570d31518061af2b92a8bb384cb61337f372afea40f52d5d4b430f123c8f7df4

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Size

372KB
MD5

670bb9aab03cc7e461497b32357433a5
SHA1

103b04de84891b422f6e207d2416d3c0bbf0fe39
SHA256

570d31518061af2b92a8bb384cb61337f372afea40f52d5d4b430f123c8f7df4
SHA512

80181423ad215e228199a0c6150cbc0f46687f538534b5f5585127635c136a9706ce80ce3a10660dc5d3c79f1a35b4577d3e11b7f22ba914dd18a4a7218be98b
SSDEEP

3072:CEGh0oalMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG8lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}	{7F592928-B966-4089-B634-0914EA9A676A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}\stubpath = "C:\\Windows\\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe"	{7F592928-B966-4089-B634-0914EA9A676A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB7770B-2498-467f-9E25-F45BE18558AE}	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F592928-B966-4089-B634-0914EA9A676A}	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}\stubpath = "C:\\Windows\\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe"	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F592928-B966-4089-B634-0914EA9A676A}\stubpath = "C:\\Windows\\{7F592928-B966-4089-B634-0914EA9A676A}.exe"	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}\stubpath = "C:\\Windows\\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe"	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB7770B-2498-467f-9E25-F45BE18558AE}\stubpath = "C:\\Windows\\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe"	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E784C42-A845-46de-8C01-583BB58D89DD}\stubpath = "C:\\Windows\\{1E784C42-A845-46de-8C01-583BB58D89DD}.exe"	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}	{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}\stubpath = "C:\\Windows\\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe"	{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}\stubpath = "C:\\Windows\\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe"	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E784C42-A845-46de-8C01-583BB58D89DD}	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DC3F60-9451-4746-A7B9-44B866B23830}	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DC3F60-9451-4746-A7B9-44B866B23830}\stubpath = "C:\\Windows\\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe"	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe
2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
2264	{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
2060	{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
File created	C:\Windows\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	{7F592928-B966-4089-B634-0914EA9A676A}.exe
File created	C:\Windows\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
File created	C:\Windows\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
File created	C:\Windows\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe	{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
File created	C:\Windows\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
File created	C:\Windows\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
File created	C:\Windows\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
File created	C:\Windows\{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe
Token: SeIncBasePriorityPrivilege	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
Token: SeIncBasePriorityPrivilege	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
Token: SeIncBasePriorityPrivilege	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
Token: SeIncBasePriorityPrivilege	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
Token: SeIncBasePriorityPrivilege	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
Token: SeIncBasePriorityPrivilege	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
Token: SeIncBasePriorityPrivilege	2264	{46DC3F60-9451-4746-A7B9-44B866B23830}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2156	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	30
PID 2664 wrote to memory of 2156	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	30
PID 2664 wrote to memory of 2156	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	30
PID 2664 wrote to memory of 2156	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	30
PID 2156 wrote to memory of 2456	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	32
PID 2156 wrote to memory of 2456	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	32
PID 2156 wrote to memory of 2456	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	32
PID 2156 wrote to memory of 2456	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	32
PID 2664 wrote to memory of 2612	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	31
PID 2664 wrote to memory of 2612	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	31
PID 2664 wrote to memory of 2612	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	31
PID 2664 wrote to memory of 2612	2664	2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe	31
PID 2156 wrote to memory of 2540	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	33
PID 2156 wrote to memory of 2540	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	33
PID 2156 wrote to memory of 2540	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	33
PID 2156 wrote to memory of 2540	2156	{7F592928-B966-4089-B634-0914EA9A676A}.exe	33
PID 2456 wrote to memory of 764	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	34
PID 2456 wrote to memory of 764	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	34
PID 2456 wrote to memory of 764	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	34
PID 2456 wrote to memory of 764	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	34
PID 2456 wrote to memory of 1476	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	35
PID 2456 wrote to memory of 1476	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	35
PID 2456 wrote to memory of 1476	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	35
PID 2456 wrote to memory of 1476	2456	{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe	35
PID 764 wrote to memory of 3000	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	37
PID 764 wrote to memory of 3000	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	37
PID 764 wrote to memory of 3000	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	37
PID 764 wrote to memory of 3000	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	37
PID 764 wrote to memory of 2044	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	36
PID 764 wrote to memory of 2044	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	36
PID 764 wrote to memory of 2044	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	36
PID 764 wrote to memory of 2044	764	{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe	36
PID 3000 wrote to memory of 1352	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	38
PID 3000 wrote to memory of 1352	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	38
PID 3000 wrote to memory of 1352	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	38
PID 3000 wrote to memory of 1352	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	38
PID 3000 wrote to memory of 2868	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	39
PID 3000 wrote to memory of 2868	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	39
PID 3000 wrote to memory of 2868	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	39
PID 3000 wrote to memory of 2868	3000	{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe	39
PID 1352 wrote to memory of 1764	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	41
PID 1352 wrote to memory of 1764	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	41
PID 1352 wrote to memory of 1764	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	41
PID 1352 wrote to memory of 1764	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	41
PID 1352 wrote to memory of 2884	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	40
PID 1352 wrote to memory of 2884	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	40
PID 1352 wrote to memory of 2884	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	40
PID 1352 wrote to memory of 2884	1352	{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe	40
PID 1764 wrote to memory of 1896	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	42
PID 1764 wrote to memory of 1896	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	42
PID 1764 wrote to memory of 1896	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	42
PID 1764 wrote to memory of 1896	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	42
PID 1764 wrote to memory of 1248	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	43
PID 1764 wrote to memory of 1248	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	43
PID 1764 wrote to memory of 1248	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	43
PID 1764 wrote to memory of 1248	1764	{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe	43
PID 1896 wrote to memory of 2264	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	45
PID 1896 wrote to memory of 2264	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	45
PID 1896 wrote to memory of 2264	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	45
PID 1896 wrote to memory of 2264	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	45
PID 1896 wrote to memory of 1888	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	44
PID 1896 wrote to memory of 1888	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	44
PID 1896 wrote to memory of 1888	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	44
PID 1896 wrote to memory of 1888	1896	{1E784C42-A845-46de-8C01-583BB58D89DD}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_670bb9aab03cc7e461497b32357433a5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe
  C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
    C:\Windows\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
      C:\Windows\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DCF6~1.EXE > nul
        5⤵
        
        PID:2044
    - - C:\Windows\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
        
        C:\Windows\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
        
        C:\Windows\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6CA1~1.EXE > nul
        7⤵
        
        PID:2884
        
        C:\Windows\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
        
        C:\Windows\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
        
        C:\Windows\{1E784C42-A845-46de-8C01-583BB58D89DD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E784~1.EXE > nul
        9⤵
        
        PID:1888
        
        C:\Windows\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
        
        C:\Windows\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe
        
        C:\Windows\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe
        10⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB71B~1.EXE > nul
        11⤵
        
        PID:1716
        
        C:\Windows\{50E335B7-82CB-4352-AAFE-06E6B3901ED0}.exe
        
        C:\Windows\{50E335B7-82CB-4352-AAFE-06E6B3901ED0}.exe
        11⤵
        
        PID:1904
        
        C:\Windows\{18B71054-D8F0-4061-8CAA-62F9D5D9D662}.exe
        
        C:\Windows\{18B71054-D8F0-4061-8CAA-62F9D5D9D662}.exe
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50E33~1.EXE > nul
        12⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DC3~1.EXE > nul
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CB77~1.EXE > nul
        8⤵
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{736D5~1.EXE > nul
        6⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA99~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F592~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18B71054-D8F0-4061-8CAA-62F9D5D9D662}.exe

Filesize
44KB

MD5
e1d2de0e4eb6fd728633065da04cafcd

SHA1
c812d820b8cac69f2e17a4614467c9899f1a06f6

SHA256
9212dc2b8540552e93557b54a197a6d6421079a74d8f4b2a2527a807efbcec6f

SHA512
2706962519b4f14c8780b8124fbc4af5f8bad68e0e86b756d127e3df8b13dbcdd3f2dfb099616abba0ff088bafd61bf31c3663f08649c0c95855bb75b8da8a8f

Download Submit
C:\Windows\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe

Filesize
372KB

MD5
80e9e27f85a05a9804bbaa4c6673af80

SHA1
ac6695815bb120aa027896f26871d0b09abb6597

SHA256
8fb59e7402aef6deb7e595a19e488983fb2e0a5b8228f7e354fdc108fa2b023b

SHA512
6f8fa92751c99e10a81a58d251a0d809c3a45b043bbc41ba511886d38869ff644e69ac6e7e614c95ec8a2ba599e91e681a3a619b84a1e5bb9978804630244156

Download Submit
C:\Windows\{1CB7770B-2498-467f-9E25-F45BE18558AE}.exe

Filesize
11KB

MD5
8ea12ee5000731d11fedd24fab1fa9e7

SHA1
399c15a3842255185d0f58f309debeb894705a9a

SHA256
18c9e8286316dfa68965305e27185297fe41f18fb98f6468651cf0d72754f631

SHA512
07f785dcbd4715ce3ddc1eb0fccb0e91fe4b4923bfcd794269930825d8f0689b87ad44d0c94b4f2a2952d39878d8714ccb881fbaaea7751183fb283dc68064ee

Download Submit
C:\Windows\{1E784C42-A845-46de-8C01-583BB58D89DD}.exe

Filesize
5KB

MD5
897f8900e6a2d2ca951117cc3b95f422

SHA1
409736eda0ee5cd7dfd0c2396c4725a031291055

SHA256
28b32be9ebce1eb87e5158906c1bf60ab7ed65498368309a798fed8eaea8cf8d

SHA512
6e56f2d22a6e32a1eeee2a7140ad258aa3499d45f22f2fd45d6be739db5eff66317e1ca8db430fccf0b5c3de27dda635f64ec9442eb89e52a265b572891b2bd5

Download Submit
C:\Windows\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe

Filesize
12KB

MD5
8db6db853ca0101e7b8dd6e202bca2de

SHA1
6fd4d0262f558db17cfe9511bad1e1bc8221575b

SHA256
1018a49b8611b9ee9bb0cd863d2d27afa0cf2554ab556996441b23c517fc4532

SHA512
d1344d51edc4d62fae809dd5e6d52068ecb8d9b534127e7ef650800649dcfbd818736c0cfb9c6abd05f7cbb0c5c3da1006ed5a082af213318011bb58b9ab3b6e

Download Submit
C:\Windows\{46DC3F60-9451-4746-A7B9-44B866B23830}.exe

Filesize
67KB

MD5
a037f7021ae24034eceb62a438de3685

SHA1
f8db2236738dccf633a61af369fccf20cd405685

SHA256
20cb2a794a77fb7e65c0a1b33d2a9be694d46f23c205e39383e75e2b805b58d7

SHA512
4d2fd91298d530d734d4eaee00e8f33d1fb5ac14fffe713b0274b221f87731c6880dc56f76eb98f4f5c110035f352293dd429dbef9d87520055bf59b89700d73

Download Submit
C:\Windows\{4DCF6351-1735-405b-AD3B-0EA681F04E4B}.exe

Filesize
372KB

MD5
9af191c21f3ec271e319405f218c156b

SHA1
98db7ef37a1aa0e10ec0a3a245207f3a4df30503

SHA256
77f889e9e89001ef40a8b92a14aca4d00b123d925a30477f1ce9ee4586e93a0a

SHA512
a30d328693bf978b786634e67de1a731a166659825f65dd63c407e9fdfb7b3001dbc8fff8501e6cf2f9b8a5ea6c6bc5e84a20ee39cd448dbba05d4b4a48dc4e9

Download Submit
C:\Windows\{50E335B7-82CB-4352-AAFE-06E6B3901ED0}.exe

Filesize
21KB

MD5
3fd4a0bb59d656ab198c65766ffb7870

SHA1
b967a1ab5eb073fc6c760ad9280ab6c9e13af969

SHA256
4af14a6c11f8406e04ed3098525e323e64741fae5ec556bdf8394f4c415e7de6

SHA512
bb8bc5450869e82404aef815fc737148f8acdc55de27117446f17b09d80f4a2354ee8e415be5a2214a2faa120445df33cc38b70c7370d5c7b1040f19f079c402

Download Submit
C:\Windows\{736D5F4A-42DA-46f2-A9CB-E014DEF413F6}.exe

Filesize
372KB

MD5
6e69e3ebf6ecaba0baeafeb3207ebe8f

SHA1
bbfae2d3e0128d25c3f6806f45ab218d26110d76

SHA256
a5388c0a81394da03a07480cc5bc8ccc4fe1fde9281ecb7f8f6452cb68787263

SHA512
d38748725ba0617e30b00f72af3bf37d631bf74c169a8316b37f2e53ae942fbafc963ab173f8215ad0c5f555de14fd529f1a383d608121a81e61a2f8831aa7b3

Download Submit
C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe

Filesize
1KB

MD5
e390d5e1c9a5f95b99521de37c76e69b

SHA1
37cde85109a08b3b0d68aef382e00b09f3768e2d

SHA256
80ca884b931bb88ac3c9c819bf370704a34239361066e032d31c01fe2e1ee4c6

SHA512
fad1ef08769adc38455e2b5a614e36854b41144719f164202398888d97d387dac4c98de29088b222fb2756fe416ef6deb4fdf88649aa55ea91de4927542f8e69

Download Submit
C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe

Filesize
23KB

MD5
90f84fe9fafd1f689d7b79ff9a8d1d38

SHA1
bd185fb400a5f37f1d208169fa2bb635f3ee98f3

SHA256
236fdc60f8f6118c472461e2e7d060257979f5782554d47261948fe2703bcec3

SHA512
1879a556088ab4583149787e028dd0ff272ed37b8f0966b9411559b948a0086750b028dce3fcb893dad5eddd25b46711babdda2f6de4f27a5c4457cd31756e6b

Download Submit
C:\Windows\{7F592928-B966-4089-B634-0914EA9A676A}.exe

Filesize
128KB

MD5
332db3018e79a4c2dd5d2ee741fddf8b

SHA1
d9c0280904f643b10e1bd49e496b4af0861060af

SHA256
c3961461bbbe74c1930769e6fb0675866d02deaa948e221e083f14f4195c1a12

SHA512
bd752b4c28efd38fe3a114d2b5518b886f94bb8654b72cf6b0065374946bc13d2d9205ef2fc5b5fc7ab9f781480713a383c0e3e2e2f8f2a111982b47b9114f8a

Download Submit
C:\Windows\{E6CA1699-DDB6-45bc-BC9C-0CB257BA31AF}.exe

Filesize
372KB

MD5
378761ce3e2a8deea6eeb4d860feafda

SHA1
53da407642c6ae1c782b93132c24a9d5ecf13bc8

SHA256
fc6f4e881b6f97dca5438685baabcba107bd788e385d357b44238161da797c8c

SHA512
9b458044ebe7ee13f3af944098a6d9e1a930d82a7172d79714a1df0e3742d38e8415c93163c8e38468d1e20dd60ff9cf46019f12c83c4386b1498fede7df885b

Download Submit
C:\Windows\{EBA99C12-88C1-4496-AEC8-31D627E6ABBF}.exe

Filesize
372KB

MD5
373d83112487a3947f33b174fbbeb533

SHA1
7774a9a6cdcd96d2b30cf77d416972108b9326a1

SHA256
e98794d7e9931d7923e43c1ffc37dd877df4113c88e83f42c1b1c4207e69113e

SHA512
82e0540a46af32ed578b04397e2b341f2550356c4318fa5eeddd4580166ec8a5189e08aa1add7af83df1a7b0ccef923416fbb4ce099b7c3b48550433dca46037

Download Submit
C:\Windows\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe

Filesize
40KB

MD5
a5f18a38b8a9c44b98effea969edcd53

SHA1
af301b1cde29b3dad216e2bdb9db259f57386134

SHA256
085c46ae60787566e0fa3461db67b330d16c359e2a1041acc3a28444ed45187e

SHA512
f98213cfc5e513c5bdf86a6f3c02437a76784aace2615538faf154ac0f3b79e4289bb31a98ab3edb3123e3ee2014a0b5ce41bb8ec4acee8aad40779a58332525

Download Submit
C:\Windows\{FB71BC54-A344-40e7-8CA5-51F2032FC4C8}.exe

Filesize
39KB

MD5
d3fc1eea050e8dd1f371fe0ecaa89395

SHA1
5abc1d280705c2b3adbe787164f75dc91d21df81

SHA256
2ae6766e0677cabc9f84c5f08aae86fd4da1b5c755a6b96e8441d1fa656c59f2

SHA512
43243ae1b6016078a5c8933461331e23cd190f5ff66b69d0b33af6f6adce05bb4410322aa4445ed956eff5783fc63c38d6a6c9967be911c750b63bd3ee756888

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads