772e39cfbdbbc007daee216be24fe70cd6cecc5e54915de0288c2505842acb5d

Analysis

max time kernel
168s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Size

180KB
MD5

31f7b4798c74d1b96897b7504e0f807f
SHA1

c3703db1b73f0a9d50d2f7610d02dcf8140a2365
SHA256

772e39cfbdbbc007daee216be24fe70cd6cecc5e54915de0288c2505842acb5d
SHA512

8a6b96f4d12e3eb27fb709e0727b0e0aabd2067137f7bfb1c335573f8ef7e6d2c11e73b5c8e1f92357e16d0e637a1b83181ff1caa351803e6f1a8c018fac9bd8
SSDEEP

3072:jEGh0oElfeso7ie+rMC4F0fJGRIS8Rfd7eQEsGcr:jEGelJeKMAEs

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01439510-E12A-4cbb-9752-038CFD399D6C}\stubpath = "C:\\Windows\\{01439510-E12A-4cbb-9752-038CFD399D6C}.exe"	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECB20B6-C157-486c-BE01-092887795AF7}	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}\stubpath = "C:\\Windows\\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe"	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BECB20B6-C157-486c-BE01-092887795AF7}\stubpath = "C:\\Windows\\{BECB20B6-C157-486c-BE01-092887795AF7}.exe"	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}\stubpath = "C:\\Windows\\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe"	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}\stubpath = "C:\\Windows\\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe"	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}\stubpath = "C:\\Windows\\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe"	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}\stubpath = "C:\\Windows\\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe"	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}\stubpath = "C:\\Windows\\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe"	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}\stubpath = "C:\\Windows\\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe"	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01439510-E12A-4cbb-9752-038CFD399D6C}	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe

Executes dropped EXE 9 IoCs

pid	Process
3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe
3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
4848	{BECB20B6-C157-486c-BE01-092887795AF7}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
File created	C:\Windows\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
File created	C:\Windows\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
File created	C:\Windows\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
File created	C:\Windows\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
File created	C:\Windows\{BECB20B6-C157-486c-BE01-092887795AF7}.exe	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
File created	C:\Windows\{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
File created	C:\Windows\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
File created	C:\Windows\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
Token: SeIncBasePriorityPrivilege	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
Token: SeIncBasePriorityPrivilege	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
Token: SeIncBasePriorityPrivilege	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe
Token: SeIncBasePriorityPrivilege	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
Token: SeIncBasePriorityPrivilege	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
Token: SeIncBasePriorityPrivilege	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
Token: SeIncBasePriorityPrivilege	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3528	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	97
PID 860 wrote to memory of 3528	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	97
PID 860 wrote to memory of 3528	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	97
PID 860 wrote to memory of 1736	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	98
PID 860 wrote to memory of 1736	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	98
PID 860 wrote to memory of 1736	860	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	98
PID 3528 wrote to memory of 3624	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	99
PID 3528 wrote to memory of 3624	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	99
PID 3528 wrote to memory of 3624	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	99
PID 3528 wrote to memory of 3896	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	100
PID 3528 wrote to memory of 3896	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	100
PID 3528 wrote to memory of 3896	3528	{01439510-E12A-4cbb-9752-038CFD399D6C}.exe	100
PID 3624 wrote to memory of 1540	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	102
PID 3624 wrote to memory of 1540	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	102
PID 3624 wrote to memory of 1540	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	102
PID 3624 wrote to memory of 748	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	101
PID 3624 wrote to memory of 748	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	101
PID 3624 wrote to memory of 748	3624	{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe	101
PID 1540 wrote to memory of 628	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	105
PID 1540 wrote to memory of 628	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	105
PID 1540 wrote to memory of 628	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	105
PID 1540 wrote to memory of 4668	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	106
PID 1540 wrote to memory of 4668	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	106
PID 1540 wrote to memory of 4668	1540	{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe	106
PID 628 wrote to memory of 3568	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	107
PID 628 wrote to memory of 3568	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	107
PID 628 wrote to memory of 3568	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	107
PID 628 wrote to memory of 1456	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	108
PID 628 wrote to memory of 1456	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	108
PID 628 wrote to memory of 1456	628	{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe	108
PID 3568 wrote to memory of 3364	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	113
PID 3568 wrote to memory of 3364	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	113
PID 3568 wrote to memory of 3364	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	113
PID 3568 wrote to memory of 3160	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	114
PID 3568 wrote to memory of 3160	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	114
PID 3568 wrote to memory of 3160	3568	{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe	114
PID 3364 wrote to memory of 1368	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	120
PID 3364 wrote to memory of 1368	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	120
PID 3364 wrote to memory of 1368	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	120
PID 3364 wrote to memory of 4516	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	119
PID 3364 wrote to memory of 4516	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	119
PID 3364 wrote to memory of 4516	3364	{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe	119
PID 1368 wrote to memory of 2712	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	124
PID 1368 wrote to memory of 2712	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	124
PID 1368 wrote to memory of 2712	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	124
PID 1368 wrote to memory of 2320	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	125
PID 1368 wrote to memory of 2320	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	125
PID 1368 wrote to memory of 2320	1368	{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe	125
PID 2712 wrote to memory of 4848	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	126
PID 2712 wrote to memory of 4848	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	126
PID 2712 wrote to memory of 4848	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	126
PID 2712 wrote to memory of 4880	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	127
PID 2712 wrote to memory of 4880	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	127
PID 2712 wrote to memory of 4880	2712	{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
  C:\Windows\{01439510-E12A-4cbb-9752-038CFD399D6C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
    C:\Windows\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D913B~1.EXE > nul
      4⤵
      PID:748
  - - C:\Windows\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
      C:\Windows\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe
        
        C:\Windows\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
        
        C:\Windows\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
        
        C:\Windows\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A7CA~1.EXE > nul
        8⤵
        
        PID:4516
        
        C:\Windows\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
        
        C:\Windows\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
        
        C:\Windows\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{BECB20B6-C157-486c-BE01-092887795AF7}.exe
        
        C:\Windows\{BECB20B6-C157-486c-BE01-092887795AF7}.exe
        10⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1CB9~1.EXE > nul
        10⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A6EB~1.EXE > nul
        9⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8C1~1.EXE > nul
        7⤵
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30054~1.EXE > nul
        6⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF6A~1.EXE > nul
        5⤵
        
        PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01439~1.EXE > nul
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01439510-E12A-4cbb-9752-038CFD399D6C}.exe

Filesize
180KB

MD5
74912c7a098518bba3832027fbc0d40a

SHA1
5d0f4f417173874cda779f832f6248f48721ff80

SHA256
0504cc77feb95ed80ecb0eba2c18eec8395ee58a476d3a68bfb1dff7f86c6795

SHA512
1b777dcd8a90af6cbd12bbb4b632dc0106265c2078292b4d934da979025899fc917a7d9a023e0bf84b00230c1d9a78f1c34b3bc6c37b68aaee32380b130edaa3

Download Submit
C:\Windows\{0B8C1827-4EF6-4ac6-8E63-7676C191FB2D}.exe

Filesize
180KB

MD5
c3cdd0abb7e3a27f9d0f877b8ff1d4b8

SHA1
3b66fa487582a825f80cf3d7e19f0f5574a5cef3

SHA256
61fb13509ef413a088bfaec0f38d5bc66ed8c6a010f2211ffe5ac5665836d3a0

SHA512
63166142049c3190053080d01d1b2698c86ce8f7ab961460e4687d6f5d585f1f3efc7c05885d95a1ddc42508ab23c7d8247b0939a2ee872d1771f971a26bfa1b

Download Submit
C:\Windows\{30054804-B25E-4e8d-86EC-F5CF0C0B88E6}.exe

Filesize
180KB

MD5
68575d02c3d83afd7020bc1143cb0c6f

SHA1
a6da4c3d5c5bc28e250027f283b6e721b2b951ac

SHA256
78c7e995f767bfa12c75a5733a552b13b25949d3758b824cbcfbd701c8e96455

SHA512
a8e958c002288531039de6028c693322c37ab1f3d3b22dd750ac8311129eaa862414271d971d15a0b491950d97c9f4e08f4d382987800e7e95751c01ecb4c24b

Download Submit
C:\Windows\{5A7CAC9E-3ED5-4ac3-ADFF-D5BDA6A9A08F}.exe

Filesize
180KB

MD5
6fd2e5afaeacb90f256867dc64803edf

SHA1
bfa3b680e8c8cb5236f728ac2b43a112128f4710

SHA256
6d332a2e3bb6d1ed283a413cab85167e5fd187b94a655b76c7afa48cbf83b23e

SHA512
683955e3bc582d12326c397c5b6a46525c708fdfbbaf9537870b0b19e45a2b1968503646d218da3d9827c663db2ec30e0a32c0106bb611b7732dcd6431b30401

Download Submit
C:\Windows\{5FF6AFDA-0EED-43a6-A79F-537F4ED79B1B}.exe

Filesize
180KB

MD5
71b5fb9526913b4a79c68c46a1a582c8

SHA1
6bac8399b73e13c786f2465e9878f4515aa8eb04

SHA256
2c02edf932206828ecf20fdfdeae77da8c80da1be272ffb9b5cb8036f66ef68f

SHA512
c729dfcba838e2d89519ee7c57ba282bb5203c4441ca23ecb4e6776216d6eadc5ba48d9c30c9169aeb583063949df5d448bf3f07cc3ba5fc137dfc8bd0f68a92

Download Submit
C:\Windows\{6A6EBE77-72C6-4181-AB42-8BD1ACC9A32B}.exe

Filesize
180KB

MD5
f491e8d5438c80cb1b59331276d0ebec

SHA1
1e7a7eb9553ec54ae865530cfe958139dbfaabfb

SHA256
d746c23d0ef12d9b9bea341b9f2106de1924333bcdbeb221b77e6d5ab62af7ba

SHA512
08500723577f31986da75b13599d67cc03123984120ed6a797989076004438a2a2355b42106efd30f614b8bff6af28d31195d59bda99459797c826d7dd12dc6e

Download Submit
C:\Windows\{BECB20B6-C157-486c-BE01-092887795AF7}.exe

Filesize
180KB

MD5
218c00e4c9c475397dd139edfb6a1596

SHA1
66bdbf9ce5db394617287eff08044d975ec6483d

SHA256
5bec08775b43954bb431212b73ca579b871147e728a507c15aa9a8f5e5094bce

SHA512
2ff90aa567d4d4f3938c70df0d9e315620322fdde8be99e48b5db2e1147a0089ddb123da568285d299f6bbba8817bba5fa083eb4b896cdeec3bfc0aa059ea9c0

Download Submit
C:\Windows\{D913BCBA-1B68-4435-A6DB-47C3CFD9FDA7}.exe

Filesize
180KB

MD5
23db17e62b564ff323329a0db9cdbd98

SHA1
b25241b65f95c1e4f7a44785bf67a128d91a016f

SHA256
ea8a7ef54b4cd7bee83b236e8f8fe45a6e677f9bfc12932c138cdf943bbd8c4c

SHA512
fdb32018e6e37bc6c78264650800607255e72def02d80dc6122a5b994531c8dc128c887398e757c5351f8705735783cab0c3f9e1634c962c143c33c9fc75685f

Download Submit
C:\Windows\{E1CB9567-E6C1-48a0-B9A1-E5C72CFF38A9}.exe

Filesize
180KB

MD5
ac9776883f4ae060b47e3928ac804c32

SHA1
7e85c661cdcfac7f25f62095e582a5ae6ef0f8f3

SHA256
08e83dcdcce36e277fd2be2d7527a6d6311beac59e89ee31345d1a7c81e205e4

SHA512
739aac21d716067ded8fcc5a8dd76c0b3fb1a04bd5d1e7d2069b36b9666a8958c900089addd404426f1e41c10ff888ad75880fdd8251dd6cdf3d37decd4c1ffd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads