8d8cfa7ae9eabe679f647cc14f73f4e999ea9052dd1e99364006fefb5eb2c6a9

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Size

192KB
MD5

587bd66e4678def8d01ae189dec11eff
SHA1

39e7248ddf502ca93c1d18aefdaafc9ec21ab933
SHA256

8d8cfa7ae9eabe679f647cc14f73f4e999ea9052dd1e99364006fefb5eb2c6a9
SHA512

b81238cf34efaf286a916b0949eb07df84f5923b788d1dca69fd7d2d913e29e18a19644ceeb1db1abb39e4d7b60c2554a5a0b4e40619b43bb49c8e3365bd0dad
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oBl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{306E7543-1E15-4845-A019-2F7D5FC3774F}	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}\stubpath = "C:\\Windows\\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe"	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}	{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}\stubpath = "C:\\Windows\\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe"	{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A87C50F-E854-48d0-9390-83E5A88745CF}\stubpath = "C:\\Windows\\{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe"	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}\stubpath = "C:\\Windows\\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe"	{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}\stubpath = "C:\\Windows\\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe"	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}\stubpath = "C:\\Windows\\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe"	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F78BEEFD-8289-44fb-A436-FD0726D57635}	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2A852D-5F50-4462-99A2-57035F6E7491}	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59504FC7-B15E-4c49-92FE-973724089D34}	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59504FC7-B15E-4c49-92FE-973724089D34}\stubpath = "C:\\Windows\\{59504FC7-B15E-4c49-92FE-973724089D34}.exe"	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{306E7543-1E15-4845-A019-2F7D5FC3774F}\stubpath = "C:\\Windows\\{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe"	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F78BEEFD-8289-44fb-A436-FD0726D57635}\stubpath = "C:\\Windows\\{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe"	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2A852D-5F50-4462-99A2-57035F6E7491}\stubpath = "C:\\Windows\\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe"	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}	{59504FC7-B15E-4c49-92FE-973724089D34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}\stubpath = "C:\\Windows\\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe"	{59504FC7-B15E-4c49-92FE-973724089D34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}	{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A87C50F-E854-48d0-9390-83E5A88745CF}	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
1524	{59504FC7-B15E-4c49-92FE-973724089D34}.exe
2296	{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
540	{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
1400	{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
File created	C:\Windows\{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
File created	C:\Windows\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
File created	C:\Windows\{59504FC7-B15E-4c49-92FE-973724089D34}.exe	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
File created	C:\Windows\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe	{59504FC7-B15E-4c49-92FE-973724089D34}.exe
File created	C:\Windows\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe	{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
File created	C:\Windows\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
File created	C:\Windows\{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
File created	C:\Windows\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe	{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
File created	C:\Windows\{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
File created	C:\Windows\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
Token: SeIncBasePriorityPrivilege	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
Token: SeIncBasePriorityPrivilege	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
Token: SeIncBasePriorityPrivilege	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
Token: SeIncBasePriorityPrivilege	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
Token: SeIncBasePriorityPrivilege	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
Token: SeIncBasePriorityPrivilege	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
Token: SeIncBasePriorityPrivilege	1524	{59504FC7-B15E-4c49-92FE-973724089D34}.exe
Token: SeIncBasePriorityPrivilege	2296	{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
Token: SeIncBasePriorityPrivilege	540	{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2416	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	28
PID 1708 wrote to memory of 2416	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	28
PID 1708 wrote to memory of 2416	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	28
PID 1708 wrote to memory of 2416	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	28
PID 1708 wrote to memory of 2752	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	29
PID 1708 wrote to memory of 2752	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	29
PID 1708 wrote to memory of 2752	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	29
PID 1708 wrote to memory of 2752	1708	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	29
PID 2416 wrote to memory of 2912	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	30
PID 2416 wrote to memory of 2912	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	30
PID 2416 wrote to memory of 2912	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	30
PID 2416 wrote to memory of 2912	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	30
PID 2416 wrote to memory of 2920	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	31
PID 2416 wrote to memory of 2920	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	31
PID 2416 wrote to memory of 2920	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	31
PID 2416 wrote to memory of 2920	2416	{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe	31
PID 2912 wrote to memory of 2216	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	32
PID 2912 wrote to memory of 2216	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	32
PID 2912 wrote to memory of 2216	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	32
PID 2912 wrote to memory of 2216	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	32
PID 2912 wrote to memory of 2776	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	33
PID 2912 wrote to memory of 2776	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	33
PID 2912 wrote to memory of 2776	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	33
PID 2912 wrote to memory of 2776	2912	{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe	33
PID 2216 wrote to memory of 1720	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	36
PID 2216 wrote to memory of 1720	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	36
PID 2216 wrote to memory of 1720	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	36
PID 2216 wrote to memory of 1720	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	36
PID 2216 wrote to memory of 2852	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	37
PID 2216 wrote to memory of 2852	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	37
PID 2216 wrote to memory of 2852	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	37
PID 2216 wrote to memory of 2852	2216	{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe	37
PID 1720 wrote to memory of 2992	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	38
PID 1720 wrote to memory of 2992	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	38
PID 1720 wrote to memory of 2992	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	38
PID 1720 wrote to memory of 2992	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	38
PID 1720 wrote to memory of 1592	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	39
PID 1720 wrote to memory of 1592	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	39
PID 1720 wrote to memory of 1592	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	39
PID 1720 wrote to memory of 1592	1720	{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe	39
PID 2992 wrote to memory of 808	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	40
PID 2992 wrote to memory of 808	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	40
PID 2992 wrote to memory of 808	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	40
PID 2992 wrote to memory of 808	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	40
PID 2992 wrote to memory of 1632	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	41
PID 2992 wrote to memory of 1632	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	41
PID 2992 wrote to memory of 1632	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	41
PID 2992 wrote to memory of 1632	2992	{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe	41
PID 808 wrote to memory of 2500	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	42
PID 808 wrote to memory of 2500	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	42
PID 808 wrote to memory of 2500	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	42
PID 808 wrote to memory of 2500	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	42
PID 808 wrote to memory of 308	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	43
PID 808 wrote to memory of 308	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	43
PID 808 wrote to memory of 308	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	43
PID 808 wrote to memory of 308	808	{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe	43
PID 2500 wrote to memory of 1524	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	44
PID 2500 wrote to memory of 1524	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	44
PID 2500 wrote to memory of 1524	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	44
PID 2500 wrote to memory of 1524	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	44
PID 2500 wrote to memory of 1412	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	45
PID 2500 wrote to memory of 1412	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	45
PID 2500 wrote to memory of 1412	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	45
PID 2500 wrote to memory of 1412	2500	{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
  C:\Windows\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
    C:\Windows\{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
      C:\Windows\{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
        
        C:\Windows\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
        
        C:\Windows\{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
        
        C:\Windows\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
        
        C:\Windows\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{59504FC7-B15E-4c49-92FE-973724089D34}.exe
        
        C:\Windows\{59504FC7-B15E-4c49-92FE-973724089D34}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
        
        C:\Windows\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
        
        C:\Windows\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe
        
        C:\Windows\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60762~1.EXE > nul
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E1BA~1.EXE > nul
        11⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59504~1.EXE > nul
        10⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE2A8~1.EXE > nul
        9⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1849~1.EXE > nul
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F78BE~1.EXE > nul
        7⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{127A8~1.EXE > nul
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{306E7~1.EXE > nul
        5⤵
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A87C~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CBE7E~1.EXE > nul
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{127A83B4-7D41-4fb3-BA81-4581AAE6A87B}.exe

Filesize
192KB

MD5
d561962cf3af1311379d19ee88ef3939

SHA1
408e441a0fcdd623e2a563e5802ac435982923bc

SHA256
a7f672b12bdaa19b9555a3db63c0fff9ac8b675b533c8bc9a842bb24ff6f792e

SHA512
989d9977e81babda780d8bafbe2850ace6c79f1dd5681d957e6aa1dc9c2a25cd472c3c43aa9ee825e99bce54f5f13ef98847d46520fae77e758059a50b759a96

Download Submit
C:\Windows\{1A87C50F-E854-48d0-9390-83E5A88745CF}.exe

Filesize
192KB

MD5
0feaa8f9d6faeed508ecbac39fc1dde2

SHA1
b425a9a6f2f77822424ee5d865c002cc83b0008f

SHA256
5c51dc1fadd36e3a0cde2f4c5766f1f533df346a6b582d43582185820da5701a

SHA512
93f3226f5aaaf4d3d5a5b2bfb41eb4ef69e38c2fd174d2964aae9716b908dda1376d52f2326d828710a50490196676a67101ffc1cb97b384a1ad59e4b20d9c86

Download Submit
C:\Windows\{306E7543-1E15-4845-A019-2F7D5FC3774F}.exe

Filesize
192KB

MD5
110ddd4a573094d4c3c1da2793a6270f

SHA1
65d593b76019633cd299799de5c361f70bf99b51

SHA256
53224efd52b1d0ce736a9968685debf01e1b40a093d021f6820843fb9d327618

SHA512
21f4059ae5d3dda481836910c8fc39cf07430ead819ee812a90fe3038c2d649cc1659e1421ce6e23991d72a1186961057b553c3dd46c03214e0000c7ebb8ce98

Download Submit
C:\Windows\{59504FC7-B15E-4c49-92FE-973724089D34}.exe

Filesize
192KB

MD5
d62b3652a9ce3a352287c0fbe3c56c69

SHA1
a0a974afa7a6aad9148d5b23c56e910bc63bdcf7

SHA256
edd7f30912045d50d2a6504cbaa16ccf1f6cca08e4a5ea7d2c5471e250a00c2c

SHA512
ac38d65b73bd3cd18868b0b2cd56a72a7e4b22548545a16cc421a4487e1453057e9ded8c223a350be22153a701072ff62c77cfe164fd699a24ca3c76eeb5e4d1

Download Submit
C:\Windows\{59504FC7-B15E-4c49-92FE-973724089D34}.exe

Filesize
162KB

MD5
fcde4d525e0f042e1eead34d74f736e9

SHA1
c54b8f2dec5854cf92b9434331dd6803d878d99e

SHA256
0c9990197a2e488bd197e8f2d45cdf20655e4230fc076d23ed45aa4f534831e6

SHA512
b358d594a06eb9e01a8464c1875cf0920b8e1a69947299eb9e99ff9aba35491023d4c452d60187c03a623e45c8575205bfcfcf335301e1b81db232d286500e72

Download Submit
C:\Windows\{60762FC9-F8AB-4e5a-B5A2-9AA60382F7F8}.exe

Filesize
192KB

MD5
4f6e8e9a7a35b38023dc1baf2c4fb606

SHA1
3f59a5bb5c5bd5e7e3be7d053734780f0cfcb808

SHA256
94d29e0f0d90e2057a9573db48e8a97e2f1392c411758062676921885434750f

SHA512
ea94dc4d0d0c7ac07513d6d154608d23b4bac150f92be6a1c589f2e798286801df6327b017bb51ff84005d6fe074e642fe9f963dcf05012e41b2f1892acc5f77

Download Submit
C:\Windows\{9E1BAD3A-5EE6-40cb-8B79-0B7FA6357EDC}.exe

Filesize
192KB

MD5
bac88435cbf04137353813d754db6b69

SHA1
8db32554203f809288bc4ec6716d10c27b529e71

SHA256
730796df6036a9b468479fb7a37fd37022ccc5288763aa438eea2e9cf853f844

SHA512
60be22dc7e59b316392dec0bcf9df07b7deb3b65c61269f27d4663017828362808df3805fb5f7fa7da875a75fb50d1ae1da68f2b53a794eed3b50dc57be96cd7

Download Submit
C:\Windows\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe

Filesize
127KB

MD5
1b8f264ca2d32e2533d7e41982772247

SHA1
378c974691e0d85f89ce21ca1c1f1bc489454f37

SHA256
a807993b149f384e322e0598d397ac028af604ab5e65786fc8f77143b74de602

SHA512
0a7f197765265aa174ff900cb1a5f412a27c9a9564f252b877a78224c7d6b9681c4a09e88286ee7449d145f7269e57eb0c9071e4e021c2935aaca52570d52640

Download Submit
C:\Windows\{AE2A852D-5F50-4462-99A2-57035F6E7491}.exe

Filesize
192KB

MD5
7b619d14379d846989c8f773ca981172

SHA1
d602f473802082eb211223ab7db0bf3b6e495f2a

SHA256
bed4a3b6b13cfafe023893421df9c047c335791702718de9d90e8463eb004679

SHA512
20c30cf22b5692dbf83beeb7998195bf281b3cebca4516a612f1468a13ceb258824a9dce7b8ab478c81da3bfc71edd6e0be2daad426e5afef6c5b36d8abc50f9

Download Submit
C:\Windows\{CBE7E202-575E-4c3d-A32E-543043AD7CAA}.exe

Filesize
192KB

MD5
63281d5ce0afe54d46ac53710ea6fe44

SHA1
f0e95132b54f80b5f9b116cea216ffa2368d56cf

SHA256
83749474bf901765896e2e1fa26c83414cff76939f66e70e6a760d973266af5e

SHA512
95b9a1416c4e2aef5d9d49d6b7ddc1bede9e4a5626cc9b81dfd7a7a3e677909de20eeb629a92079f031014dd7be482ac37984288f9cfe72bfbae333f0f6d4256

Download Submit
C:\Windows\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe

Filesize
192KB

MD5
94925727aad5f29e3a2b7d2aa4796e65

SHA1
f2cf087289961a6f32203b180e356cd6b500f477

SHA256
e7fa4c521bd42f514789b70ee9338230c596837c47073c63c05d398413263b34

SHA512
d56e49ecefc27d7bbb852520f692399df9a55d667ad76cff441db20ecdc622737eb29728bb327de269a535acdd563cd97fe15d77151447963513801ed8fde8a4

Download Submit
C:\Windows\{D1849C2B-6F05-4c7c-9F53-321DAABE00F2}.exe

Filesize
98KB

MD5
6fe7474d932e752442ead416d7a4dc3c

SHA1
4e17f8220d4e7f329f1d232bef43bafeff78b7dc

SHA256
3aadf6367e86141600ba34e28a00432eeb4b5836d74eef8fcc16add056a5a516

SHA512
15fd33da99645493113b94fb59d1e746bd1ee9b8a5942144c2c1254a91467ef5bbf28734cbf8a30df654832407be99bbb373ccfd312872061070927bd3d2e475

Download Submit
C:\Windows\{F78BEEFD-8289-44fb-A436-FD0726D57635}.exe

Filesize
192KB

MD5
3eaccfaa47a52d7b223f483c0337e5d7

SHA1
77968d20db5be80d371f5bba6c10741b74cd47f5

SHA256
381f8103be86a74d51d383c254eb4849ee3596bdebc767ce7ffc6b3caae402d8

SHA512
75a8584f31536e90e08e703c3f9afd6b85e6546985c2409ed21e5128ca7dc500cb5ecf38bd3766e825e52eb7ea9fb5f61b65c8c3b5f6c11506ccbf1843197eae

Download Submit
C:\Windows\{FEDCB394-4FC4-473d-817C-7AFA0E3A46A7}.exe

Filesize
192KB

MD5
a9c3363404965edfea2d43058a127279

SHA1
e08d0e0bcc8f11f3fb1cff0842829d2645cd2336

SHA256
90cea7d5f1a7bc4f1f60360c42af12003047dd793b8d3bff6fc6caa10c0a5926

SHA512
42cc8938d0f4ffa79b7404508ac05f9eded1ee8b058695192045373bd96b2f2556f9c0cbf3641c51094518916976e38c324ead0a63aa0a26addee6515939a78c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads