c83ff9304997f8427dcfc7d6ed003843f80c6b883d6ff00befd35bdcd3fe5c28

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Size

344KB
MD5

e9688c5ebb1b08ecc154c69cfa47a037
SHA1

c21c5e6e4d98317905b7f703df03b26f3e1aae4d
SHA256

c83ff9304997f8427dcfc7d6ed003843f80c6b883d6ff00befd35bdcd3fe5c28
SHA512

c08c79abf1c0f9e91d4151571af9fe471a90f686f6ced9c2ceb5d24a686134eb86aaddf1f04fb2df7f2654f3e297d97086c760722df1dc6f5b07e12a3f899ae5
SSDEEP

3072:mEGh0o3lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGllqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}\stubpath = "C:\\Windows\\{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe"	{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722C10F2-F978-4c12-9760-8DD7E1C506F3}\stubpath = "C:\\Windows\\{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe"	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}\stubpath = "C:\\Windows\\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe"	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40722E17-7DDD-472f-9905-A43CABB4B3AB}	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A90FE3-923D-499c-A301-8F48B9C2D933}\stubpath = "C:\\Windows\\{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe"	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7AF2816-048B-4c52-8543-7C14C93D9192}\stubpath = "C:\\Windows\\{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe"	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}\stubpath = "C:\\Windows\\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe"	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722C10F2-F978-4c12-9760-8DD7E1C506F3}	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40722E17-7DDD-472f-9905-A43CABB4B3AB}\stubpath = "C:\\Windows\\{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe"	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F53E664-3385-44fc-9418-C4F3AE946311}\stubpath = "C:\\Windows\\{8F53E664-3385-44fc-9418-C4F3AE946311}.exe"	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A90FE3-923D-499c-A301-8F48B9C2D933}	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7AF2816-048B-4c52-8543-7C14C93D9192}	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}\stubpath = "C:\\Windows\\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe"	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}\stubpath = "C:\\Windows\\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe"	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}\stubpath = "C:\\Windows\\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe"	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}	{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}\stubpath = "C:\\Windows\\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe"	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F53E664-3385-44fc-9418-C4F3AE946311}	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe

Executes dropped EXE 11 IoCs

pid	Process
4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
2724	{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe
4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
404	{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
File created	C:\Windows\{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
File created	C:\Windows\{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
File created	C:\Windows\{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
File created	C:\Windows\{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
File created	C:\Windows\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
File created	C:\Windows\{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
File created	C:\Windows\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
File created	C:\Windows\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
File created	C:\Windows\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
File created	C:\Windows\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
Token: SeIncBasePriorityPrivilege	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
Token: SeIncBasePriorityPrivilege	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
Token: SeIncBasePriorityPrivilege	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
Token: SeIncBasePriorityPrivilege	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
Token: SeIncBasePriorityPrivilege	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
Token: SeIncBasePriorityPrivilege	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
Token: SeIncBasePriorityPrivilege	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
Token: SeIncBasePriorityPrivilege	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
Token: SeIncBasePriorityPrivilege	5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4648	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	93
PID 1756 wrote to memory of 4648	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	93
PID 1756 wrote to memory of 4648	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	93
PID 1756 wrote to memory of 4568	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	94
PID 1756 wrote to memory of 4568	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	94
PID 1756 wrote to memory of 4568	1756	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	94
PID 4648 wrote to memory of 2272	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	102
PID 4648 wrote to memory of 2272	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	102
PID 4648 wrote to memory of 2272	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	102
PID 4648 wrote to memory of 2224	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	103
PID 4648 wrote to memory of 2224	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	103
PID 4648 wrote to memory of 2224	4648	{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe	103
PID 2272 wrote to memory of 4356	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	106
PID 2272 wrote to memory of 4356	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	106
PID 2272 wrote to memory of 4356	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	106
PID 2272 wrote to memory of 3496	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	105
PID 2272 wrote to memory of 3496	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	105
PID 2272 wrote to memory of 3496	2272	{8F53E664-3385-44fc-9418-C4F3AE946311}.exe	105
PID 4356 wrote to memory of 4908	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	108
PID 4356 wrote to memory of 4908	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	108
PID 4356 wrote to memory of 4908	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	108
PID 4356 wrote to memory of 3748	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	109
PID 4356 wrote to memory of 3748	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	109
PID 4356 wrote to memory of 3748	4356	{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe	109
PID 4908 wrote to memory of 2340	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	110
PID 4908 wrote to memory of 2340	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	110
PID 4908 wrote to memory of 2340	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	110
PID 4908 wrote to memory of 4612	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	111
PID 4908 wrote to memory of 4612	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	111
PID 4908 wrote to memory of 4612	4908	{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe	111
PID 2340 wrote to memory of 4452	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	113
PID 2340 wrote to memory of 4452	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	113
PID 2340 wrote to memory of 4452	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	113
PID 2340 wrote to memory of 5040	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	114
PID 2340 wrote to memory of 5040	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	114
PID 2340 wrote to memory of 5040	2340	{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe	114
PID 4452 wrote to memory of 3516	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	115
PID 4452 wrote to memory of 3516	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	115
PID 4452 wrote to memory of 3516	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	115
PID 4452 wrote to memory of 1392	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	116
PID 4452 wrote to memory of 1392	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	116
PID 4452 wrote to memory of 1392	4452	{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe	116
PID 3516 wrote to memory of 2724	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	117
PID 3516 wrote to memory of 2724	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	117
PID 3516 wrote to memory of 2724	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	117
PID 3516 wrote to memory of 4472	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	118
PID 3516 wrote to memory of 4472	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	118
PID 3516 wrote to memory of 4472	3516	{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe	118
PID 532 wrote to memory of 4776	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	126
PID 532 wrote to memory of 4776	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	126
PID 532 wrote to memory of 4776	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	126
PID 532 wrote to memory of 1908	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	125
PID 532 wrote to memory of 1908	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	125
PID 532 wrote to memory of 1908	532	{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe	125
PID 4776 wrote to memory of 5112	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	128
PID 4776 wrote to memory of 5112	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	128
PID 4776 wrote to memory of 5112	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	128
PID 4776 wrote to memory of 4256	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	127
PID 4776 wrote to memory of 4256	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	127
PID 4776 wrote to memory of 4256	4776	{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe	127
PID 5112 wrote to memory of 404	5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe	129
PID 5112 wrote to memory of 404	5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe	129
PID 5112 wrote to memory of 404	5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe	129
PID 5112 wrote to memory of 456	5112	{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
  C:\Windows\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
    C:\Windows\{8F53E664-3385-44fc-9418-C4F3AE946311}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F53E~1.EXE > nul
      4⤵
      PID:3496
  - - C:\Windows\{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
      C:\Windows\{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
        
        C:\Windows\{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
        
        C:\Windows\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
        
        C:\Windows\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
        
        C:\Windows\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe
        
        C:\Windows\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D740~1.EXE > nul
        10⤵
        
        PID:4720
        
        C:\Windows\{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
        
        C:\Windows\{9DB8A540-ABC9-4921-B5D7-8E9FCF343596}.exe
        10⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB8A~1.EXE > nul
        11⤵
        
        PID:1908
        
        C:\Windows\{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
        
        C:\Windows\{722C10F2-F978-4c12-9760-8DD7E1C506F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{722C1~1.EXE > nul
        12⤵
        
        PID:4256
        
        C:\Windows\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
        
        C:\Windows\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe
        
        C:\Windows\{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF27~1.EXE > nul
        13⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF03F~1.EXE > nul
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCDA~1.EXE > nul
        8⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F30~1.EXE > nul
        7⤵
        
        PID:5040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7AF2~1.EXE > nul
        6⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A90~1.EXE > nul
        5⤵
        
        PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B03D~1.EXE > nul
    3⤵
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B03D64E-6D9C-4082-94A4-61D2241AD9CD}.exe

Filesize
344KB

MD5
cdae87e011de695c167ecc6c9f0d8345

SHA1
6763dc7b5a3963d82e087a6b969bafa726e2878b

SHA256
88b7a97d28896a0c8f2ffa8958f32a0fdaf8457d19d500fd6e92e82e525fe5d3

SHA512
f792c9ff05d10acfe77c542ef8ef6b2a7f5f19392a6a22c82eedc26abcdcc3c7834aec31fbb3a3e6d80a63d17aef33d6be7a811f06a6d1429e6132f9953a7b1f

Download Submit
C:\Windows\{2D7404F2-235F-4548-983E-B7AE1CE3B02A}.exe

Filesize
344KB

MD5
5e63b18b1e5e3e99f3db2a9b2f134bdc

SHA1
95405e8eb8b28dd18e2b123e1e5825fdf36280d3

SHA256
c4aac3b827a80f98fffcbc956488033d6943a863b1a9f77a674b22139aac2d35

SHA512
598f86321f7b86e7e285bd599946e57d309249489f60d41bd3c7aa14c8e67225766fb4e9627f791d611fdc09bb02dc9786d68adcfb391fc84e6176478738d11d

Download Submit
C:\Windows\{2EF278B0-3664-4934-BFCA-A40A5DAEAE14}.exe

Filesize
344KB

MD5
5c33aa476f35001e96cf895104217b70

SHA1
4e11e84702936c799b571032d7ae6b8ee25c1e3c

SHA256
bd61aff0cc238b91e2fda899a6f871721326a728a73e731a078d1d24211e5967

SHA512
76d1be3ac3b845dd1925c0caba01c1c9ff8c2ce524cbd68d6d46c7409644bebb3e901adc58003af4660d07cda28653f2f59b4f8bf41cb91bcfdc162b87d97701

Download Submit
C:\Windows\{40722E17-7DDD-472f-9905-A43CABB4B3AB}.exe

Filesize
344KB

MD5
9d6106f654e5c9d00d0d4041021a5ec8

SHA1
31ba043589f67fcf3a5bee3769270c0bec3db088

SHA256
969dc10452c4061753b5c5041ed57928e8d7de747e2173336bde3615f6ddfb9c

SHA512
60d277f1303a750a3be015b09637f99c687e0d5e31c31efb71f5caf5513b27cb3e1baa3c3e8e0a95d19bf650bdf3da4d09b49f504c3eda2a47f1dbd3523cd58b

Download Submit
C:\Windows\{8F53E664-3385-44fc-9418-C4F3AE946311}.exe

Filesize
344KB

MD5
80e0ffb7bbd78c27cfbadaae1484d998

SHA1
3f741b0facb691ae2ffe40e9d8c9ea6c4bf1403a

SHA256
acbdffc65dd5d4de20cc133b12431953e892d85cafcf2d6ce042459954f9907c

SHA512
d1028308cd5b819da2032f524c29d4a3ebd91de75a988ccb2286cf8142a092ecc4bb8f8f9e63e8b2ac3c43bd7ad707b8e4de4bcde53cb4a0b952f9190bbb09a4

Download Submit
C:\Windows\{8FCDA75A-C900-4e2e-9DFC-590E72F9CDE8}.exe

Filesize
344KB

MD5
e6d256fb09a20e81420d1962195f0618

SHA1
46bb95729223788661d52f5d0f6116c4b8ed868c

SHA256
9c24271230087feb857e31be46f44b064ad6d2b12ceab10ef7f2801ac428c1b9

SHA512
4b2a629672194a097d3ceefd0bc1d31bf84aebc561b9b9bc598a22805ac9ed7f7f8dc7de4fc35b7aac03ed5905e3c6a7914aafd706113ebb45157115dfc4b16a

Download Submit
C:\Windows\{91F3081B-C7A1-4e33-BED6-C0071CDE1C1B}.exe

Filesize
344KB

MD5
45d67513c7872d873b3052b289611b2b

SHA1
1cb9da878f10212906f809033385008c301a63a4

SHA256
680ecd2815447e2e6178aa926f8d9da6cef11692f2578e307746e18b60949793

SHA512
ed8d7ce9fb095dc301661e4053de91325bf44d92a6fe23e721586a01b78d457ddf8f5599970bf2bba8357e1d82d4293db540c1a8305c21ae6821f8d9f8cb6600

Download Submit
C:\Windows\{A7AF2816-048B-4c52-8543-7C14C93D9192}.exe

Filesize
344KB

MD5
0d189fd3dc1ad03389281f4633b79dff

SHA1
e6237f7091a7cc584666d85687d6e9ff8679594a

SHA256
e4882c57cb08214746706b3f9ba43c9624fe50f81dfb81f1a4d08f0685cf835d

SHA512
10fd25f4add2f5ec7b821fbe1490c30bf88551f3a44e5e046999c3ef54a4071ee5384168cf38c6b48c505fa5c707c71ee37fe0fb4aaf65c9ff4dbfd4582ca271

Download Submit
C:\Windows\{CF03F839-CBD8-4692-95BC-DEFA0C6CBAED}.exe

Filesize
344KB

MD5
74238501280cf3611421ce95852fe56a

SHA1
ce0b0059f6c6cea3055e777c7bf7925c2efc10ef

SHA256
cf25b7376308904fff3ed146f6acffd409e60659af4c634328bd70a08a41c62a

SHA512
f6ed83a954d5afe9d927bb9842941278578f92eed08b1ed8f2e9e410fe549e7b6248f4055fcf91e9b40c4033ee3a69bea520a2fbe64cf5c540bd09726e37d763

Download Submit
C:\Windows\{F5A90FE3-923D-499c-A301-8F48B9C2D933}.exe

Filesize
344KB

MD5
8f79596fdbb0d04cea90181f130e47a8

SHA1
877ed7f7b8711f7fd8d23526c6edbe07539cafc8

SHA256
3d1be0694caa554aca3ac906f4444d819a2a9bb18d9dce5081b875876b890146

SHA512
2de5089a2bb6c1c7d889e9de5d87d0f05899a6f047078cfe8bac0d4e600e3cdc7bf50630a1bd36e2088680a77494c5a84f436b5044c2777bca05b6b20788dbf6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads