7ce31488e8e95348042cc7e02eb62db910dfdda9878998894468db5906ef550b

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Size

180KB
MD5

9734b89b91f4cb005a2c1f4700876df9
SHA1

b60998717d8a053a7ee147ac7eccba410a6cfeba
SHA256

7ce31488e8e95348042cc7e02eb62db910dfdda9878998894468db5906ef550b
SHA512

0c184fa09629749e9a282560f870df02a7a80f046627521651e92ec150bf750a5873b24725438e1789e113e4eb80bf1150c8fdaf0887bab1fdc87df483b60186
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5A1463-CD35-4059-A7AC-64C64CC80693}	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE989C-7295-4118-AF8A-997077BF03B0}	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E655A1E-E540-4c89-9505-C8E110010F9E}	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5A1463-CD35-4059-A7AC-64C64CC80693}\stubpath = "C:\\Windows\\{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe"	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}\stubpath = "C:\\Windows\\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe"	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E655A1E-E540-4c89-9505-C8E110010F9E}\stubpath = "C:\\Windows\\{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe"	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}\stubpath = "C:\\Windows\\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe"	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}\stubpath = "C:\\Windows\\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe"	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}\stubpath = "C:\\Windows\\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe"	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE989C-7295-4118-AF8A-997077BF03B0}\stubpath = "C:\\Windows\\{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe"	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342A69F3-4485-49cd-9B6F-3613AEC29859}	{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342A69F3-4485-49cd-9B6F-3613AEC29859}\stubpath = "C:\\Windows\\{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe"	{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}\stubpath = "C:\\Windows\\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe"	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}\stubpath = "C:\\Windows\\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe"	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}\stubpath = "C:\\Windows\\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe"	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}\stubpath = "C:\\Windows\\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe"	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
1452	{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe
4356	{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
File created	C:\Windows\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
File created	C:\Windows\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
File created	C:\Windows\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
File created	C:\Windows\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
File created	C:\Windows\{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
File created	C:\Windows\{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
File created	C:\Windows\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
File created	C:\Windows\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
File created	C:\Windows\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
File created	C:\Windows\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
File created	C:\Windows\{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe	{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Token: SeIncBasePriorityPrivilege	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
Token: SeIncBasePriorityPrivilege	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
Token: SeIncBasePriorityPrivilege	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
Token: SeIncBasePriorityPrivilege	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
Token: SeIncBasePriorityPrivilege	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
Token: SeIncBasePriorityPrivilege	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
Token: SeIncBasePriorityPrivilege	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
Token: SeIncBasePriorityPrivilege	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
Token: SeIncBasePriorityPrivilege	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
Token: SeIncBasePriorityPrivilege	1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
Token: SeIncBasePriorityPrivilege	1452	{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1124	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	90
PID 4760 wrote to memory of 1124	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	90
PID 4760 wrote to memory of 1124	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	90
PID 4760 wrote to memory of 3428	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	91
PID 4760 wrote to memory of 3428	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	91
PID 4760 wrote to memory of 3428	4760	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	91
PID 1124 wrote to memory of 696	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	92
PID 1124 wrote to memory of 696	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	92
PID 1124 wrote to memory of 696	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	92
PID 1124 wrote to memory of 2408	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	93
PID 1124 wrote to memory of 2408	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	93
PID 1124 wrote to memory of 2408	1124	{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe	93
PID 696 wrote to memory of 1808	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	96
PID 696 wrote to memory of 1808	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	96
PID 696 wrote to memory of 1808	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	96
PID 696 wrote to memory of 456	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	97
PID 696 wrote to memory of 456	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	97
PID 696 wrote to memory of 456	696	{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe	97
PID 1808 wrote to memory of 3416	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	99
PID 1808 wrote to memory of 3416	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	99
PID 1808 wrote to memory of 3416	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	99
PID 1808 wrote to memory of 1532	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	100
PID 1808 wrote to memory of 1532	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	100
PID 1808 wrote to memory of 1532	1808	{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe	100
PID 3416 wrote to memory of 4124	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	101
PID 3416 wrote to memory of 4124	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	101
PID 3416 wrote to memory of 4124	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	101
PID 3416 wrote to memory of 4216	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	102
PID 3416 wrote to memory of 4216	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	102
PID 3416 wrote to memory of 4216	3416	{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe	102
PID 4124 wrote to memory of 1996	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	103
PID 4124 wrote to memory of 1996	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	103
PID 4124 wrote to memory of 1996	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	103
PID 4124 wrote to memory of 1872	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	104
PID 4124 wrote to memory of 1872	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	104
PID 4124 wrote to memory of 1872	4124	{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe	104
PID 1996 wrote to memory of 3744	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	105
PID 1996 wrote to memory of 3744	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	105
PID 1996 wrote to memory of 3744	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	105
PID 1996 wrote to memory of 1712	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	106
PID 1996 wrote to memory of 1712	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	106
PID 1996 wrote to memory of 1712	1996	{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe	106
PID 3744 wrote to memory of 2308	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	107
PID 3744 wrote to memory of 2308	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	107
PID 3744 wrote to memory of 2308	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	107
PID 3744 wrote to memory of 4212	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	108
PID 3744 wrote to memory of 4212	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	108
PID 3744 wrote to memory of 4212	3744	{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe	108
PID 2308 wrote to memory of 4468	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	109
PID 2308 wrote to memory of 4468	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	109
PID 2308 wrote to memory of 4468	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	109
PID 2308 wrote to memory of 2908	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	110
PID 2308 wrote to memory of 2908	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	110
PID 2308 wrote to memory of 2908	2308	{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe	110
PID 4468 wrote to memory of 1640	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	111
PID 4468 wrote to memory of 1640	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	111
PID 4468 wrote to memory of 1640	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	111
PID 4468 wrote to memory of 4048	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	112
PID 4468 wrote to memory of 4048	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	112
PID 4468 wrote to memory of 4048	4468	{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe	112
PID 1640 wrote to memory of 1452	1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe	113
PID 1640 wrote to memory of 1452	1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe	113
PID 1640 wrote to memory of 1452	1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe	113
PID 1640 wrote to memory of 2436	1640	{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe	114

C:\Users\Admin\AppData\Local\Temp\202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
  C:\Windows\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
    C:\Windows\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
      C:\Windows\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
        
        C:\Windows\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
        
        C:\Windows\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
        
        C:\Windows\{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
        
        C:\Windows\{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
        
        C:\Windows\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
        
        C:\Windows\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
        
        C:\Windows\{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe
        
        C:\Windows\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe
        
        C:\Windows\{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe
        13⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73A3D~1.EXE > nul
        13⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E655~1.EXE > nul
        12⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{330C9~1.EXE > nul
        11⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B526F~1.EXE > nul
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EE9~1.EXE > nul
        9⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A5A1~1.EXE > nul
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8D8A~1.EXE > nul
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B599~1.EXE > nul
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF80D~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9ABC~1.EXE > nul
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6842A~1.EXE > nul
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202404~1.EXE > nul
  2⤵
  PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E655A1E-E540-4c89-9505-C8E110010F9E}.exe

Filesize
180KB

MD5
91ebdc5e17eeab7c30c98d3e1eb35f2d

SHA1
195649f7d20708a69b6f530c4611e3c746e6660c

SHA256
2fb7a90b390e8ef1d21f7c1ae8023e9b1d253bb398b66987e6055dc579fef019

SHA512
4dad4685cdd459e93d1a30ab82bb5e980362fdab63997c119e2caedf1730a41f9ae37adae93ae4264cbb511bee8bf3da8d4dcf4fa681ce036b049f427c677ff3

Download Submit
C:\Windows\{330C9028-FA8E-40c1-8A81-AC3408AD13B2}.exe

Filesize
180KB

MD5
04e81dace1e7f265980eb1197e040126

SHA1
a0225529f5c383ea6fb42818a192948faf1e22f5

SHA256
074195673f15d487c5f986c71a3131bda38bc25bafc40390c2dffae8303820aa

SHA512
45309342f81ea9572c9d501788c5ae77eb113df091e1d871c76670b86727719151826c78748f71a245d83febf2e8f88b882dd7a51a7369b09633a6e6618fb4f4

Download Submit
C:\Windows\{342A69F3-4485-49cd-9B6F-3613AEC29859}.exe

Filesize
180KB

MD5
bdf86c894d59a4d918cefe23f0002b23

SHA1
bf71505f8664d5be708a1fbf0b43671ea0d72fa5

SHA256
fcf36aff42bd2521455dbfe40ea46dfae87226a2d481ef083c10782338331035

SHA512
b7c99211e292c5ba380e339d0e13371aec7b06c3103a45978b9fe2e32fa9c283e5cbe2f81e7d119640391d4ff4b57bd62213d3b53ddca139efc56c35655d343e

Download Submit
C:\Windows\{6842A59A-9DA5-47fa-9A8D-D64DA4BFA43C}.exe

Filesize
180KB

MD5
0daecbf49ddb9f90a0a3a3c613c0849e

SHA1
0f9bf735ef7f3dd1309b2665d2d7254aeb5e18a1

SHA256
cc0d9b9eba4c948313dbf1db9da7ccfb21c97816dd4c1fe8675e475ffda0ba6c

SHA512
f4ea56c2b0313354e91ea333c12920fa548f80df9e9aab416321f743ea46fd296c9d36cd6dea9d7d711eb1ff57f50645bac57ae0d24ac88d97f412110bd03759

Download Submit
C:\Windows\{73A3DF44-9768-4cb0-89B3-3068EF7B2730}.exe

Filesize
180KB

MD5
a1ebf18551c1d4fc78bab23f35fede23

SHA1
ea657563e7e79ccf571b4cc69d2c9d559f52ffaf

SHA256
8beee426513e98aa4eb8f40db0a43261cd617c4e2e8f3a86d4fcf88326bc2e4a

SHA512
75ac76211c0a1b2ca04d0ae2aad6b5ca028c2ba2dff6ac8820517ecf083e8d9856bf6825f35cc8d5edf77ebf45dc88ca8c36b2941f2a4fa9b9fb66feb156f7c4

Download Submit
C:\Windows\{9A5A1463-CD35-4059-A7AC-64C64CC80693}.exe

Filesize
180KB

MD5
1e3738f89c87d1e20e562dd46123da2c

SHA1
db96482a50b72bac98b13c6edf5b2ecce81e9e0c

SHA256
a5a76c6a906956e80b50c16f6cdb896fda43aa61050f786f0f94b004dc11622b

SHA512
a3a8b8261409d4699ee1aa4909c86944606cc53b938102a91297f45baa58747982912973598b408f2aff9b1cafbe2e651a7f429cdca16a9f5affef537fea156c

Download Submit
C:\Windows\{9B599A84-4705-4a6a-B745-FBB4F18B89AD}.exe

Filesize
180KB

MD5
e3ea941c6c26599fa3d791c40c3c5e65

SHA1
2e9821ffee26bcff67bea098f68ee9946e08f766

SHA256
72bc88583701a35d1ec4f4fac698b0f3fbbbde5de0ecc5446c21a31a3e481a1f

SHA512
80c0652a36639b33907717494681ef0df50738175c6305c22019fec85bbc423f846bf4fa4ecfe7443ddf4d5188a7e4b0314ee8d4dcaff96437da1a6812f96836

Download Submit
C:\Windows\{B526F5CA-AC57-4536-A97C-2DBA1EF181E7}.exe

Filesize
180KB

MD5
13d91ebbadcf3f15879c691b929fc1e9

SHA1
6be3ff110f9b5c6cb9b42cf3f87723b6c937d41f

SHA256
f6402e42a89bb10b5000907a86da3ac1dd44fc96ab3c2ed4c83ed72dcf0d1510

SHA512
b06435a908d3512f350d3ddc080564518dd2e0eaf9bbf4cb2ca18ed8c298ed64771c79ee80acee5de72fd5ce4729839f1dcc54e6c8cf6c8060b08b24f51c4d3d

Download Submit
C:\Windows\{C4EE989C-7295-4118-AF8A-997077BF03B0}.exe

Filesize
180KB

MD5
c7decd4966b8f4f6d79292fddba7987a

SHA1
d5059e3fa397cf58f8ca0ad2213d3361b4da7113

SHA256
49f1ff781140722e8f9ffd31f59de53b9a6efb5575c65a16136a6da1fc4a0bc9

SHA512
eddff1d5ec1dc0fe1e34b4920a7feefad61ac1125224943c93f7e6769885e5d3f1c93078ba4fdb1c9027ac0f435a89f6a507fedf5e4aa6472ef9e28feebc1e09

Download Submit
C:\Windows\{C9ABCF83-3FF3-486b-A1C0-49DA129F9452}.exe

Filesize
180KB

MD5
a2b24e0aa7167638a3e1d6098ca0caf9

SHA1
0453e34a164fc74ee5d789b75db3b2314a5b6509

SHA256
1f40af56bf8113da03266cbaf07730d9895466b454d0a586f9c72d608fcda5ac

SHA512
1189a5c1a87d618b6e9ba3d21c8751b87fa7b89cff1ede1f4d60c1117dcea498fa56024788cf22ba40cce2e26ce0697d4a9ec93586b8b5634e63a5847a5cf56b

Download Submit
C:\Windows\{DF80DFDA-BBC5-44a2-8E4A-E65EB712C7FA}.exe

Filesize
180KB

MD5
79f5dbfa5b9a3a95f6f2b5e3553cc161

SHA1
100f77f949d11fb98966ce961211354ad977559f

SHA256
275e28b159e4bc6cd3c9c36af36a7ae03c5846f115d66a1234bbbc54db077b54

SHA512
27c287b71bcc5869e8828c98b0d30c01e4c81282585397a13882e4969ec151410f996ea4dcb71f40ff0cac9b77fb10f30186d0b6f699ba9491371301cda9f307

Download Submit
C:\Windows\{F8D8A665-5095-41c9-8FEF-F4AF0E9B4D4F}.exe

Filesize
180KB

MD5
4fe134cf934aa54444eb1bbfb87e9f74

SHA1
85c9622d7832bfa0b6209676f584f9a889e9cc10

SHA256
3c647e9e37bb17064e73d0a8a2f16c29600635340de60dc4eaeba20ef46551bb

SHA512
8bbaf7fa28e7aa48a1573f436bbc7636256e9fbc012134995d072d3f227902e293bc3c404c264f87b05a1b643d2e9a3e3bed06750fb792b9b25dbf3f5c3be1bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads