5ec0ed8b8df1d975726b12638a9178f52e1ed12a15b52b8dc5886b58ee7f9d67

Analysis

max time kernel
163s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
Size

180KB
MD5

91aaa7f6c51ea68922dec30577645691
SHA1

e38afdbb634c0bb3c3d1505757c55a30a49f6b68
SHA256

5ec0ed8b8df1d975726b12638a9178f52e1ed12a15b52b8dc5886b58ee7f9d67
SHA512

81e20d44070a45db9477b98a5d8f3918396f8ed4d20bf4b76a600ba2962e733940b9c326e8a414788ed55db60bc393b7b8d4b02df9b6405d5bad4f74ea194af9
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGll5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51120BE9-A94D-430b-8144-FE459D165E81}	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21734323-6C3E-44d7-A817-DF71A23C9D90}	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B890B5E-6652-4747-B54F-C58EB4773394}	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}\stubpath = "C:\\Windows\\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe"	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}\stubpath = "C:\\Windows\\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe"	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27B44D3-923B-44e1-82BD-96DFB2F04388}	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E27B44D3-923B-44e1-82BD-96DFB2F04388}\stubpath = "C:\\Windows\\{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe"	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}	{51120BE9-A94D-430b-8144-FE459D165E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B890B5E-6652-4747-B54F-C58EB4773394}\stubpath = "C:\\Windows\\{8B890B5E-6652-4747-B54F-C58EB4773394}.exe"	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}\stubpath = "C:\\Windows\\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe"	{51120BE9-A94D-430b-8144-FE459D165E81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}\stubpath = "C:\\Windows\\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe"	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}\stubpath = "C:\\Windows\\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe"	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}\stubpath = "C:\\Windows\\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe"	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}\stubpath = "C:\\Windows\\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe"	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21734323-6C3E-44d7-A817-DF71A23C9D90}\stubpath = "C:\\Windows\\{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe"	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51120BE9-A94D-430b-8144-FE459D165E81}\stubpath = "C:\\Windows\\{51120BE9-A94D-430b-8144-FE459D165E81}.exe"	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe

Executes dropped EXE 11 IoCs

pid	Process
2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe
208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe
4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
4588	{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe	{51120BE9-A94D-430b-8144-FE459D165E81}.exe
File created	C:\Windows\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
File created	C:\Windows\{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
File created	C:\Windows\{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
File created	C:\Windows\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
File created	C:\Windows\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
File created	C:\Windows\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
File created	C:\Windows\{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
File created	C:\Windows\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
File created	C:\Windows\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
File created	C:\Windows\{51120BE9-A94D-430b-8144-FE459D165E81}.exe	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
Token: SeIncBasePriorityPrivilege	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
Token: SeIncBasePriorityPrivilege	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
Token: SeIncBasePriorityPrivilege	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
Token: SeIncBasePriorityPrivilege	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
Token: SeIncBasePriorityPrivilege	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
Token: SeIncBasePriorityPrivilege	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
Token: SeIncBasePriorityPrivilege	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe
Token: SeIncBasePriorityPrivilege	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe
Token: SeIncBasePriorityPrivilege	4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2052	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	94
PID 1312 wrote to memory of 2052	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	94
PID 1312 wrote to memory of 2052	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	94
PID 1312 wrote to memory of 392	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	95
PID 1312 wrote to memory of 392	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	95
PID 1312 wrote to memory of 392	1312	2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe	95
PID 2052 wrote to memory of 1424	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	96
PID 2052 wrote to memory of 1424	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	96
PID 2052 wrote to memory of 1424	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	96
PID 2052 wrote to memory of 5008	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	97
PID 2052 wrote to memory of 5008	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	97
PID 2052 wrote to memory of 5008	2052	{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe	97
PID 1424 wrote to memory of 4956	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	99
PID 1424 wrote to memory of 4956	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	99
PID 1424 wrote to memory of 4956	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	99
PID 1424 wrote to memory of 1728	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	100
PID 1424 wrote to memory of 1728	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	100
PID 1424 wrote to memory of 1728	1424	{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe	100
PID 4956 wrote to memory of 3980	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	104
PID 4956 wrote to memory of 3980	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	104
PID 4956 wrote to memory of 3980	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	104
PID 4956 wrote to memory of 3328	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	105
PID 4956 wrote to memory of 3328	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	105
PID 4956 wrote to memory of 3328	4956	{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe	105
PID 3980 wrote to memory of 4588	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	109
PID 3980 wrote to memory of 4588	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	109
PID 3980 wrote to memory of 4588	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	109
PID 3980 wrote to memory of 3780	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	110
PID 3980 wrote to memory of 3780	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	110
PID 3980 wrote to memory of 3780	3980	{8B890B5E-6652-4747-B54F-C58EB4773394}.exe	110
PID 4588 wrote to memory of 1520	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	111
PID 4588 wrote to memory of 1520	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	111
PID 4588 wrote to memory of 1520	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	111
PID 4588 wrote to memory of 3244	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	112
PID 4588 wrote to memory of 3244	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	112
PID 4588 wrote to memory of 3244	4588	{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe	112
PID 1520 wrote to memory of 3936	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	114
PID 1520 wrote to memory of 3936	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	114
PID 1520 wrote to memory of 3936	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	114
PID 1520 wrote to memory of 2412	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	115
PID 1520 wrote to memory of 2412	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	115
PID 1520 wrote to memory of 2412	1520	{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe	115
PID 3936 wrote to memory of 4860	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	116
PID 3936 wrote to memory of 4860	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	116
PID 3936 wrote to memory of 4860	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	116
PID 3936 wrote to memory of 2356	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	117
PID 3936 wrote to memory of 2356	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	117
PID 3936 wrote to memory of 2356	3936	{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe	117
PID 4860 wrote to memory of 208	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	121
PID 4860 wrote to memory of 208	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	121
PID 4860 wrote to memory of 208	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	121
PID 4860 wrote to memory of 3756	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	122
PID 4860 wrote to memory of 3756	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	122
PID 4860 wrote to memory of 3756	4860	{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe	122
PID 208 wrote to memory of 4044	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	125
PID 208 wrote to memory of 4044	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	125
PID 208 wrote to memory of 4044	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	125
PID 208 wrote to memory of 1864	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	126
PID 208 wrote to memory of 1864	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	126
PID 208 wrote to memory of 1864	208	{51120BE9-A94D-430b-8144-FE459D165E81}.exe	126
PID 4044 wrote to memory of 4588	4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe	127
PID 4044 wrote to memory of 4588	4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe	127
PID 4044 wrote to memory of 4588	4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe	127
PID 4044 wrote to memory of 2496	4044	{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_91aaa7f6c51ea68922dec30577645691_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
  C:\Windows\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
    C:\Windows\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
      C:\Windows\{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
        
        C:\Windows\{8B890B5E-6652-4747-B54F-C58EB4773394}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
        
        C:\Windows\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
        
        C:\Windows\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
        
        C:\Windows\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe
        
        C:\Windows\{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{51120BE9-A94D-430b-8144-FE459D165E81}.exe
        
        C:\Windows\{51120BE9-A94D-430b-8144-FE459D165E81}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
        
        C:\Windows\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe
        
        C:\Windows\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe
        12⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B71~1.EXE > nul
        12⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51120~1.EXE > nul
        11⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E27B4~1.EXE > nul
        10⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCAF5~1.EXE > nul
        9⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{288AF~1.EXE > nul
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F4A1~1.EXE > nul
        7⤵
        
        PID:3244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B890~1.EXE > nul
        6⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21734~1.EXE > nul
        5⤵
        
        PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B5DE~1.EXE > nul
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{39E6F~1.EXE > nul
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21734323-6C3E-44d7-A817-DF71A23C9D90}.exe

Filesize
180KB

MD5
0fae410a6734ee089a1b44e868229ff7

SHA1
7e918323f4090a778de3ec9d313186f799a56759

SHA256
ed90b532039974d691455c4028adde88402a37cdf8cf2d37eaf02eb0f428ff36

SHA512
4f79cd10e692533250e5f8b8440dd379bfb92ae45a233e2019567892da1a569bc143395cbbebb7a3e32caaa7d6bbd7c3a54bb9552af39c89509237fa1b9a8e79

Download Submit
C:\Windows\{288AFD48-1FBE-4f21-BDEC-6C3BB9881870}.exe

Filesize
180KB

MD5
18dcc9210be0ba1966aa9770604cb546

SHA1
cb8e1e066a79d66cb516a4372d101faac6bf6aae

SHA256
ccab055a11c8ba1c145588964202d793064631f732885be9b6bc26894733579d

SHA512
d3c46fe0a782adcba939618c1b2f29554596bade6879ad3a4fbae6b8172b71e4c0430112b5d66bb9da04ea019ca02986ec3d6833a6c9ef1cdb44a5df4b1c9ffd

Download Submit
C:\Windows\{39E6FDC5-3306-405b-94CE-B1E0A01AC51A}.exe

Filesize
180KB

MD5
1b71c3454696c1a827e9d141041541c3

SHA1
c273c2c9f492a01d6d78828dbe22dd98939e923f

SHA256
39631957405024706ec3b98305ace20dc346263a09a78a493064a6280c18f3ef

SHA512
89b88d30201b2b2ad1ed0f539919f88c5fdcba3bab036af2fe6ae062ff71f65465bddf59f7c2db4f5866908259db7f4ce391df94422572dc84b797d3e3866e85

Download Submit
C:\Windows\{3F4A118B-492F-4cb7-957E-AC7FE8459E39}.exe

Filesize
180KB

MD5
b28aef0dc9a0e31ed284ba7dc3f445b1

SHA1
8a2bd40aa5e8225944a45300247def4256b7b0c1

SHA256
4a785e01592af2c341bdda4e0dba92526c59849b28c7640b4a048e6a99fb17a7

SHA512
adb1d46479e1c5905b6aa1652ccd705d833438562fba7890facd40c8ba8e466b9d968f792ad1da2a0aa3ea6092b9c0300eaf09e232c98b22208eeeff35937f4b

Download Submit
C:\Windows\{51120BE9-A94D-430b-8144-FE459D165E81}.exe

Filesize
180KB

MD5
5c311db59a80e4e5b2adf0142e3548e2

SHA1
35c613c399e5e12de9f2db3d531485995a1b6ebf

SHA256
62031c4ddf737a2132e763b8a1d244ad1969dc70a2770c2e8103fb6fe75cd98a

SHA512
ba01b18e0be47efd66a3bba55d77dd4d9565d42e5b96da274a92424e535348ad970fb12916db6a6229749fbf26857849045853e8f20183100da125a8d04b0da8

Download Submit
C:\Windows\{5B5DE644-A0BC-4f0a-A8B3-A03391A603D8}.exe

Filesize
180KB

MD5
21629881545accca5b078f5a12bae9c3

SHA1
77495b1b5253bde61e1c965716b7dc4aeba91bac

SHA256
bf8ccceac9c34adc40e7f25f5d73ebdeead81df8d2cbc64e6328930a1ca5d1a6

SHA512
cfb3068fbc1a04652543dbdbb736c6c9c5c010eaae3247fc3f8d70ccca3eddeb83e696a43f23d52dce101c28bc97f19cb73804cc21105df987320bedc714fd2b

Download Submit
C:\Windows\{8B890B5E-6652-4747-B54F-C58EB4773394}.exe

Filesize
180KB

MD5
42513f9912166baca6bc686c5760c442

SHA1
27204582fafb971ed1e3320fcdf04b7f575175f9

SHA256
096226110ea8e242410adcd4fa60682586908db8970df25f712d90583174ec5c

SHA512
7ef705ebd622aadefa738daaffcd74f6013286e029ee7f04d562d188e7279943bcb23d0ffa3f48961eed28068737a7c6824d41dd8f25dc032183c01aea5ec1ff

Download Submit
C:\Windows\{BAE5979A-82B3-4786-94C1-14DC8F1FE67D}.exe

Filesize
180KB

MD5
b309dacf133d689ce564fc4e6956cd4a

SHA1
cb14ded74e8404343a5409882112d44a2e9666be

SHA256
44c9900eb1562eeb7092fc5dfd7fb0cd81106f6cee2af3d616d376948ea615d5

SHA512
d11b181c9d3ee330f72c2034610e8304c61540c75fede168b6dd8acd126a0aa9e92e4c759f295030f917c1fce5d2d2d0933058cb4a7afdb1640ebbbbedfa99ee

Download Submit
C:\Windows\{BCAF5640-71BE-4bf0-A122-F9566E30ECE4}.exe

Filesize
180KB

MD5
747a598f1541c96e3ffd39ae7bedba0d

SHA1
a2f0a307642ebc165e2578f6b3b84d674c2efaa8

SHA256
1e31ddd03505c40b2b3b787259cb0f597cbf6c03a8001f06f32e7b7eff75028b

SHA512
acb9ffdfcf7fc767071c6811db12c0591d8f82a2f5de9cfec98f3c90a367be60384bdbe0cdeededced0922e1bcfe2026ae4e03a89d430715387dedd642863ac9

Download Submit
C:\Windows\{C7B718D9-F907-4e7b-B96D-C11BB8CD10B7}.exe

Filesize
180KB

MD5
0412dba1286cad3813626243fd999500

SHA1
4d948b46c5fda4b649fb8464bc488dec75c51ba0

SHA256
da3aa238c9890d627bc02e217a05539d69ccffaaabf68818905fae5644592a1a

SHA512
34bddb336ecffbf01c3d3fa67dfd9c953e53404c6dc31acb671c8c0ab442890b3c11e0cb80847fa2dc6126f70567521c2fff4160efbf6bf05f6249d2884d4fb1

Download Submit
C:\Windows\{E27B44D3-923B-44e1-82BD-96DFB2F04388}.exe

Filesize
180KB

MD5
423fb1fc32fef4bc67130ae7a53ca47b

SHA1
449e29054e40a3afbe4c6cff9a91564ca0a04991

SHA256
d9123eebe5ff0c28a5cbb2335e36c627fd9b2ce0022d31be6aad12b20a2f20fd

SHA512
8017f7e87d496923873c161cb3c28e7d03ae9e644488f67ec88ec606074db89f3d641cabb73ef12c990204144d3c0d24e2e02181c61008b07de977985eb32088

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads