c1dc38220defe38f3510c81fba38697a3a22815ced0c73dda6beb1e4f8a2bf76

Analysis

max time kernel
169s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
Size

192KB
MD5

191d0ae8c4e4d13ca35767d51fa015f8
SHA1

4aceb4cfac5061dc277afbfa37c859b1cf8e95e8
SHA256

c1dc38220defe38f3510c81fba38697a3a22815ced0c73dda6beb1e4f8a2bf76
SHA512

d70c1a27b2c1d3a5085909963dac401f4531c57e8601b12b51dd8eaa50ae385d5591088186b842e81924d384633134ae1f48a94be85bfb0fa70054a7ea5ae753
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}\stubpath = "C:\\Windows\\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe"	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}\stubpath = "C:\\Windows\\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe"	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}\stubpath = "C:\\Windows\\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe"	{7D9C8C00-C825-436d-9919-CD284D063299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5C23F16-4139-4827-B91F-8B34F8DAED22}	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF9757C2-1C01-48d9-97E0-545402EB814D}	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF9757C2-1C01-48d9-97E0-545402EB814D}\stubpath = "C:\\Windows\\{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe"	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}\stubpath = "C:\\Windows\\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe"	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}	{7D9C8C00-C825-436d-9919-CD284D063299}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5C23F16-4139-4827-B91F-8B34F8DAED22}\stubpath = "C:\\Windows\\{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe"	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}\stubpath = "C:\\Windows\\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe"	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}\stubpath = "C:\\Windows\\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe"	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}\stubpath = "C:\\Windows\\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe"	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9C8C00-C825-436d-9919-CD284D063299}	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9C8C00-C825-436d-9919-CD284D063299}\stubpath = "C:\\Windows\\{7D9C8C00-C825-436d-9919-CD284D063299}.exe"	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57ED764-F719-4a2f-962B-410409222503}	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57ED764-F719-4a2f-962B-410409222503}\stubpath = "C:\\Windows\\{E57ED764-F719-4a2f-962B-410409222503}.exe"	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe

Executes dropped EXE 11 IoCs

pid	Process
4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe
4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe
4040	{E57ED764-F719-4a2f-962B-410409222503}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	{7D9C8C00-C825-436d-9919-CD284D063299}.exe
File created	C:\Windows\{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
File created	C:\Windows\{E57ED764-F719-4a2f-962B-410409222503}.exe	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe
File created	C:\Windows\{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
File created	C:\Windows\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
File created	C:\Windows\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
File created	C:\Windows\{7D9C8C00-C825-436d-9919-CD284D063299}.exe	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
File created	C:\Windows\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
File created	C:\Windows\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
File created	C:\Windows\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
File created	C:\Windows\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
Token: SeIncBasePriorityPrivilege	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
Token: SeIncBasePriorityPrivilege	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
Token: SeIncBasePriorityPrivilege	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
Token: SeIncBasePriorityPrivilege	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
Token: SeIncBasePriorityPrivilege	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
Token: SeIncBasePriorityPrivilege	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe
Token: SeIncBasePriorityPrivilege	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
Token: SeIncBasePriorityPrivilege	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
Token: SeIncBasePriorityPrivilege	4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4296	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	94
PID 1708 wrote to memory of 4296	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	94
PID 1708 wrote to memory of 4296	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	94
PID 1708 wrote to memory of 3228	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	95
PID 1708 wrote to memory of 3228	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	95
PID 1708 wrote to memory of 3228	1708	2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe	95
PID 4296 wrote to memory of 1968	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	96
PID 4296 wrote to memory of 1968	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	96
PID 4296 wrote to memory of 1968	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	96
PID 4296 wrote to memory of 2804	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	97
PID 4296 wrote to memory of 2804	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	97
PID 4296 wrote to memory of 2804	4296	{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe	97
PID 1968 wrote to memory of 2296	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	99
PID 1968 wrote to memory of 2296	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	99
PID 1968 wrote to memory of 2296	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	99
PID 1968 wrote to memory of 2568	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	100
PID 1968 wrote to memory of 2568	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	100
PID 1968 wrote to memory of 2568	1968	{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe	100
PID 2296 wrote to memory of 1476	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	104
PID 2296 wrote to memory of 1476	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	104
PID 2296 wrote to memory of 1476	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	104
PID 2296 wrote to memory of 1004	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	105
PID 2296 wrote to memory of 1004	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	105
PID 2296 wrote to memory of 1004	2296	{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe	105
PID 1476 wrote to memory of 4708	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	109
PID 1476 wrote to memory of 4708	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	109
PID 1476 wrote to memory of 4708	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	109
PID 1476 wrote to memory of 4456	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	110
PID 1476 wrote to memory of 4456	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	110
PID 1476 wrote to memory of 4456	1476	{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe	110
PID 4708 wrote to memory of 2284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	113
PID 4708 wrote to memory of 2284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	113
PID 4708 wrote to memory of 2284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	113
PID 4708 wrote to memory of 1284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	114
PID 4708 wrote to memory of 1284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	114
PID 4708 wrote to memory of 1284	4708	{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe	114
PID 2284 wrote to memory of 3700	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	115
PID 2284 wrote to memory of 3700	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	115
PID 2284 wrote to memory of 3700	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	115
PID 2284 wrote to memory of 5036	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	116
PID 2284 wrote to memory of 5036	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	116
PID 2284 wrote to memory of 5036	2284	{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe	116
PID 3700 wrote to memory of 4844	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	117
PID 3700 wrote to memory of 4844	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	117
PID 3700 wrote to memory of 4844	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	117
PID 3700 wrote to memory of 2796	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	118
PID 3700 wrote to memory of 2796	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	118
PID 3700 wrote to memory of 2796	3700	{7D9C8C00-C825-436d-9919-CD284D063299}.exe	118
PID 4844 wrote to memory of 1488	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	122
PID 4844 wrote to memory of 1488	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	122
PID 4844 wrote to memory of 1488	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	122
PID 4844 wrote to memory of 4064	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	123
PID 4844 wrote to memory of 4064	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	123
PID 4844 wrote to memory of 4064	4844	{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe	123
PID 1488 wrote to memory of 4540	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	130
PID 1488 wrote to memory of 4540	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	130
PID 1488 wrote to memory of 4540	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	130
PID 1488 wrote to memory of 3196	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	131
PID 1488 wrote to memory of 3196	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	131
PID 1488 wrote to memory of 3196	1488	{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe	131
PID 4540 wrote to memory of 4040	4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe	132
PID 4540 wrote to memory of 4040	4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe	132
PID 4540 wrote to memory of 4040	4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe	132
PID 4540 wrote to memory of 3552	4540	{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_191d0ae8c4e4d13ca35767d51fa015f8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
  C:\Windows\{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
    C:\Windows\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
      C:\Windows\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
        
        C:\Windows\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Windows\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
        
        C:\Windows\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
        
        C:\Windows\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{7D9C8C00-C825-436d-9919-CD284D063299}.exe
        
        C:\Windows\{7D9C8C00-C825-436d-9919-CD284D063299}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
        
        C:\Windows\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
        
        C:\Windows\{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe
        
        C:\Windows\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{E57ED764-F719-4a2f-962B-410409222503}.exe
        
        C:\Windows\{E57ED764-F719-4a2f-962B-410409222503}.exe
        12⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C121~1.EXE > nul
        12⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5C23~1.EXE > nul
        11⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E84FF~1.EXE > nul
        10⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9C8~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74B7D~1.EXE > nul
        8⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{637DB~1.EXE > nul
        7⤵
        
        PID:1284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E015~1.EXE > nul
        6⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4B4~1.EXE > nul
        5⤵
        
        PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1EFE~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF975~1.EXE > nul
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B4B457D-CD56-47d0-BAD8-8FBE4B63A7DF}.exe

Filesize
192KB

MD5
029acf518d8c9910dad410a830065025

SHA1
42ab688dfd1b740a8e02b2577f1709d5d40e3eaf

SHA256
1ab12ef0082e9badfba498bad7ae26b2ccf70fcecd277640dc892b3576cb2f11

SHA512
53faaf430537f8b2bbc4fcfa70757ea736938878a6d18d8e6cfce56365e14313d76c8b860711c9a9aa00cc3899d749bbc69a53468b5d36257e83715f055e3a02

Download Submit
C:\Windows\{2C1216F4-AAF9-40b2-BCDF-375A135D93B0}.exe

Filesize
192KB

MD5
302a50bc533e28808bffdbc12559add7

SHA1
42ca2d41362f2fe422e2d736effe671077f6fb83

SHA256
971b43bbc25068da5f04805cb1b1fdbbb85c5f85fd56ee9ea491bb19e33afaf5

SHA512
d518215fc4ddf1a0832b1083fefae105734132ea7bd80ec1d6a8d3025529f3a46f90496085ba6c19b3ee300fd782b67c2218777a1a8975d401eeb91547f8220d

Download Submit
C:\Windows\{2E015AC1-D5ED-4a06-81FA-AD2B1AD629CD}.exe

Filesize
192KB

MD5
0fab7059a3651e87074bb0ed6530ef9e

SHA1
a209dc0e446ae0ec5e6736830997bd0856abcb63

SHA256
5a5d3bc1caabda1d43b94cc96517821dbd327a976cc37b469dedae73adbf82f2

SHA512
fe10c9cf511fe9fa8b99877583f047d2e7d92f636df97382c7b973ffb5d59f25de807acc62c1dae7214446a857ac30156a26a7b0219f62a871bbd2015af723f7

Download Submit
C:\Windows\{637DBE47-80CD-409f-B0CC-9C5EC3C14351}.exe

Filesize
192KB

MD5
41e35edaaa9fbb4f149d0b2d5f586a4f

SHA1
3702393462f482d3dd2e02a4e8d08b11dd559cf3

SHA256
7c4e48b4914e34d7a04d6a1c8d1a1da46d01576d411cfe519145431dea1b912a

SHA512
df31ab42d14da0e55828a75cc8ce7ed7f5dcaa1c5f23c26ef2fc2bf7031e8b9d8a331578e400119717fbca55e2339c60803369083b6fa9b898a4bba798625e39

Download Submit
C:\Windows\{74B7DF77-2897-4e75-BEFE-F84B3CA1864C}.exe

Filesize
192KB

MD5
441258f8311c46fd226f62e741a1730f

SHA1
5c6a9ea41e2b77955b415660f0f095ff15aec01d

SHA256
c5af7a5f7c51ebd617db8a9af1f8936b5876a47c9dfbf04637fdf92b1e70f355

SHA512
4a8d8d3b212c03306fe55754f390eb4fc66d5e07caadcfb4a3569c3c756dfa3b122a7fcccc0137fb2daaae9a419d654f756e225113a4eadcbbc828cb4a9747aa

Download Submit
C:\Windows\{7D9C8C00-C825-436d-9919-CD284D063299}.exe

Filesize
192KB

MD5
ca389284b2a0cf7357f654a34a6fbf9d

SHA1
c95736c9654aee4d3a2e5379bfa6e34dfa39e6f2

SHA256
88929235765107ac8d3e22d8b6030f0c7f2f25ec35e7087ab79fae205b32b24a

SHA512
1609045b92d00e6d6459bd383b68a05131a600ffb0ef2c7a33ce34dfadf37e18c9d4c83af5f4df7bcdbbe60e8c60342ec4a7961d15ca66373290a52da2f3287f

Download Submit
C:\Windows\{B1EFE0DF-A5A3-405e-AA20-F1AF20E47741}.exe

Filesize
192KB

MD5
bbf532856a55ea123c073c215f9f7ee6

SHA1
55b850c89eb5d37f58517b9b6f17e6600414d1b5

SHA256
449a5e6e937a4144cf8beef14f8bcbd0b6096c75d44a5c1b3a293526ac592ac8

SHA512
f6a05ee2b43fb7d75ca97e7cb535a7b43133fda09dbb7832c5ebc0ce71dffed1b14f28ebfeb0de7120d5fd334152aefe8234e1ea5c7066fc7672c30ac66b4927

Download Submit
C:\Windows\{B5C23F16-4139-4827-B91F-8B34F8DAED22}.exe

Filesize
192KB

MD5
cbf0af1d9d640350fa6b46ca0f78daba

SHA1
8b106d022e487e19faad45bd437cb001b580c3a0

SHA256
a6a73309058268a4d769552633a80757d5cfe53d235c56a2da3ba1fa7de3b91f

SHA512
268b4ed70245b13add3cbf2a2a9b13607af08b4d95fee79ca6f4a5450677796613d3b9460f47bc2e802047c87f52024751a7e77a4b4d01f4c365ea0babae8f2f

Download Submit
C:\Windows\{DF9757C2-1C01-48d9-97E0-545402EB814D}.exe

Filesize
192KB

MD5
d8c11921abf0ebc86bc100b685c506ee

SHA1
f2bafdebd09c16447fdde2528246006923265123

SHA256
6aac9aca29c52a3dbb3b764db52e06bd992b08cc218d4d75ce8548d568e87b49

SHA512
535c7f25268d6a7e90ee9000f5b1722eea47e97dd19d5dcc81ea1c0bf80738a1c1229e1d8c50693d16c82d70340e54f897ba36de19979dc753ab35ea71e8e975

Download Submit
C:\Windows\{E57ED764-F719-4a2f-962B-410409222503}.exe

Filesize
192KB

MD5
758d05c2a1a2e41c1b70d0224ba7bbe2

SHA1
fcf135da0f0f16bd9294dbc9257aaef7cc5ab3cc

SHA256
f559b10569efb82873ef4a35d222f0b69a8f6840c708933715eaba323f61912c

SHA512
fd38801628b6239dff5febe3a88090324bc1ed807d7618c3732582ce9a48cceb4e53a8bca6856b4127aa6e0d6e59a27895c123fa4b2cef21424f4467bbf09de5

Download Submit
C:\Windows\{E84FF7D7-35AD-499c-A990-97BC2A70B0B0}.exe

Filesize
192KB

MD5
8a9c312c01e13b6ccf851cefb8d21e25

SHA1
8107575102bcf82f90d3bf40cdfc5cd63cfaa084

SHA256
f31ead02ed40d381a32bafe1042c5aabdf87a8a2b04900bfe1f07f53296d1bd2

SHA512
b6302f4f228205d06af2c2cee1df6fff4b48a6bd122584d8975912be2294c0f9ea7743acd268c8bf58581d1f681d253d323b3a507d6837414b38803bc7cc64ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads