746e41b0ebe89f9912780645849a17e7506c1fd8e149e923d80ee17970a788ef

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Size

380KB
MD5

03db89c3f85ef8203a180a2b3cecc04e
SHA1

2fb12a1f9f57697914eae9f6a767eae647268b61
SHA256

746e41b0ebe89f9912780645849a17e7506c1fd8e149e923d80ee17970a788ef
SHA512

c515a40c54a8bc2fa781f5bf5acf8b1eb26420031183d616d4d5125bf9a9ae886e6bf33c390d62b5e84eb31b3ae6ec30d55a2a18be988e8c400b132669b37a48
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}\stubpath = "C:\\Windows\\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe"	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}\stubpath = "C:\\Windows\\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe"	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9947D72-771F-4deb-9EF0-C37227E44411}	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}\stubpath = "C:\\Windows\\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe"	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A1455F9-6EEF-441e-8176-4731BB5CD599}	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}\stubpath = "C:\\Windows\\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe"	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13583A09-FB87-4b42-9049-2DCC21B71B0A}	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9947D72-771F-4deb-9EF0-C37227E44411}\stubpath = "C:\\Windows\\{E9947D72-771F-4deb-9EF0-C37227E44411}.exe"	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A1455F9-6EEF-441e-8176-4731BB5CD599}\stubpath = "C:\\Windows\\{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe"	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0FEC32-4A78-4b9d-A399-149F73A48517}\stubpath = "C:\\Windows\\{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe"	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}\stubpath = "C:\\Windows\\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe"	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13583A09-FB87-4b42-9049-2DCC21B71B0A}\stubpath = "C:\\Windows\\{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe"	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B0FEC32-4A78-4b9d-A399-149F73A48517}	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}\stubpath = "C:\\Windows\\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe"	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}\stubpath = "C:\\Windows\\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe"	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe

Executes dropped EXE 11 IoCs

pid	Process
4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
3824	{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
File created	C:\Windows\{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
File created	C:\Windows\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
File created	C:\Windows\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
File created	C:\Windows\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
File created	C:\Windows\{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
File created	C:\Windows\{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
File created	C:\Windows\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
File created	C:\Windows\{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
File created	C:\Windows\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
File created	C:\Windows\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
Token: SeIncBasePriorityPrivilege	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
Token: SeIncBasePriorityPrivilege	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
Token: SeIncBasePriorityPrivilege	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
Token: SeIncBasePriorityPrivilege	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
Token: SeIncBasePriorityPrivilege	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
Token: SeIncBasePriorityPrivilege	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
Token: SeIncBasePriorityPrivilege	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
Token: SeIncBasePriorityPrivilege	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
Token: SeIncBasePriorityPrivilege	2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 4164	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	98
PID 2476 wrote to memory of 4164	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	98
PID 2476 wrote to memory of 4164	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	98
PID 2476 wrote to memory of 2792	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	99
PID 2476 wrote to memory of 2792	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	99
PID 2476 wrote to memory of 2792	2476	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	99
PID 4164 wrote to memory of 4380	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	102
PID 4164 wrote to memory of 4380	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	102
PID 4164 wrote to memory of 4380	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	102
PID 4164 wrote to memory of 4784	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	103
PID 4164 wrote to memory of 4784	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	103
PID 4164 wrote to memory of 4784	4164	{E9947D72-771F-4deb-9EF0-C37227E44411}.exe	103
PID 4380 wrote to memory of 1976	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	106
PID 4380 wrote to memory of 1976	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	106
PID 4380 wrote to memory of 1976	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	106
PID 4380 wrote to memory of 1496	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	105
PID 4380 wrote to memory of 1496	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	105
PID 4380 wrote to memory of 1496	4380	{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe	105
PID 1976 wrote to memory of 3788	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	110
PID 1976 wrote to memory of 3788	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	110
PID 1976 wrote to memory of 3788	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	110
PID 1976 wrote to memory of 2792	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	109
PID 1976 wrote to memory of 2792	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	109
PID 1976 wrote to memory of 2792	1976	{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe	109
PID 3788 wrote to memory of 3508	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	112
PID 3788 wrote to memory of 3508	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	112
PID 3788 wrote to memory of 3508	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	112
PID 3788 wrote to memory of 2380	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	111
PID 3788 wrote to memory of 2380	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	111
PID 3788 wrote to memory of 2380	3788	{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe	111
PID 3508 wrote to memory of 3500	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	115
PID 3508 wrote to memory of 3500	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	115
PID 3508 wrote to memory of 3500	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	115
PID 3508 wrote to memory of 4084	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	114
PID 3508 wrote to memory of 4084	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	114
PID 3508 wrote to memory of 4084	3508	{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe	114
PID 3500 wrote to memory of 4652	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	117
PID 3500 wrote to memory of 4652	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	117
PID 3500 wrote to memory of 4652	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	117
PID 3500 wrote to memory of 3648	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	116
PID 3500 wrote to memory of 3648	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	116
PID 3500 wrote to memory of 3648	3500	{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe	116
PID 4652 wrote to memory of 3464	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	118
PID 4652 wrote to memory of 3464	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	118
PID 4652 wrote to memory of 3464	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	118
PID 4652 wrote to memory of 900	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	119
PID 4652 wrote to memory of 900	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	119
PID 4652 wrote to memory of 900	4652	{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe	119
PID 3464 wrote to memory of 4872	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	128
PID 3464 wrote to memory of 4872	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	128
PID 3464 wrote to memory of 4872	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	128
PID 3464 wrote to memory of 1572	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	127
PID 3464 wrote to memory of 1572	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	127
PID 3464 wrote to memory of 1572	3464	{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe	127
PID 4872 wrote to memory of 2380	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	129
PID 4872 wrote to memory of 2380	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	129
PID 4872 wrote to memory of 2380	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	129
PID 4872 wrote to memory of 712	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	130
PID 4872 wrote to memory of 712	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	130
PID 4872 wrote to memory of 712	4872	{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe	130
PID 2380 wrote to memory of 3824	2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe	132
PID 2380 wrote to memory of 3824	2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe	132
PID 2380 wrote to memory of 3824	2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe	132
PID 2380 wrote to memory of 2232	2380	{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
  C:\Windows\{E9947D72-771F-4deb-9EF0-C37227E44411}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
    C:\Windows\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{466E6~1.EXE > nul
      4⤵
      PID:1496
  - - C:\Windows\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
      C:\Windows\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB3B~1.EXE > nul
        5⤵
        
        PID:2792
    - - C:\Windows\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
        
        C:\Windows\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F458F~1.EXE > nul
        6⤵
        
        PID:2380
      - C:\Windows\{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
        
        C:\Windows\{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A145~1.EXE > nul
        7⤵
        
        PID:4084
        
        C:\Windows\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
        
        C:\Windows\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874E9~1.EXE > nul
        8⤵
        
        PID:3648
        
        C:\Windows\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
        
        C:\Windows\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
        
        C:\Windows\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5696F~1.EXE > nul
        10⤵
        
        PID:1572
        
        C:\Windows\{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
        
        C:\Windows\{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
        
        C:\Windows\{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0FE~1.EXE > nul
        12⤵
        
        PID:2232
        
        C:\Windows\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe
        
        C:\Windows\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe
        12⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32EFF~1.EXE > nul
        13⤵
        
        PID:412
        
        C:\Windows\{19C9B6AC-D1F7-4fb3-AEB2-8E45632E06AC}.exe
        
        C:\Windows\{19C9B6AC-D1F7-4fb3-AEB2-8E45632E06AC}.exe
        13⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13583~1.EXE > nul
        11⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2220B~1.EXE > nul
        9⤵
        
        PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9947~1.EXE > nul
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FB3B573-7D43-414c-9BDF-6F3169FCE96D}.exe

Filesize
95KB

MD5
bfb8ca0971818ab0e7889d78d3f16021

SHA1
41e6e6d3aa123b4147e252f2924f6c93a8b6ca74

SHA256
7544cd1d9545e8e2ed5afcc15278ef17e6568b1f8730cccfdefd42ac26b28d7a

SHA512
6c221e53be5a3e427419b00b11181adf2d121a6246a29fd50a82f1d28f6722c0a259aa2b6a179abaad95e090ad591f44104534a2345603e7ab91adbde53a0438

Download Submit
C:\Windows\{13583A09-FB87-4b42-9049-2DCC21B71B0A}.exe

Filesize
380KB

MD5
5dff2dd27a778f07573a8e86fe3f8de0

SHA1
f337845cac53d9214ba4ef8b69f87285e272ea10

SHA256
40d151a1fafa7113a4190498e22dbb6efd2ed0de0aa40c61edc1fcb093a1f819

SHA512
e746fa05b4c06d5cb633c2235d0e864cb23ecdd5393312cbf0442a2f1147e0ebf057c42e30c0b8c1b5c0cadc8bbad3c40ab08461e80c5fde5c7048266b41c0a0

Download Submit
C:\Windows\{19C9B6AC-D1F7-4fb3-AEB2-8E45632E06AC}.exe

Filesize
380KB

MD5
73b4f276f9cc276feb2312e3b685c3bb

SHA1
fa845ae3a79c12b8848cf538450984cb7e3594a0

SHA256
36ceb98e55b97f6c87e4a2c67884513b28f8224dcb171ba73847d3ce70d76b2a

SHA512
cdb03f9553bb3d224189244b824fbc14593de1c01708ecdfd939e521997a56ba6ad0e870361c1ecc07454b7e8c669256b0e03d3ad1b563252e4aa747a87d875b

Download Submit
C:\Windows\{2220BADD-9E01-4262-A8AF-DE95475FA6F6}.exe

Filesize
380KB

MD5
6ab4e4929195a8a80990b6443fc6049d

SHA1
7e31668ca33799b93a56f4e92118a5322404f545

SHA256
e6354fc0ad54c34aac87d48cc2a30fa8ab8b5be9d924039436f2f465343f0aaa

SHA512
7f7d9987f3275145188ffddc5090f74a4a5d2acedb324c5166638ddbf36e9b58f21b1f28112cc1f51b86cf7a13043f4308db4510278d2e7a512594323c883053

Download Submit
C:\Windows\{32EFF9E8-E3EF-49d2-B444-CA748C48E64B}.exe

Filesize
380KB

MD5
3bcbefc510a3997941c04216dcf147f3

SHA1
6b82c8f5ed576a868fed36927cb2c6bc64628b94

SHA256
c6610b3cceb4b42438ae300ff298e5939bb6705f1b94dd79bfa5a5e9c8260f49

SHA512
9f931f7592437210236c079058723d97a6babff76bd7e2a574c760c151f3ee0c721256948f59136dd5e157566dd5ab4fb17a1cbcb938ff7327b2857a9978d966

Download Submit
C:\Windows\{3A1455F9-6EEF-441e-8176-4731BB5CD599}.exe

Filesize
380KB

MD5
26951ff22cc7776ffcd3e9b76154557f

SHA1
7d5a2339639f940ce99a4f48e037046dc84b707f

SHA256
0b3109fa1c87e98b132f061ae32718308974b89d0e97a23791b51e190beac2c9

SHA512
739d868b1117d35fe6385b2d68f517d5145f4879721026861b2319eaf7910bd670aef53014e421fc19ee7d666d6ac144b578cea4e3a1b763be07bbf6ff915173

Download Submit
C:\Windows\{3B0FEC32-4A78-4b9d-A399-149F73A48517}.exe

Filesize
380KB

MD5
2d8bc5d88a4123797aab3c1e20fdd43c

SHA1
6f7b40499d88935795b099de4cc8ce2b71407366

SHA256
a64f61a08aa3ee6d473e2b826706d99c43b9805a81292515a2132075c235634c

SHA512
e0432d0f1476e176fa734a5a36c01fd80abbca377d01e824e2858167d01f946f10072805c10df85e6262589fb85eb7b9a2ac4aaea32f16ac892e3c799b35ab9b

Download Submit
C:\Windows\{466E6E6B-CB29-4ace-A0EA-3645B026A4F9}.exe

Filesize
380KB

MD5
3eafe39d9a1759bd0231bf8fdcdadfc7

SHA1
f7b98e8fc731efbadae33bd21d73e7c8883a7f6f

SHA256
5f0552b64a4b22191bc04dba22e28c52082b40346cc88f43f63b3e687ad1137b

SHA512
6033ec6dca28d4db0b7771d273e12a619872f2df3e261b5cc3ab9c52864032c5555c3576b94210c97151ba931c87decce041c4267b1dec9d3b445c8fb6390b3b

Download Submit
C:\Windows\{5696F3DC-4877-4db9-822D-B2AA2C72FDD7}.exe

Filesize
380KB

MD5
cb1b691867d5965d2aa86601b655b540

SHA1
f132ed3e15776f839d1f38f4fad4fe8cc265c0e3

SHA256
e9ed50ac52a5cdac75795da4d91e69bd43c82cf486ab2abe344460e75dcb163f

SHA512
6a630f21128881486921ecf712ca9fc66c6796b392be2d5b3d5b6edfa838a3d1ead36d57395187ea63de8168d5e9fb81f0ccc292887e3ed8b832c80c066eaec9

Download Submit
C:\Windows\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe

Filesize
380KB

MD5
ba48ffe5f846e1ff3d39e7ea23ed541d

SHA1
20c356ba0dbff6425ff82da817d45d8a12458a2a

SHA256
f8f720992770a60de98cedd05bbb68bd40e696af77f2834107d1fe0f12f6f457

SHA512
363c1fa200b8061292e67546b2f130d3b035925ff97f629c196b9fcfe7fabe3d65a55ac6d450329639a1d85c9a336a03d6cb2f3e76cd464e030bc06d0320c7b1

Download Submit
C:\Windows\{874E994D-360A-4e17-B7F2-6B4AE1BB9D0F}.exe

Filesize
93KB

MD5
b8b1aa7c67e81c309145fd6e6ebd2a19

SHA1
3cc862c87b97d2eb2f082194e04566f263b0b466

SHA256
0f548173af0b6d863bb22c5ee8e0febe69cc21eaba957e8f798bec5141d70aa5

SHA512
fb6a56ab4d4560d49e0b9f46e5200fe37fd868ca8449ca44027f0313988d1095c9ba7f90a1b6c71d05827c1493061d37d91f0e484150d5ff29c226a157283613

Download Submit
C:\Windows\{E9947D72-771F-4deb-9EF0-C37227E44411}.exe

Filesize
380KB

MD5
7254e979d92ccc9aa841e2f60d674761

SHA1
302720af03668f6acab95905754115686c298d38

SHA256
dd083671f3f1e133ac1d84103392f70f281e8987747d2f272d3948296fd6bb6d

SHA512
74e818596a579d325a2f2d842ec1325f8602e53b27c012bb6d7a9564e680e5cd460a48739f9b37a84d39f7ecb562eb2abaddda908e2e0e02f79ebb6a778b7475

Download Submit
C:\Windows\{F458F07C-1F66-4ec0-AEFE-2F9314B6F72E}.exe

Filesize
380KB

MD5
751062830282bc5fc861772095207874

SHA1
f1233e2ab4b6e8943f0c9afa853a5978e82907a0

SHA256
e82b46ca7dd03680b3e6c38cf41d35ca6412cf286b4759e6229024a213a2c88f

SHA512
e7b220bbf7b3d88523c7ef014a9f56ea9fff0132c54581ad3acb358c7d29f03f853073b3d3c3c645e137331f688874c0ceccc0e61b656e41b0344f3f8bba15d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads