334b6f9fb9aed8801b470433519f76593b60d880067238dec0afbfd84fc30cc3

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
Size

204KB
MD5

d46544f9d529fa71710758dac91a97c2
SHA1

f45bf486235c70a7c5fd7abe74101be0962a1ce4
SHA256

334b6f9fb9aed8801b470433519f76593b60d880067238dec0afbfd84fc30cc3
SHA512

86fe250606f5b40ebc133ef7269b423fe4c50959d97a18029e61bf6c6c40f0cbab49a0eef69eabc128b94229717a5f225f9ce6a8fad6d686d36a9d77eece641f
SSDEEP

1536:1EGh0onl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0onl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3CF0E2-BA19-4364-802E-1693646E5559}	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3CF0E2-BA19-4364-802E-1693646E5559}\stubpath = "C:\\Windows\\{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe"	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}\stubpath = "C:\\Windows\\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe"	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}\stubpath = "C:\\Windows\\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe"	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}\stubpath = "C:\\Windows\\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe"	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B2610D2-21C4-482c-B510-CBA608F8228F}\stubpath = "C:\\Windows\\{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe"	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}\stubpath = "C:\\Windows\\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe"	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}\stubpath = "C:\\Windows\\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe"	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}\stubpath = "C:\\Windows\\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe"	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}\stubpath = "C:\\Windows\\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe"	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC653BB-4BBE-4113-8703-332DCE14F95E}	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC653BB-4BBE-4113-8703-332DCE14F95E}\stubpath = "C:\\Windows\\{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe"	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5280BE70-8F72-4311-8E6E-33E3E313D58A}	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5280BE70-8F72-4311-8E6E-33E3E313D58A}\stubpath = "C:\\Windows\\{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe"	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B2610D2-21C4-482c-B510-CBA608F8228F}	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe

Executes dropped EXE 11 IoCs

pid	Process
3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe
2444	{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
File created	C:\Windows\{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe
File created	C:\Windows\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
File created	C:\Windows\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
File created	C:\Windows\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
File created	C:\Windows\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
File created	C:\Windows\{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
File created	C:\Windows\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
File created	C:\Windows\{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
File created	C:\Windows\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
File created	C:\Windows\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
Token: SeIncBasePriorityPrivilege	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
Token: SeIncBasePriorityPrivilege	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
Token: SeIncBasePriorityPrivilege	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
Token: SeIncBasePriorityPrivilege	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
Token: SeIncBasePriorityPrivilege	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
Token: SeIncBasePriorityPrivilege	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
Token: SeIncBasePriorityPrivilege	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
Token: SeIncBasePriorityPrivilege	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
Token: SeIncBasePriorityPrivilege	3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3576	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	90
PID 4896 wrote to memory of 3576	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	90
PID 4896 wrote to memory of 3576	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	90
PID 4896 wrote to memory of 3352	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	91
PID 4896 wrote to memory of 3352	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	91
PID 4896 wrote to memory of 3352	4896	2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe	91
PID 3576 wrote to memory of 2340	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	95
PID 3576 wrote to memory of 2340	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	95
PID 3576 wrote to memory of 2340	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	95
PID 3576 wrote to memory of 684	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	94
PID 3576 wrote to memory of 684	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	94
PID 3576 wrote to memory of 684	3576	{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe	94
PID 2340 wrote to memory of 920	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	103
PID 2340 wrote to memory of 920	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	103
PID 2340 wrote to memory of 920	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	103
PID 2340 wrote to memory of 2168	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	104
PID 2340 wrote to memory of 2168	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	104
PID 2340 wrote to memory of 2168	2340	{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe	104
PID 920 wrote to memory of 4260	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	107
PID 920 wrote to memory of 4260	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	107
PID 920 wrote to memory of 4260	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	107
PID 920 wrote to memory of 4344	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	108
PID 920 wrote to memory of 4344	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	108
PID 920 wrote to memory of 4344	920	{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe	108
PID 4260 wrote to memory of 1780	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	109
PID 4260 wrote to memory of 1780	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	109
PID 4260 wrote to memory of 1780	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	109
PID 4260 wrote to memory of 5044	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	110
PID 4260 wrote to memory of 5044	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	110
PID 4260 wrote to memory of 5044	4260	{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe	110
PID 1780 wrote to memory of 988	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	112
PID 1780 wrote to memory of 988	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	112
PID 1780 wrote to memory of 988	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	112
PID 1780 wrote to memory of 2284	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	113
PID 1780 wrote to memory of 2284	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	113
PID 1780 wrote to memory of 2284	1780	{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe	113
PID 988 wrote to memory of 2440	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	114
PID 988 wrote to memory of 2440	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	114
PID 988 wrote to memory of 2440	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	114
PID 988 wrote to memory of 2508	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	115
PID 988 wrote to memory of 2508	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	115
PID 988 wrote to memory of 2508	988	{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe	115
PID 2440 wrote to memory of 3300	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	116
PID 2440 wrote to memory of 3300	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	116
PID 2440 wrote to memory of 3300	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	116
PID 2440 wrote to memory of 748	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	117
PID 2440 wrote to memory of 748	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	117
PID 2440 wrote to memory of 748	2440	{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe	117
PID 3300 wrote to memory of 1636	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	121
PID 3300 wrote to memory of 1636	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	121
PID 3300 wrote to memory of 1636	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	121
PID 3300 wrote to memory of 4732	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	122
PID 3300 wrote to memory of 4732	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	122
PID 3300 wrote to memory of 4732	3300	{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe	122
PID 1636 wrote to memory of 3952	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	123
PID 1636 wrote to memory of 3952	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	123
PID 1636 wrote to memory of 3952	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	123
PID 1636 wrote to memory of 1652	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	124
PID 1636 wrote to memory of 1652	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	124
PID 1636 wrote to memory of 1652	1636	{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe	124
PID 3952 wrote to memory of 2444	3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe	125
PID 3952 wrote to memory of 2444	3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe	125
PID 3952 wrote to memory of 2444	3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe	125
PID 3952 wrote to memory of 1624	3952	{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_d46544f9d529fa71710758dac91a97c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
  C:\Windows\{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5280B~1.EXE > nul
    3⤵
    PID:684
- - C:\Windows\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
    C:\Windows\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
      C:\Windows\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
        
        C:\Windows\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
        
        C:\Windows\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
        
        C:\Windows\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
        
        C:\Windows\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
        
        C:\Windows\{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
        
        C:\Windows\{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe
        
        C:\Windows\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe
        
        C:\Windows\{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C8D7~1.EXE > nul
        12⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF3CF~1.EXE > nul
        11⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC65~1.EXE > nul
        10⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B4F~1.EXE > nul
        9⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E74~1.EXE > nul
        8⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E3D~1.EXE > nul
        7⤵
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA07~1.EXE > nul
        6⤵
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D7E~1.EXE > nul
        5⤵
        
        PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC6D5~1.EXE > nul
      4⤵
      PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3B2610D2-21C4-482c-B510-CBA608F8228F}.exe

Filesize
204KB

MD5
d0b97c100649252928f5f3c302ee0c93

SHA1
baf9d19eb87605491a8f0c068ae039edd2b8bdf6

SHA256
9dcd29d7c0104257b1b2222cf7733f6c21fbb0d4c9bf32371640a9f4dc125aa4

SHA512
cfd1e8c95544bdad051790377922eebb46bda6a82d380edb5d8e2dc11d8725a0014072a84996cb38d5cb0d8a580a4dd7f1a8a431a28daf18a39bf562a723a971

Download Submit
C:\Windows\{49E3DE24-B2D2-4ef4-9E3D-731C5ED677C3}.exe

Filesize
204KB

MD5
2e19390b99f93962bb0716aae8263a23

SHA1
3fbaff5f33066881a642ef3966c40df571378b38

SHA256
875390c1994201c63e8b3b2b64b32787c5627e754edb297e4cabd2f41e9d2faf

SHA512
53122beda65714bdadad682328b567782004d579998b02aeb17cb76b9186d21e33bdea537dc122233e6ebb4924b39b132ed4a9212678beea91606e3a2b4ead85

Download Submit
C:\Windows\{5280BE70-8F72-4311-8E6E-33E3E313D58A}.exe

Filesize
204KB

MD5
2a79be0dcf209a3f0fa7d0e69c606122

SHA1
d8ffcbc6a626db30319cb1c7d494c7d97871567f

SHA256
bcea36f5ef8f1b009fa5f6176bc0e023ff61d881b774a92d668c4545070bdf15

SHA512
1ca57bf234d3d78df47c82bb39e1537e64d632dc0b75edb6a745564d5f07fe48184a4e3e05e7694553a24bb1b84e5063e3a99eadc9ddfee8377b5bf9a605e8fd

Download Submit
C:\Windows\{5AA07E21-B3D5-41c4-89F7-034A9D179AC1}.exe

Filesize
204KB

MD5
98b046d0d74b9cfe485a58d808a91000

SHA1
b80ffe5e33b3f5c5f6ccf56fa14b1487f0581309

SHA256
6eff68724751f384573f91494ab477ea588d78bed316a1e9d6445be9fb8c5035

SHA512
78c737f8fb9851c21cf7ef3ff85dc1d9e3f1891af96863fe7d8c0c839b39486ab4ed70799de6a8a40b7e55f2438ccf1a32f3cc3d8c0ba2718ebb4192d7818979

Download Submit
C:\Windows\{79D7EE52-3AB7-47d4-AE74-9E02EE81BF73}.exe

Filesize
204KB

MD5
4b3a33c3f87a87a8642f49bb12d9bcaf

SHA1
a83f5f15b2e936c727c2b3498b6d194de6752f69

SHA256
36df0479a792eb70773ce983f42cfb04107e0b5414598aac60155451a73fc924

SHA512
d149c7e02d39570c5104450b445e2d5ca43e08fd3bed2b5e56cec21a1df08726336e51d8ee9ac242a5093fe42a58f7eac76e78c3cb12d4f1926080bb9947b1e9

Download Submit
C:\Windows\{7C8D7482-99BC-4d7e-8F29-B5EDD6366F98}.exe

Filesize
204KB

MD5
fcf9e614e1cb69c977cf0eb60e3774e0

SHA1
dd8e7b665b2237eee4adf3293ee18681a3b8f376

SHA256
ae5be5856152e45111f4c99c4232702e9f40f78d6eb22a0ba17c97db0ecb354d

SHA512
bdc9c4f2d77f5f3619ee30a73939168b78218eb68b01ce0c06e2bf93d9594f177c409e3b4ab1328f28de4610e8f2ccb634b62f01d9bfea4cfe42f5e87f61b068

Download Submit
C:\Windows\{AF3CF0E2-BA19-4364-802E-1693646E5559}.exe

Filesize
204KB

MD5
d4df3035f24c8367484f763ee46a656c

SHA1
a7f474cb9b1218bdf575db0b9dc9ce45d13cfc61

SHA256
95af5f0ef9cde5336f27de960cbbe39055075f412e856af2c5d28402c32e7a74

SHA512
44788f615e696501c3a823d03239bcd7aaa201cfb42ec2319bbccf4a27b947f69360247004feaa23aaf81b2df03431b6d05f9673d801af06bbf4a2c2bd7bae90

Download Submit
C:\Windows\{E9B4FB83-94AF-41ab-9D76-9774E06AD6FB}.exe

Filesize
204KB

MD5
44d519247e5d05be9557e26170294337

SHA1
6d760bffc8272d4e2694623e99ac01e3391c52f9

SHA256
9a3f831b9470fb56e322ef557a02e00b38e66a6263ca1fe5407ccce75b96aaf9

SHA512
57fffacc135658dc5ca00e9bc73d12fe1716386f3a562b956465ae2e4176efe43fccda8c67d5f51ee054e405ffa14da4ff7919419d014f286b373cd3a831afa4

Download Submit
C:\Windows\{EC6D5DB3-A176-4bb3-93B0-F1A47887A678}.exe

Filesize
204KB

MD5
4fde867632ce91a8e352dc676f816804

SHA1
31c726d8c3d0c6beb4b447e5ce2f88bc1acdbdf9

SHA256
e89ed50d91a19020b16a7ab594fbb35fdc48e28bd27a5a29441205ffdf487c59

SHA512
93dd51f455f8f129cc13f3de0860a24d15697b3d96ec2cdade75f6d0594eb2f4b3af5b130b9c984667b8ed5a7c735ed95f1f2de75bb5738b9e6f090ec3f52a4e

Download Submit
C:\Windows\{EDC653BB-4BBE-4113-8703-332DCE14F95E}.exe

Filesize
204KB

MD5
6e360bb306430468770a529d600c0842

SHA1
a60fa23fde2f76fb0135db87e573aea3a7e27308

SHA256
e0a40382504e49003d6f005a6aa9b4dbf68f9c010f91c53c2a433518b10db0c5

SHA512
11968f03050550126ec0c5e70c2de07b71a23bdaacc9d06bc5848f937441be2991403f6bc19e7e9ad7fa721abbb7257b9a3c776accb04520ab018d41a48f9080

Download Submit
C:\Windows\{F3E7470A-390E-4f09-882D-3CEC3EA0D0BB}.exe

Filesize
204KB

MD5
5451e36a2ced79e475e1272fb6714158

SHA1
f9a6935b7fb6b5ded7132c159ed7de6df8adb68a

SHA256
fa4829e58eab50de31ee300500539c6d48029c3398704f5e4cd37da8dd3c665a

SHA512
fa1858a93134b22b68a0ca667ffeb45dd1db5108847ab7b225f30b10973c64058710a043637adc32e5ff644e375cc8e8d30a7d6686267d886f596adad4351d87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads