5decc3f4172c8a1b785f0b0277bc7c4f19bc51ab61241b5a2492bea7ccb98ac1

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
Size

408KB
MD5

d7e69a63e912945cc826f7d2490edac8
SHA1

05fd197715f65b8e7de0a1028226817d11835bd6
SHA256

5decc3f4172c8a1b785f0b0277bc7c4f19bc51ab61241b5a2492bea7ccb98ac1
SHA512

a152928ca759cd211cb6bac01b0ae8701809394c07a13ed04f1cb8d53891c28bb22b0d64364bca46ddaaf9404937f6b032c01760c5be518cc92f0a75f296fb8c
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}\stubpath = "C:\\Windows\\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe"	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}\stubpath = "C:\\Windows\\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe"	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}\stubpath = "C:\\Windows\\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe"	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D52E40-111B-4460-B211-847733496A32}\stubpath = "C:\\Windows\\{F3D52E40-111B-4460-B211-847733496A32}.exe"	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}\stubpath = "C:\\Windows\\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe"	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}\stubpath = "C:\\Windows\\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe"	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}\stubpath = "C:\\Windows\\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe"	{F3D52E40-111B-4460-B211-847733496A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}\stubpath = "C:\\Windows\\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe"	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B9A718-DD51-40b7-92F9-0C17036ACAFC}	{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D52E40-111B-4460-B211-847733496A32}	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}\stubpath = "C:\\Windows\\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe"	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B9A718-DD51-40b7-92F9-0C17036ACAFC}\stubpath = "C:\\Windows\\{C0B9A718-DD51-40b7-92F9-0C17036ACAFC}.exe"	{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}	{F3D52E40-111B-4460-B211-847733496A32}.exe

Executes dropped EXE 9 IoCs

pid	Process
4564	{F3D52E40-111B-4460-B211-847733496A32}.exe
3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
3980	{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{C0B9A718-DD51-40b7-92F9-0C17036ACAFC}.exe	{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe
File created	C:\Windows\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	{F3D52E40-111B-4460-B211-847733496A32}.exe
File created	C:\Windows\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
File created	C:\Windows\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
File created	C:\Windows\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
File created	C:\Windows\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
File created	C:\Windows\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
File created	C:\Windows\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
File created	C:\Windows\{F3D52E40-111B-4460-B211-847733496A32}.exe	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
File created	C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe
Token: SeIncBasePriorityPrivilege	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
Token: SeIncBasePriorityPrivilege	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
Token: SeIncBasePriorityPrivilege	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
Token: SeIncBasePriorityPrivilege	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
Token: SeIncBasePriorityPrivilege	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
Token: SeIncBasePriorityPrivilege	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
Token: SeIncBasePriorityPrivilege	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4564	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	91
PID 1780 wrote to memory of 4564	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	91
PID 1780 wrote to memory of 4564	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	91
PID 1780 wrote to memory of 3368	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	93
PID 1780 wrote to memory of 3368	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	93
PID 1780 wrote to memory of 3368	1780	2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe	93
PID 4564 wrote to memory of 3416	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	98
PID 4564 wrote to memory of 3416	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	98
PID 4564 wrote to memory of 3416	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	98
PID 4564 wrote to memory of 2676	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	97
PID 4564 wrote to memory of 2676	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	97
PID 4564 wrote to memory of 2676	4564	{F3D52E40-111B-4460-B211-847733496A32}.exe	97
PID 3416 wrote to memory of 3112	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	104
PID 3416 wrote to memory of 3112	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	104
PID 3416 wrote to memory of 3112	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	104
PID 3416 wrote to memory of 2532	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	103
PID 3416 wrote to memory of 2532	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	103
PID 3416 wrote to memory of 2532	3416	{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe	103
PID 3112 wrote to memory of 5072	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	107
PID 3112 wrote to memory of 5072	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	107
PID 3112 wrote to memory of 5072	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	107
PID 3112 wrote to memory of 3828	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	106
PID 3112 wrote to memory of 3828	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	106
PID 3112 wrote to memory of 3828	3112	{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe	106
PID 5072 wrote to memory of 2580	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	114
PID 5072 wrote to memory of 2580	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	114
PID 5072 wrote to memory of 2580	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	114
PID 5072 wrote to memory of 3740	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	115
PID 5072 wrote to memory of 3740	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	115
PID 5072 wrote to memory of 3740	5072	{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe	115
PID 2580 wrote to memory of 2948	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	119
PID 2580 wrote to memory of 2948	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	119
PID 2580 wrote to memory of 2948	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	119
PID 2580 wrote to memory of 4460	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	118
PID 2580 wrote to memory of 4460	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	118
PID 2580 wrote to memory of 4460	2580	{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe	118
PID 2948 wrote to memory of 3180	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	121
PID 2948 wrote to memory of 3180	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	121
PID 2948 wrote to memory of 3180	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	121
PID 2948 wrote to memory of 2468	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	120
PID 2948 wrote to memory of 2468	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	120
PID 2948 wrote to memory of 2468	2948	{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe	120
PID 3180 wrote to memory of 644	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	123
PID 3180 wrote to memory of 644	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	123
PID 3180 wrote to memory of 644	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	123
PID 3180 wrote to memory of 1780	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	124
PID 3180 wrote to memory of 1780	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	124
PID 3180 wrote to memory of 1780	3180	{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe	124
PID 644 wrote to memory of 3980	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	125
PID 644 wrote to memory of 3980	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	125
PID 644 wrote to memory of 3980	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	125
PID 644 wrote to memory of 4824	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	126
PID 644 wrote to memory of 4824	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	126
PID 644 wrote to memory of 4824	644	{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_d7e69a63e912945cc826f7d2490edac8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\{F3D52E40-111B-4460-B211-847733496A32}.exe
  C:\Windows\{F3D52E40-111B-4460-B211-847733496A32}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3D52~1.EXE > nul
    3⤵
    PID:2676
- - C:\Windows\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
    C:\Windows\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66DFA~1.EXE > nul
      4⤵
      PID:2532
  - - C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
      C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD2E~1.EXE > nul
        5⤵
        
        PID:3828
    - - C:\Windows\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
        
        C:\Windows\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
        
        C:\Windows\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E19~1.EXE > nul
        7⤵
        
        PID:4460
        
        C:\Windows\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
        
        C:\Windows\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BFD8~1.EXE > nul
        8⤵
        
        PID:2468
        
        C:\Windows\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
        
        C:\Windows\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
        
        C:\Windows\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe
        
        C:\Windows\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDADA~1.EXE > nul
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B70A~1.EXE > nul
        9⤵
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022EA~1.EXE > nul
        6⤵
        
        PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe

Filesize
306KB

MD5
bc6b4a6a6d0c2a2b7c8d2728f2a7ae5a

SHA1
1b8be5e967dff364aa7423e7373478177dd34840

SHA256
f609ddb0f680f4ee36753abf8716d7e3d5d9a711e111b3c20455d4c2b448c2bc

SHA512
fd6a1edc8ea861c2ff2b77fe6977038e94434d8c31d6fd9816311df0bdd0bccde4b0e0f25eae6086f1c48fb3ba61e1b9a5b0d769d580c9d3969f78455946405f

Download Submit
C:\Windows\{022EA18E-0B0A-42bf-9DEF-01D8FDC163D2}.exe

Filesize
121KB

MD5
1dd87b11b0a397fcde56533de98c0059

SHA1
57bb392d6e98369df3de9641029ee8aa1f1e687e

SHA256
82eb5165632bbcc7133a3cf6ec52ad79866b4580cfe7ef92955253ab77b5f908

SHA512
8f38df994ab2485b98e6eb65abbfa0dbb65dc91bf52ea7b8f06f270e8377202105ca8701e09d92b3686cc684c7678bd97b9417cc0ba14e1e6e60c0844c66f156

Download Submit
C:\Windows\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe

Filesize
30KB

MD5
e8e91c47853c737491f8dc05454ac381

SHA1
44aec7ef29388c59ce70c3f6b5fc223c008a7dfc

SHA256
409244ac68aa3666b4154e4f814b22235f0ecd52178c756ad2a3699d14acf74a

SHA512
4dff3aabc93c6da60af049d91660768e3af167f5eb27307d7154447f0d4cbd21a324de20807099cf097566e6c764b7b38549d45fe01fb4a24e7532bb2d142959

Download Submit
C:\Windows\{0B70A07D-D3B9-47ca-B64C-F4F8B344792F}.exe

Filesize
13KB

MD5
4975ac49ad243b69e98791eae85c00e7

SHA1
2c42e0b8b695c10dc454507c8fd0be9e72b0b2ff

SHA256
178ee4ebe2f2c97c440e67b5d95c9773de366ee4db8b9df12742aa7399b5f3ef

SHA512
fb6d3f93d27dceb32461cc7ec69fb147b91358f75b7198846aa6f797a022bc7f3f8079905f491b15d031e570b14217109a41bee63a2fa19125c31ee950939d63

Download Submit
C:\Windows\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe

Filesize
31KB

MD5
0414aa6ac6c20cfbf0401aa2a2967727

SHA1
dd8e9efe96d8f9bff5dfc15d01274f9bc6b97f6c

SHA256
c0230aec43f1713d5e5d2f6dd499f1fb7a024d08f5cbc9350e97e02f183935b3

SHA512
cc76c0e57cf5d0339b371cd179e993d3d1fd73da3d9630451f4ff84b47bd445a77297e7f59ecb65704c5b058fe162582f680359fb4345dcf21ffcaa7bb830fb4

Download Submit
C:\Windows\{66DFA1BF-FD69-431e-8243-F46C8945AEAF}.exe

Filesize
48KB

MD5
2a0cbdef5e0cda1995981d94f4bb2119

SHA1
04bd4579ab92aaf47a8c86d5b23175a6878314e2

SHA256
8f6da238d6b5d65e68b5914694f061736ae298d11d960d3564e08165c25ea15b

SHA512
a356ec48cd746f5be2476a092dffcfb391e47d03139b7c98977a3da9a8683d5d0fd44ededf872648953dc8a7096b6a50a10198e0cdb7b16fc9530923f742b0d3

Download Submit
C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe

Filesize
1KB

MD5
e390d5e1c9a5f95b99521de37c76e69b

SHA1
37cde85109a08b3b0d68aef382e00b09f3768e2d

SHA256
80ca884b931bb88ac3c9c819bf370704a34239361066e032d31c01fe2e1ee4c6

SHA512
fad1ef08769adc38455e2b5a614e36854b41144719f164202398888d97d387dac4c98de29088b222fb2756fe416ef6deb4fdf88649aa55ea91de4927542f8e69

Download Submit
C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe

Filesize
54KB

MD5
d8d0e214f9bbbed6c6f6fffbd40929bf

SHA1
77d0eebae0ab281cd93cb8784f808da76b94a42e

SHA256
17e7d44fdd36a46c93d3472b2c860316c96e3760e05b9c4c3c66daf53f14b64f

SHA512
48e7161b5da61ed37d88d7700096af7ccb4c0f77f18104986742917cd46465b454b10abc2d17898bc6816f59f50fdbd2c82011bd1015ba801d364f98312e85dd

Download Submit
C:\Windows\{7CD2EB89-31FD-4a01-8CFE-A9F3D17DAC02}.exe

Filesize
26KB

MD5
7dc49fb52425bf66dacdf8149a0f878f

SHA1
5e23dfc9bdfe4e6de88ae53549db6f27757ea216

SHA256
d5133cfda39499a4bf63ec935e495ac56e682edd6c3c100fdc5ecbb6ca01af61

SHA512
8adf31f5d9f77284cea4092eedb5b5a74a23155751ee64dea357c9f645531cc4554816c43c1766cc76780536b86688272c8a059b3fb02b9b82cc5356dd8e087f

Download Submit
C:\Windows\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe

Filesize
24KB

MD5
d7a6edfe237a7c3b89a4845bafca36db

SHA1
7e68c87d7b3a643f4243dc27630307549df9ab70

SHA256
d59a92ba845a4f6435a4fd470df586cd5f21915b93f01194202e1a1406b89a9a

SHA512
174eabf19becedec2d3d6af4c3d56bf2976523e6285e1c10c63c030f5acc14d4eaee0758ff7be315f7e179a9a18cda9eef1b210b2fa870ef795a5c82b1920cc2

Download Submit
C:\Windows\{8BFD8512-FB7D-4f5f-9A82-AAA04446017D}.exe

Filesize
14KB

MD5
d09019a11f71afdabc836f911ca0820f

SHA1
d2156c2cc31a7ac26ace83fd0d8ac423d3933bad

SHA256
6909384ef9a4959f3bc51905c902d48f08006bb9b002ea80786dbbbf14fc8786

SHA512
942eb702873224cbf3d2d9973499f62d6ac4a059bd0d700e28e4d133534b615eba2b6503820e1b2dd86ff02260af6a920f636861e70b73412cf5d524b0e0aca9

Download Submit
C:\Windows\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe

Filesize
98KB

MD5
615dabcbb20946b336683d6e04b3df2e

SHA1
99f25331696acec379a0178f221e0ba96f79bd0c

SHA256
040d39bc2785cb78a5ac4ad6d5be64182738b11b8b87f4e4f7aa2acc1d362f95

SHA512
d0524f9bd2f56324788fbb063af46d2cf0e239704cb4dd12ac4062cf4f608647160650aaac6882cdec11e76c67a64722f8566b145ab43bef87723bd2093dc6d4

Download Submit
C:\Windows\{9C74DB93-E27C-4a0e-963A-3D8023FDD4A7}.exe

Filesize
85KB

MD5
923655e2306ab074c6a9995b34693fd9

SHA1
a01019f66fc14ba2793753edca53f1d54294b0be

SHA256
c63bbfa50a855ee864b49b22350ddf788ea3c05bc12ca3b1c9a314f8e6a7bd89

SHA512
4ac8259c367190cb30abcf7b83618592586f85c6127d6df8acb63838db47551359b9143101fc37e8f35da03b8315b1c5522edd93f3734ed5cbbdaf7b647c846d

Download Submit
C:\Windows\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe

Filesize
71KB

MD5
b42ebc332ed056a6b2cdb6dae80ecc6b

SHA1
fdc55b8172028a468511779582f881ac7f9406a7

SHA256
bd0791535fc98ce6a7a4abac692539545dfd9ca9ac7791f51614b5dee7694fe1

SHA512
59e8b0a5af3d41126720d71c5b198db04a7c67ba78e300079438b10a8dfb60d26e9f6b495c36836efc8bab184e9ac326d6d87213081c67cda574d4a2ffe3a814

Download Submit
C:\Windows\{E4E19A7D-8BBF-4c7d-B9C3-9E39715AD8EE}.exe

Filesize
47KB

MD5
d036bd42772815d5d8df207e61062ac7

SHA1
84d9815fb8c4f88db1ef6ae2d8b77ba570c1cddb

SHA256
83c3188a47932e98a44d6abed6c80b3d646867702211e1db54df68dff846d5c4

SHA512
c119e240459cd393f9340529cc5b11da602dcdb3b2cbec967ee9188b366ce6209c1eedeeeb9f1aec7dd60efc01fa835b09d9bf91cd1b56b3485530aebba0e49a

Download Submit
C:\Windows\{F3D52E40-111B-4460-B211-847733496A32}.exe

Filesize
52KB

MD5
072b66cbb104a19945f8f7c6866cff03

SHA1
acabf5d8ad6390e519be1164e87a7f06eea62436

SHA256
d9503083b5b0a573fe45bd457bf040691783ec5cf7fea4aa3fe78c53929b2f9e

SHA512
2eca93e907239f97a0cf3b7887bf95b3af058cf406dd37803a2b847aa224a21aebf592306e22f8cb86c6d784d12b290d33c1b0c37160bea218e85bc7b2762d75

Download Submit
C:\Windows\{F3D52E40-111B-4460-B211-847733496A32}.exe

Filesize
78KB

MD5
bab63db935951d1783c7a1c0334d60a4

SHA1
bfabc095ce6f05b6869899c9e09705b5f6313f39

SHA256
0aab6d13c6f03361732a3fcf975cf1c34736226c7d44dc40a95610195919eab9

SHA512
a1aeaf2eb389ba49640e15f8b76d318fefba5a7a1a79e8ce3a905a4caa8fe47f5139fe7c0779f551e8ed8b89008937391967ab6bfb13fc711abe8f8fe972c978

Download Submit
C:\Windows\{FDADAF35-69C8-48ee-9375-DC66AD81B3CC}.exe

Filesize
408KB

MD5
292c4193eb8dfa38fcbbcabecbd3c4aa

SHA1
0f15436a17e8cd5767d0efa8a5ecb53541c4478c

SHA256
d77ab07da84fd7bc5590e448c37a28dd8bfd1571be9ec87e3976d0616aa75751

SHA512
3558b9b07925b3d59b029cc532c1563691e099feb9e264f172507842cf5bffbbbd3f8a94fa9520c632207efe9e565a0298d290c0b98701a84fe731032ea438bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads