30BFBD03-911F-4e1e-9A2C-BF7B1657CA6A}.exe

Filesize
192KB

MD5
ee0e31ab763cec15bc55990cbc75d391

SHA1
8ad71decbcf6a910ec5cc99d8bb8d0f9a045ddca

SHA256
a0faa4de87f5c10add9a7a5283081f83a80da40c265cca367da3eaf5a32db78b

SHA512
4658227b6fa050249f330693350e59d020411d386c94da123d21edf0c0be74548d4041bc40f084289aa3c2d1450f9e7b6f02d963b1c7ff418bc66ff807ab72ea

Download Submit
C:\Windows\{46E8F86C-930B-4687-9AB3-DD5A641621E9}.exe

Filesize
192KB

MD5
735aed326c3ecd451c100b11831848d5

SHA1
61824991f554f15841f9b4ebef7f143dfe8fb8e2

SHA256
f96ac02e31a801089d81fd407b89da55d43c6b49aea57cd85b9d3653ae7bdfa1

SHA512
78810a3bdcdc1e4c13412f07d37051928e2f6255ecba3f14aa67dd82f9621ef329178e76e115dbf8218083250cb4d763987e6ef1d0987c89e69ace9de481d131

Download Submit
C:\Windows\{50B3A499-95DA-4b2a-AFC4-45BCE0C99F9F}.exe

Filesize
192KB

MD5
d7ebf7ec726778110169ebde2bc0726e

SHA1
ac13e03dfe70562a35e127e7900edc240a763d82

SHA256
931b197456f4f4e7804e8b55ccfe85a5771a03960e0965e021e867c8806e09f7

SHA512
ffbbedb55457b33621ad4905e31ba0017158e2ab389b74a6333967279ab3fbd2ed5dede65c5647bc3c9b9058ae9fc156a2c44c8b67990f2838a5b938ce3c8f0e

Download Submit
C:\Windows\{5A9DEC80-F780-45db-92A3-2C01BFB1E06E}.exe

Filesize
192KB

MD5
37e3b7ecf51c872ce91404181a5a6740

SHA1
80fcf292378ef81bb2ecbbc9558e0a2fa1394569

SHA256
26e3040510ddcd3433be20837bbe27651bb6dae424efe294e64e5dbee165b9c9

SHA512
372884b063be66dbd547f92abc889b0e6a5ce5c1d8a0cfa1a8854ee6cd228c968fff0e78d0018260441efd265dc9b0b4ef5042c73101467d4d60d5c8d6e7987f

Download Submit
C:\Windows\{745410E9-852C-4649-A2CD-FEBDAA1AF4DA}.exe

Filesize
192KB

MD5
1e18340842e7797cea4e7fef515cd095

SHA1
648f744c832f0031f07eb07e5f6f8b0cdc152b8c

SHA256
e31228de67a36b3b2b26b86bfd9d46404e94cbe0c53c99e4b21fd6a7fb4a5f7a

SHA512
b1c75c4042a9fe63a46568189deee90a88aa0a4ebef3e24cbdfeb09a4823fc0f9de493af5c50eb5e796892875c42746435cb03f069e692add6841a86cde48174

Download Submit
C:\Windows\{7E6E8EA7-631F-4d86-AF65-59E70A58ED14}.exe

Filesize
192KB

MD5
08a176f7bfb5569ec4041bc8a6da6173

SHA1
22997e9860e1d9f79fa5b12a26a185be115ac8a4

SHA256
4de887600474c6ae7b994f97d4de0f8b6e7be8eacbf185714b9d7469efd409a1

SHA512
1ceb8379061f438c16dcf3e39c668f42fa707c9a96e5d21cadb0b81fb6dc82ec48eca46661a8034024f227b39375ce5f66e774dba6f611585dccec44571f1b80

Download Submit
C:\Windows\{80126F1C-8A6C-4482-9827-4EAF9842C1F7}.exe

Filesize
192KB

MD5
17dee84d93c04ae18440d9898a273b7a

SHA1
2e510bfe5dd3813eb58158e52b9dbaabc5afd525

SHA256
44772ca179422a4fc301ad790c2fbb397aeb8e499e74cf5e7c948ecb16a851c3

SHA512
6e3898c6b1fb5dbac01f26356121f477a370a8b804baef134e53af33f490a777401024786f08939d649d808dd60e20a3a33223f77ed416e31332840838fdd6bd

Download Submit
C:\Windows\{8B753345-B956-44c7-91F7-9D01F704850C}.exe

Filesize
192KB

MD5
80bd25607f331ada82a9fedd981b4d37

SHA1
5d2aa44474a5398e9d4c3be86ed28d6c049aef28

SHA256
1973de18c11dd42b75450bdf4226163f3a46e42cf20b72b6caa5aa94c9b6fb88

SHA512
9836cd852ed41ad05d266c667040751188b694dfb770203dc9386e1323bed9968a9ff30b5d9843ac1301af12c575077b28b1af1c285b94a7dfa0e8502958ce16

Download Submit
C:\Windows\{A20DC1BD-DF3C-44c8-90BA-6F2641524628}.exe

Filesize
192KB

MD5
0ff8f75d88252733f4dfbe9d0c0bf49d

SHA1
7be6b37b92a7c28f9ee517db9fc30a6d7ad69f53

SHA256
b5f74e4efd20c5dd3230c84a08602a4051f58f1723c2ca738e92d3237a39f697

SHA512
8ce25fe0f7afe3fc1d85af5bd3d9624e71215d89d33fe99b09e756fdf971a6102d4c8103f40c0f3716f7fb06c9abf48a4486aea5d5b0197a4fbd0a817f59a027

Download Submit
C:\Windows\{B6B365EB-5C77-41f6-B56D-5613530A6F27}.exe

Filesize
192KB

MD5
739af3f00e3a809e053721bf4d946602

SHA1
ef00c57a8e23a4d7f520807be1e63ac735ba3517

SHA256
e1f8d9f933a393e67f2045d675c65056eb48ad33813d37c7d5cec83e076002aa

SHA512
1d330ecdedd3405a7c9d0988dfa343bdcc5bcf4d7e12ddfb5d789724addfcc8ed81cc3006ecb0c0c88396b2f55c34aee7e85ca708c21c0591ce2df7abb8ece0e

Download Submit
C:\Windows\{F5C463CB-FD8D-4ace-A123-7A42EF5F904C}.exe

Filesize
192KB

MD5
d6b09ec46aa3a34d65a4d66c1b5bbd8b

SHA1
a6c62e8ec91f44d1f08e12e300f16f1104d3abcd

SHA256
4559add9837ffa8c87fe202fa85ca96bc93517abb9ef0c59a39c9626effcda50

SHA512
1a7eeb365e1397d58d522dae48572a749cf0728668b5eb36a4dcb696ef1c9fbf3720fda7d075d3400f4166900f72d6904873b49ee0771f17acba7de11e4215b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads