0daf9fad0b1cd00cd699c7e98083a9fb574b3013a7bed80668864522a28b0852

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Size

168KB
MD5

0c12ca2e409da390bc1b6764252c7153
SHA1

0b21435a7fef4bb88a71da2f0f397ad6213baccf
SHA256

0daf9fad0b1cd00cd699c7e98083a9fb574b3013a7bed80668864522a28b0852
SHA512

882f94dd7857ac77c2b3357b83e8b4de9ff80d2f9556694f5a9669f2e6972dd9a36d8865a5c4052328697c46ae6d6a8951bddaa06a2d1048abe40de901286d72
SSDEEP

1536:1EGh0oUlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oUlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3141FF17-A484-43a9-946D-13E67A1D8BEE}	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{753F5902-424E-4e56-932A-14F1CFC8FA8E}	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4FB7288-766C-449c-A50D-B5125680DA85}\stubpath = "C:\\Windows\\{E4FB7288-766C-449c-A50D-B5125680DA85}.exe"	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}\stubpath = "C:\\Windows\\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe"	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}\stubpath = "C:\\Windows\\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe"	{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}\stubpath = "C:\\Windows\\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe"	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}\stubpath = "C:\\Windows\\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe"	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4FB7288-766C-449c-A50D-B5125680DA85}	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}\stubpath = "C:\\Windows\\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe"	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}	{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}\stubpath = "C:\\Windows\\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe"	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}\stubpath = "C:\\Windows\\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe"	{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}\stubpath = "C:\\Windows\\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe"	{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3141FF17-A484-43a9-946D-13E67A1D8BEE}\stubpath = "C:\\Windows\\{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe"	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{753F5902-424E-4e56-932A-14F1CFC8FA8E}\stubpath = "C:\\Windows\\{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe"	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}	{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}	{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
2564	{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
1552	{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
2340	{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe
2928	{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
File created	C:\Windows\{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
File created	C:\Windows\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
File created	C:\Windows\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe	{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe
File created	C:\Windows\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
File created	C:\Windows\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
File created	C:\Windows\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
File created	C:\Windows\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe	{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
File created	C:\Windows\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe	{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
File created	C:\Windows\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
File created	C:\Windows\{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
Token: SeIncBasePriorityPrivilege	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
Token: SeIncBasePriorityPrivilege	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
Token: SeIncBasePriorityPrivilege	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
Token: SeIncBasePriorityPrivilege	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
Token: SeIncBasePriorityPrivilege	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
Token: SeIncBasePriorityPrivilege	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
Token: SeIncBasePriorityPrivilege	2564	{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
Token: SeIncBasePriorityPrivilege	1552	{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
Token: SeIncBasePriorityPrivilege	2340	{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2904	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	28
PID 2964 wrote to memory of 2904	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	28
PID 2964 wrote to memory of 2904	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	28
PID 2964 wrote to memory of 2904	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	28
PID 2964 wrote to memory of 2780	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	29
PID 2964 wrote to memory of 2780	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	29
PID 2964 wrote to memory of 2780	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	29
PID 2964 wrote to memory of 2780	2964	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	29
PID 2904 wrote to memory of 2836	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	32
PID 2904 wrote to memory of 2836	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	32
PID 2904 wrote to memory of 2836	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	32
PID 2904 wrote to memory of 2836	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	32
PID 2904 wrote to memory of 2620	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	33
PID 2904 wrote to memory of 2620	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	33
PID 2904 wrote to memory of 2620	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	33
PID 2904 wrote to memory of 2620	2904	{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe	33
PID 2836 wrote to memory of 2844	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	34
PID 2836 wrote to memory of 2844	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	34
PID 2836 wrote to memory of 2844	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	34
PID 2836 wrote to memory of 2844	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	34
PID 2836 wrote to memory of 2608	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	35
PID 2836 wrote to memory of 2608	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	35
PID 2836 wrote to memory of 2608	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	35
PID 2836 wrote to memory of 2608	2836	{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe	35
PID 2844 wrote to memory of 2532	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	36
PID 2844 wrote to memory of 2532	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	36
PID 2844 wrote to memory of 2532	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	36
PID 2844 wrote to memory of 2532	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	36
PID 2844 wrote to memory of 2144	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	37
PID 2844 wrote to memory of 2144	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	37
PID 2844 wrote to memory of 2144	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	37
PID 2844 wrote to memory of 2144	2844	{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe	37
PID 2532 wrote to memory of 652	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	38
PID 2532 wrote to memory of 652	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	38
PID 2532 wrote to memory of 652	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	38
PID 2532 wrote to memory of 652	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	38
PID 2532 wrote to memory of 588	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	39
PID 2532 wrote to memory of 588	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	39
PID 2532 wrote to memory of 588	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	39
PID 2532 wrote to memory of 588	2532	{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe	39
PID 652 wrote to memory of 3040	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	40
PID 652 wrote to memory of 3040	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	40
PID 652 wrote to memory of 3040	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	40
PID 652 wrote to memory of 3040	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	40
PID 652 wrote to memory of 2372	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	41
PID 652 wrote to memory of 2372	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	41
PID 652 wrote to memory of 2372	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	41
PID 652 wrote to memory of 2372	652	{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe	41
PID 3040 wrote to memory of 764	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	42
PID 3040 wrote to memory of 764	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	42
PID 3040 wrote to memory of 764	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	42
PID 3040 wrote to memory of 764	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	42
PID 3040 wrote to memory of 1124	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	43
PID 3040 wrote to memory of 1124	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	43
PID 3040 wrote to memory of 1124	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	43
PID 3040 wrote to memory of 1124	3040	{E4FB7288-766C-449c-A50D-B5125680DA85}.exe	43
PID 764 wrote to memory of 2564	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	44
PID 764 wrote to memory of 2564	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	44
PID 764 wrote to memory of 2564	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	44
PID 764 wrote to memory of 2564	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	44
PID 764 wrote to memory of 1544	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	45
PID 764 wrote to memory of 1544	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	45
PID 764 wrote to memory of 1544	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	45
PID 764 wrote to memory of 1544	764	{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
  C:\Windows\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
    C:\Windows\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
      C:\Windows\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
        
        C:\Windows\{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
        
        C:\Windows\{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
        
        C:\Windows\{E4FB7288-766C-449c-A50D-B5125680DA85}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
        
        C:\Windows\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
        
        C:\Windows\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A12C4~1.EXE > nul
        10⤵
        
        PID:1428
        
        C:\Windows\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
        
        C:\Windows\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe
        
        C:\Windows\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe
        
        C:\Windows\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe
        12⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36A85~1.EXE > nul
        12⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37FC7~1.EXE > nul
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7A93~1.EXE > nul
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4FB7~1.EXE > nul
        8⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{753F5~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3141F~1.EXE > nul
        6⤵
        
        PID:588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2EE6~1.EXE > nul
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9EAC~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08836~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08836F67-4648-43a7-B7A4-0D7AA9131A5A}.exe

Filesize
168KB

MD5
18ccbf932a1c959043d634121df3dedd

SHA1
fab85e92c60f28cbb47aea51ae768bba9a5df6dc

SHA256
f8ab727f93b7c524c37e58929f893ad73f7c7669d38a1acb43df091a61f6c1d9

SHA512
79ca14a862b69d9855401923cabb5bec99adee97614319c097ddbc73c1343ccd3a5a7e5f1cb9417334ac66eff56c72db30ecb83db39b865792ba247896e74f5d

Download Submit
C:\Windows\{3141FF17-A484-43a9-946D-13E67A1D8BEE}.exe

Filesize
168KB

MD5
68d20088d67509ff44a850549498fcdf

SHA1
c4e3641468dffe39bdaf41e8de03f5208202a3db

SHA256
01b4b5a7d6109a9d2d9597dec4d78df3d1f9304c92438388e9399efecd215a02

SHA512
15fb0bfb812b8faba7765703c6563b078f39ddf21c506e93df598736742ef1bb23ffb7a9aa76c0f9bd507e21146d0d4c1d2aedbe52e50e54ac2f88a5335b39cf

Download Submit
C:\Windows\{36A85D05-2B5B-41b0-BB4C-9EFB83997E87}.exe

Filesize
168KB

MD5
312c6e1237d15f538236867535a4e05e

SHA1
919b217e76060ef4bf65cf55575d09f7b27c002f

SHA256
27706fa0040b6918fe7af986c4a97ed2078d45ec1bba2915bccdad47d834d7be

SHA512
cadfcc21dd1d67e7ac5c45ea11c46a878d4f05b820eca76d59b2d7922f0c60e675e8ebad3daf5eb80e759b2420fac0d7184882f0ef70d1441f4e20bf087add78

Download Submit
C:\Windows\{37FC7AF7-E3DA-45b6-A9A2-EB5496A2BA5B}.exe

Filesize
168KB

MD5
cc08bff0da18581d7c28a144e061d65e

SHA1
7f421975409f502b2d16febd622eeb6b46312c18

SHA256
90a66ee8210163677d529c153c19a4515c2286a3d979053eed574aa16a2fc1b1

SHA512
ad69b7d1b21712d61f0243f62aa158c35dfc2e089c7705d7a72ddce6fc6292782ec2e7610e2e70b8a6f00c63f525d19a8b273c0ec39ae55308f0106cbaf8c125

Download Submit
C:\Windows\{4F05EAE7-6231-4c22-976E-90F4D7E3A670}.exe

Filesize
168KB

MD5
69cff3382eba0c1ecb234df86a24a36f

SHA1
b608f959efe365692416aeb1f1e8d14d8ebd9a94

SHA256
9dd7abc1d0e53b3e70921f03b876a3df39ab45efba65bbcd025d7c9c4c018bef

SHA512
5473b6736c4ec3b98db3a79c13d6785757a31274809bcea0f96c4ae0cdf49a775d6385fbbccb35a10dcbd6b8a66fde35cdd00a8bcdd61b1e9e3e3a24e773b821

Download Submit
C:\Windows\{753F5902-424E-4e56-932A-14F1CFC8FA8E}.exe

Filesize
168KB

MD5
86a833401836048fe3fb68107550f071

SHA1
f0d631864cfcd147725ec33ea74eb11cfaf33fec

SHA256
0937f0baf368734ae3c3a71ef5e0b64c027d31d8cc4642c58af19596b2589fe9

SHA512
b9165f8f6435be3b3590ad6c5f7e745c7e9861f0e3aef11f8b2c36ac7b04ca4f515e809bef27c6d7bba4f91d8d71e22c84031d2c58c549f17c4307318c56ec4a

Download Submit
C:\Windows\{A12C4CE7-06DE-42cd-BDEE-579755A46C45}.exe

Filesize
168KB

MD5
7da4f6ad7cd74aafa2a44998993153ac

SHA1
58b2bed1c93188dcc3da97fc6f91f2ea22a4ca95

SHA256
16539dcf08abb51282fb9b368d68c634076f8e0248789eda5a68a0598b434609

SHA512
718dacdd85dd9ac90e4a80273777586001e9a5dbb564bd9af5ddefd8677b26f973e8fc640555f3fbe187408cc1341c1db1b7cac4f9c8c489b920cc43d030f463

Download Submit
C:\Windows\{A9EAC0B8-3D61-47ef-8AE7-50EAAA3469F3}.exe

Filesize
168KB

MD5
8ec167c3fe64b301d23c4284a9ccdf90

SHA1
5d0825373047e6c5d32e16d99f1bb1a9c03d71e4

SHA256
c43c9a69deaba61e13948ad49020bd441a0fb4feb3e6bb97610af500baeaa31b

SHA512
967e2c8c021c1c6d774335dfd81c3e0d996b3f3de744e769966e9c3a8ae48ddcd1f80a7c14dcf0fd102c599747a3e34c6c117c2842fca558071ef27c2a162b54

Download Submit
C:\Windows\{D7A93097-5E6F-4a58-9496-6C2DD1A4D65F}.exe

Filesize
168KB

MD5
60253a060da60bbd156d499719914474

SHA1
45213d665b90471e362d963f3ef3362ed219fe9e

SHA256
f1dcdefddfe50dba4c0290745386b765fcb794f05b0894fc94ab44e1cc90a303

SHA512
f049f885492a5cd5c57637698519aa5275095f4e307e5946852458643276d7d0459dcf971b7b174853a7bd8fb1a7cf3615997f3325ab3d21effe012bdf6d9160

Download Submit
C:\Windows\{E4FB7288-766C-449c-A50D-B5125680DA85}.exe

Filesize
168KB

MD5
36fd2a7b40fb6a6a214fe46e1465fe0e

SHA1
4c35d41da01ce5d712b01acd5be409cde70a9b13

SHA256
9b520551b678f54c17d20a53f39609e80be917304eb2f59c021ad4ac8fbcbaf3

SHA512
6e449cca731263a2d9b77aa8fad4659bb3f26f6b4d09860d9c10d6b9a6d163e2e54ba16043231fa4bf46c8cc082e2156db567a5f47eb35f360c416cab7dbce9d

Download Submit
C:\Windows\{F2EE68AD-EC94-43ab-8BF0-E327BDC90C1A}.exe

Filesize
168KB

MD5
c6e3827caad060f991ffec25d95b77c6

SHA1
3677a93d944308534c8e508b4ba1cd56e0adfafc

SHA256
b762cbdbd2e8ab992ce3e4a2c23016e5a725dc058cf9bfac1ee21501545d5f4d

SHA512
abbe98252c1b66794f46693bb7377c18be2b02bc8023e2a03ade0e42c3254ae33940658dc8fba18c770a3aad281c80c1e97ec658c44eafe2050fccbb7fc5ffaa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads