f91bef2ebc08de880b5e7a3b4ac0cc779bc409b066e24c2b2502a4adf8c9620e

Analysis

max time kernel
158s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
Size

380KB
MD5

2363692e5e1195466cb9433f2d6e72fe
SHA1

5e42b5a845dbc874e3d626c6a9abcef02668758f
SHA256

f91bef2ebc08de880b5e7a3b4ac0cc779bc409b066e24c2b2502a4adf8c9620e
SHA512

d96da64cf4d8ceaf168ad985e75930087e07050599be3c956cc9388fcf4dba7848e1bd3bcce4a27ea8bd4eeb9f97ce33c54aac8a3bfb477866caf20d3aec995a
SSDEEP

3072:mEGh0oZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG3l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}\stubpath = "C:\\Windows\\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe"	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}\stubpath = "C:\\Windows\\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe"	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49B4C22-D419-4743-B7D8-413CA8DDB546}\stubpath = "C:\\Windows\\{A49B4C22-D419-4743-B7D8-413CA8DDB546}.exe"	{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}\stubpath = "C:\\Windows\\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe"	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}\stubpath = "C:\\Windows\\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe"	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}\stubpath = "C:\\Windows\\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe"	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F64180-5A78-4509-9D8F-EF7EF03EF884}\stubpath = "C:\\Windows\\{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe"	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50608988-8C04-4f25-B2D8-D44A66BCD629}	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}\stubpath = "C:\\Windows\\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe"	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}\stubpath = "C:\\Windows\\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe"	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E73983C-8215-466d-BA8F-A06D3D9A6654}\stubpath = "C:\\Windows\\{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe"	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49B4C22-D419-4743-B7D8-413CA8DDB546}	{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}\stubpath = "C:\\Windows\\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe"	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E73983C-8215-466d-BA8F-A06D3D9A6654}	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F64180-5A78-4509-9D8F-EF7EF03EF884}	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50608988-8C04-4f25-B2D8-D44A66BCD629}\stubpath = "C:\\Windows\\{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe"	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
1016	{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
File created	C:\Windows\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
File created	C:\Windows\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
File created	C:\Windows\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
File created	C:\Windows\{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
File created	C:\Windows\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
File created	C:\Windows\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
File created	C:\Windows\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
File created	C:\Windows\{A49B4C22-D419-4743-B7D8-413CA8DDB546}.exe	{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe
File created	C:\Windows\{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
File created	C:\Windows\{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
File created	C:\Windows\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
Token: SeIncBasePriorityPrivilege	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
Token: SeIncBasePriorityPrivilege	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
Token: SeIncBasePriorityPrivilege	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
Token: SeIncBasePriorityPrivilege	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
Token: SeIncBasePriorityPrivilege	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
Token: SeIncBasePriorityPrivilege	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
Token: SeIncBasePriorityPrivilege	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
Token: SeIncBasePriorityPrivilege	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
Token: SeIncBasePriorityPrivilege	3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2824	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	96
PID 4412 wrote to memory of 2824	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	96
PID 4412 wrote to memory of 2824	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	96
PID 4412 wrote to memory of 2052	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	97
PID 4412 wrote to memory of 2052	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	97
PID 4412 wrote to memory of 2052	4412	2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe	97
PID 2824 wrote to memory of 624	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	101
PID 2824 wrote to memory of 624	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	101
PID 2824 wrote to memory of 624	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	101
PID 2824 wrote to memory of 4596	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	102
PID 2824 wrote to memory of 4596	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	102
PID 2824 wrote to memory of 4596	2824	{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe	102
PID 624 wrote to memory of 5028	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	104
PID 624 wrote to memory of 5028	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	104
PID 624 wrote to memory of 5028	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	104
PID 624 wrote to memory of 1156	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	103
PID 624 wrote to memory of 1156	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	103
PID 624 wrote to memory of 1156	624	{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe	103
PID 5028 wrote to memory of 4828	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	107
PID 5028 wrote to memory of 4828	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	107
PID 5028 wrote to memory of 4828	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	107
PID 5028 wrote to memory of 2936	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	108
PID 5028 wrote to memory of 2936	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	108
PID 5028 wrote to memory of 2936	5028	{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe	108
PID 4828 wrote to memory of 3468	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	110
PID 4828 wrote to memory of 3468	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	110
PID 4828 wrote to memory of 3468	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	110
PID 4828 wrote to memory of 4784	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	111
PID 4828 wrote to memory of 4784	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	111
PID 4828 wrote to memory of 4784	4828	{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe	111
PID 3468 wrote to memory of 2820	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	112
PID 3468 wrote to memory of 2820	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	112
PID 3468 wrote to memory of 2820	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	112
PID 3468 wrote to memory of 3124	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	113
PID 3468 wrote to memory of 3124	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	113
PID 3468 wrote to memory of 3124	3468	{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe	113
PID 2820 wrote to memory of 416	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	114
PID 2820 wrote to memory of 416	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	114
PID 2820 wrote to memory of 416	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	114
PID 2820 wrote to memory of 1700	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	115
PID 2820 wrote to memory of 1700	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	115
PID 2820 wrote to memory of 1700	2820	{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe	115
PID 416 wrote to memory of 4868	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	117
PID 416 wrote to memory of 4868	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	117
PID 416 wrote to memory of 4868	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	117
PID 416 wrote to memory of 4116	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	118
PID 416 wrote to memory of 4116	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	118
PID 416 wrote to memory of 4116	416	{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe	118
PID 4868 wrote to memory of 1468	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	121
PID 4868 wrote to memory of 1468	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	121
PID 4868 wrote to memory of 1468	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	121
PID 4868 wrote to memory of 384	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	122
PID 4868 wrote to memory of 384	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	122
PID 4868 wrote to memory of 384	4868	{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe	122
PID 1468 wrote to memory of 3028	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	123
PID 1468 wrote to memory of 3028	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	123
PID 1468 wrote to memory of 3028	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	123
PID 1468 wrote to memory of 2596	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	124
PID 1468 wrote to memory of 2596	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	124
PID 1468 wrote to memory of 2596	1468	{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe	124
PID 3028 wrote to memory of 1016	3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe	126
PID 3028 wrote to memory of 1016	3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe	126
PID 3028 wrote to memory of 1016	3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe	126
PID 3028 wrote to memory of 3772	3028	{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_2363692e5e1195466cb9433f2d6e72fe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
  C:\Windows\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
    C:\Windows\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06340~1.EXE > nul
      4⤵
      PID:1156
  - - C:\Windows\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
      C:\Windows\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
        
        C:\Windows\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
        
        C:\Windows\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
        
        C:\Windows\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
        
        C:\Windows\{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
        
        C:\Windows\{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
        
        C:\Windows\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
        
        C:\Windows\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E85EC~1.EXE > nul
        12⤵
        
        PID:3772
        
        C:\Windows\{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe
        
        C:\Windows\{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{944EB~1.EXE > nul
        11⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50608~1.EXE > nul
        10⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92F64~1.EXE > nul
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA2E~1.EXE > nul
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A99A~1.EXE > nul
        7⤵
        
        PID:3124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFE1~1.EXE > nul
        6⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2862~1.EXE > nul
        5⤵
        
        PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F91F~1.EXE > nul
    3⤵
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06340A4B-F6E4-44e8-A469-BA30A032E6BA}.exe

Filesize
380KB

MD5
b21666338547761af6dc850036b06f48

SHA1
97d1eaf1a5402cdeaedf7042ae59f33880d521ab

SHA256
fb2268fa34188f329dc488fe9de9b179828fadf377a70b05bedb58ab6d680f29

SHA512
fa1635c8e6301594886ebf7586769c104bcb4d67161dfb9a4e5aa01e73d46babb8e7ca36d96823fcd5318eb76d9fc97194477121c19adf97e399f910ea5859d6

Download Submit
C:\Windows\{1A99A4AB-30D2-41bc-A4BE-453D75A47ED7}.exe

Filesize
380KB

MD5
d83eb84f7bb572e881975a5b44b3207c

SHA1
cd4c0b32eda59ee5291a73faa2ecc3cbe889f567

SHA256
efdeac68fd738383248ef25c479c02b58950eee12ab88a1d0e053e25f17d2714

SHA512
7ccedc418c2e1666f8c41e416bcaa417a5e90589ed3c717c407f4e97f89727933b0ed24bd9604da3d4a04263c22bc01e61b4bdbe81a05616f41c665a0f6d5191

Download Submit
C:\Windows\{1BFE10E3-68AA-4a85-9ED7-5F8D123F3770}.exe

Filesize
380KB

MD5
f5b2ca12ec5642ef4bf2dd367a261ff8

SHA1
5e9d1268f2f8c3f944f1fb2c261929517ce967a9

SHA256
42e234347e5ff546f13f2558e62839097a857bb074d64ea039b3ae347af1cdd1

SHA512
6c61be77294bb598f298faffe9fae89ccb05d0726b782cfda90016d4e2a5da2caf6a75b85cf048dfa2983bbe5ff08418ce02da39944c7ed85cacb9df0955233f

Download Submit
C:\Windows\{3E73983C-8215-466d-BA8F-A06D3D9A6654}.exe

Filesize
380KB

MD5
f8a981973972011b88bbc3a445845e97

SHA1
0fd6a3e3f39800a0861ff47b92f16530697d7866

SHA256
e4d7b9e2c4ec0f118fbcdde6de217938c5d283f1d099fc662b8d361024218c17

SHA512
6c37124422c4ed91fade03e6372ac5fbcb8b2e040bb0642c5c40d10b4b5f3d96e2fbbb067abbbe8e614ba4badeec4acb7d150a13894619aba6bc44c12ca122f6

Download Submit
C:\Windows\{3EA2E83B-E459-4825-A9C8-E3CBCD082501}.exe

Filesize
380KB

MD5
96b8eb059dcbeef593d5cfcd730c0eb3

SHA1
c4206c9cfb31b654cb6275e943576c5a07ca5558

SHA256
e3e2874ec691e9738a1991cab566dc260cead494cb7b1186be451a1ad07d1ee7

SHA512
582b310bbc7ffc11849cd3b137ebea669bd31b2e107dcf5227235284dcee78ca576e9f5b845fa82c145a8aefec4709b0f25757d9313cef7e7c0024a8222a3120

Download Submit
C:\Windows\{50608988-8C04-4f25-B2D8-D44A66BCD629}.exe

Filesize
380KB

MD5
226ef1f0c70a21680d5d841d2eb3369c

SHA1
a42db027854647e1d6fccf705af83afe7969ff90

SHA256
3f96bedcd7614de2baed7d68a5826b3a9cb35e336ce2c2c13f8b748f4510babb

SHA512
f88f075adadacc60aad40a4007e7730e8fb473333c6c0aa217b6a76795ec2b51e50606eb55ed1cb484f0f368952a89c839370f19e83d34114e020d15e77115fa

Download Submit
C:\Windows\{7F91F129-F2CB-4373-8761-67DD65C3CA4B}.exe

Filesize
380KB

MD5
e6d1b759abc8cbc415ece837375ba0e3

SHA1
8608534805829d941aba0fb673dd30172585a2a6

SHA256
09ba7f11c30fbc5be474841a4e6766a11a9ef415578b8b98336bf10d05a275d0

SHA512
50b4deca4978a4c0667891e742f64060a1c723833b7dc73f4c793d05e5074eca70109563089f425739c57345b5aece56fb0de3b34f88dbe5b66ea821405b1d6c

Download Submit
C:\Windows\{92F64180-5A78-4509-9D8F-EF7EF03EF884}.exe

Filesize
380KB

MD5
e5047006dcefe45b3404e6a858530dc1

SHA1
8fb391a1ca5acdd9eb86806dfd384c5ff4fc3efa

SHA256
13343dd899607c492c1b9a7d2d9e3a0b97ff8222962aa84a7102093129a2c653

SHA512
828a8490a31d53344a1f6c0aa04828940723f0ee70d38cfce156ae35d349aff73ce08aa4bee79d28daaddb4d9a23ce42fabe1bfdefb94874443941fc6ecf8a48

Download Submit
C:\Windows\{944EB3ED-1F10-4a13-8600-45DE0628CBD9}.exe

Filesize
380KB

MD5
5c3c24e561274258f6786f26e1087dee

SHA1
b4541875909c5ad86035d99fb6aece9ebfa0270b

SHA256
c8bc2fa72ba7a8d3670c1a2b881536a31a7cefe8b9011828b0be2df3d16eb1f3

SHA512
5629672593b59e12e47d56b2e8de90dc9c26017fb7888caa96ef173df06a69855ed379ecb53884b9cfd5847e777c4c5192a8221b6d0c93a2524cfda42df1a99f

Download Submit
C:\Windows\{D28625A3-A852-4ba0-BB2A-B9383A6BB266}.exe

Filesize
380KB

MD5
4ec0ba1f8e5040792a1062f871312f9c

SHA1
2f4496fbed75504246d66779cc42337d32bea56d

SHA256
b94956d340eacb511e59ccf114216550da189c8266678be9c6984a17c2fc9a26

SHA512
b147f9a6da44ef1aabd33b80075ea907065aa56f6281c74b72de9216a34c7c1f17682758f8d65170915f671eac6c65e9c331c7aec74d0530b80a84fd610bbe74

Download Submit
C:\Windows\{E85EC2B0-9E8C-4b05-A35F-CBD5FC51423B}.exe

Filesize
380KB

MD5
a262b6a39515f205adeac82a22ecb70a

SHA1
b7e289c6765ece1ba7597ed9b093fe50c14904d5

SHA256
b5cf192d097781034a3fc7382fed0a9a51de672d11add499e8ef773c520e7868

SHA512
b7c289c780b75c6f6f3b71b4bd394299673e15e14f89265b582c9406156776ddd6a0a2424f092159d1765aff28f031e8f8447395a97b3829bdcf6157d2e91b88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads