8d8cfa7ae9eabe679f647cc14f73f4e999ea9052dd1e99364006fefb5eb2c6a9

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Size

192KB
MD5

587bd66e4678def8d01ae189dec11eff
SHA1

39e7248ddf502ca93c1d18aefdaafc9ec21ab933
SHA256

8d8cfa7ae9eabe679f647cc14f73f4e999ea9052dd1e99364006fefb5eb2c6a9
SHA512

b81238cf34efaf286a916b0949eb07df84f5923b788d1dca69fd7d2d913e29e18a19644ceeb1db1abb39e4d7b60c2554a5a0b4e40619b43bb49c8e3365bd0dad
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oBl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}\stubpath = "C:\\Windows\\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe"	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23196DCA-8A6C-425a-8032-7863EE162831}\stubpath = "C:\\Windows\\{23196DCA-8A6C-425a-8032-7863EE162831}.exe"	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}\stubpath = "C:\\Windows\\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe"	{23196DCA-8A6C-425a-8032-7863EE162831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}\stubpath = "C:\\Windows\\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}.exe"	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C682ED25-67AD-40e9-AE0C-F48664250AE7}	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C682ED25-67AD-40e9-AE0C-F48664250AE7}\stubpath = "C:\\Windows\\{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe"	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADAEE634-534F-4297-96EE-37820C9AB580}	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23196DCA-8A6C-425a-8032-7863EE162831}	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADAEE634-534F-4297-96EE-37820C9AB580}\stubpath = "C:\\Windows\\{ADAEE634-534F-4297-96EE-37820C9AB580}.exe"	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{853EF5E0-1ABF-413f-9135-0259B38525DA}	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}\stubpath = "C:\\Windows\\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe"	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}\stubpath = "C:\\Windows\\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe"	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}	{23196DCA-8A6C-425a-8032-7863EE162831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{853EF5E0-1ABF-413f-9135-0259B38525DA}\stubpath = "C:\\Windows\\{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe"	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe

Executes dropped EXE 9 IoCs

pid	Process
4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe
4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe
5040	{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	{23196DCA-8A6C-425a-8032-7863EE162831}.exe
File created	C:\Windows\{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
File created	C:\Windows\{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
File created	C:\Windows\{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
File created	C:\Windows\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
File created	C:\Windows\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
File created	C:\Windows\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
File created	C:\Windows\{23196DCA-8A6C-425a-8032-7863EE162831}.exe	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
File created	C:\Windows\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}.exe	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
Token: SeIncBasePriorityPrivilege	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
Token: SeIncBasePriorityPrivilege	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
Token: SeIncBasePriorityPrivilege	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
Token: SeIncBasePriorityPrivilege	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe
Token: SeIncBasePriorityPrivilege	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
Token: SeIncBasePriorityPrivilege	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
Token: SeIncBasePriorityPrivilege	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4116	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	98
PID 4296 wrote to memory of 4116	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	98
PID 4296 wrote to memory of 4116	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	98
PID 4296 wrote to memory of 3304	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	99
PID 4296 wrote to memory of 3304	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	99
PID 4296 wrote to memory of 3304	4296	2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe	99
PID 4116 wrote to memory of 5000	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	104
PID 4116 wrote to memory of 5000	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	104
PID 4116 wrote to memory of 5000	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	104
PID 4116 wrote to memory of 3500	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	105
PID 4116 wrote to memory of 3500	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	105
PID 4116 wrote to memory of 3500	4116	{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe	105
PID 5000 wrote to memory of 1324	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	107
PID 5000 wrote to memory of 1324	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	107
PID 5000 wrote to memory of 1324	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	107
PID 5000 wrote to memory of 1792	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	108
PID 5000 wrote to memory of 1792	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	108
PID 5000 wrote to memory of 1792	5000	{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe	108
PID 1324 wrote to memory of 4244	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	110
PID 1324 wrote to memory of 4244	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	110
PID 1324 wrote to memory of 4244	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	110
PID 1324 wrote to memory of 3864	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	111
PID 1324 wrote to memory of 3864	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	111
PID 1324 wrote to memory of 3864	1324	{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe	111
PID 4244 wrote to memory of 1144	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	112
PID 4244 wrote to memory of 1144	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	112
PID 4244 wrote to memory of 1144	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	112
PID 4244 wrote to memory of 2232	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	113
PID 4244 wrote to memory of 2232	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	113
PID 4244 wrote to memory of 2232	4244	{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe	113
PID 1144 wrote to memory of 4496	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	116
PID 1144 wrote to memory of 4496	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	116
PID 1144 wrote to memory of 4496	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	116
PID 1144 wrote to memory of 4064	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	115
PID 1144 wrote to memory of 4064	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	115
PID 1144 wrote to memory of 4064	1144	{23196DCA-8A6C-425a-8032-7863EE162831}.exe	115
PID 4496 wrote to memory of 2268	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	117
PID 4496 wrote to memory of 2268	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	117
PID 4496 wrote to memory of 2268	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	117
PID 4496 wrote to memory of 4384	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	118
PID 4496 wrote to memory of 4384	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	118
PID 4496 wrote to memory of 4384	4496	{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe	118
PID 2268 wrote to memory of 4396	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	120
PID 2268 wrote to memory of 4396	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	120
PID 2268 wrote to memory of 4396	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	120
PID 2268 wrote to memory of 2548	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	119
PID 2268 wrote to memory of 2548	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	119
PID 2268 wrote to memory of 2548	2268	{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe	119
PID 4396 wrote to memory of 5040	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	124
PID 4396 wrote to memory of 5040	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	124
PID 4396 wrote to memory of 5040	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	124
PID 4396 wrote to memory of 4968	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	123
PID 4396 wrote to memory of 4968	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	123
PID 4396 wrote to memory of 4968	4396	{ADAEE634-534F-4297-96EE-37820C9AB580}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_587bd66e4678def8d01ae189dec11eff_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
  C:\Windows\{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
    C:\Windows\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
      C:\Windows\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
        
        C:\Windows\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\{23196DCA-8A6C-425a-8032-7863EE162831}.exe
        
        C:\Windows\{23196DCA-8A6C-425a-8032-7863EE162831}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23196~1.EXE > nul
        7⤵
        
        PID:4064
        
        C:\Windows\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
        
        C:\Windows\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
        
        C:\Windows\{C682ED25-67AD-40e9-AE0C-F48664250AE7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C682E~1.EXE > nul
        9⤵
        
        PID:2548
        
        C:\Windows\{ADAEE634-534F-4297-96EE-37820C9AB580}.exe
        
        C:\Windows\{ADAEE634-534F-4297-96EE-37820C9AB580}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADAEE~1.EXE > nul
        10⤵
        
        PID:4968
        
        C:\Windows\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}.exe
        
        C:\Windows\{3A59E0C0-9F3E-4e67-9E0A-CBAA4006EBB5}.exe
        10⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A59E~1.EXE > nul
        11⤵
        
        PID:968
        
        C:\Windows\{6E6053E1-9979-4657-8A1C-FC2E761ADA73}.exe
        
        C:\Windows\{6E6053E1-9979-4657-8A1C-FC2E761ADA73}.exe
        11⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E605~1.EXE > nul
        12⤵
        
        PID:212
        
        C:\Windows\{C033977E-E43B-446b-8610-B3EEBB1DA25F}.exe
        
        C:\Windows\{C033977E-E43B-446b-8610-B3EEBB1DA25F}.exe
        12⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44432~1.EXE > nul
        8⤵
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{652A0~1.EXE > nul
        6⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E77B~1.EXE > nul
        5⤵
        
        PID:3864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB71~1.EXE > nul
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{853EF~1.EXE > nul
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23196DCA-8A6C-425a-8032-7863EE162831}.exe

Filesize
192KB

MD5
ceaea463a6ce039b2e796aeab4a04228

SHA1
38aee7b279644b74880f60b16c6f71e1efea8e18

SHA256
42a877d37e357bee26ea3981f44a852ac72078f00dabfe80951fd8117a9aa279

SHA512
99c90d46076b938389d9968f6b817e43f83dc2fcdf3c920ada209ba9f2d22f74d4b8af74b88552fae9dcacce34413a64ced956106004d41ef3e866eefe724b71

Download Submit
C:\Windows\{31831A90-A601-4b12-8D75-E1E64D5DFEE8}.exe

Filesize
11KB

MD5
ba964324c78c06affbfcb8eb03798452

SHA1
68c1e780b2d5ae5620b016327450bbc4d862b98a

SHA256
d6eecac62812facb6b49f96d095e20fc09f743bd28a21ba8ee5586dc147a1658

SHA512
3772fa7b47ce13997759e6f700f560dc38be5b7fcb2160da8f2b6fa8d135855c7713cbe410403d12b3f1d6b4e468a78246f3b9b1177d7915e205a012e49d0556

Download Submit
C:\Windows\{3CB71157-624C-4fb7-97F0-BA5B31E108F1}.exe

Filesize
192KB

MD5
2076b7b9e54147fa3155b5616781ab73

SHA1
093819eda420ee36569b24d7c458d932dcd58b28

SHA256
69f1aafdcf84beb57fee40729a2141e2cd1f4e98a7ff6327f7b01b864f884540

SHA512
7a7b94199f8defa342819767ce9f05d46f13ed3f0d03ed31398d4f12562352c39f84d5c3bdb522baaad54bf820b268c8176661ca074ecc3dfb9328f724e8287b

Download Submit
C:\Windows\{444324F6-3CE5-48b4-9773-8F631C2E6ADB}.exe

Filesize
192KB

MD5
05a2be80a79ae0825cd6ed35e210ba4d

SHA1
bd9e14f51d8079b5924ac389282dfffd85fbf288

SHA256
76a419baaaaae90b78d67a3fafbb47f3b7d7150e928e81205f82799396a10aa1

SHA512
c27d0e1dab9946c2949d925f07b991a5e0992d1e381085e8093b28d31e68e5486806886c599270ac69f25574db985cf67de981f93cbee04ce63e037dc77ef43c

Download Submit
C:\Windows\{5E77BE3C-4BBF-4fa8-9200-12E65F4097AB}.exe

Filesize
192KB

MD5
ddc0c90d37ff8fb129ecf13b1092fb59

SHA1
1ff5c0cbe1a0b1ccc1fcd967e38077417af6c44b

SHA256
5b9dbc2c252076dee737202b8799d41a4f9c0f9924efc655cae6b5c4799e3c7b

SHA512
0259abf6836c609af13fc159b3f463c204c9599a3c03174878f75d6eb545c83b586fc2ad4117b7edab257d78b4cb04abaabb84758d4e7678cc625c6656de8451

Download Submit
C:\Windows\{652A0A08-A6BB-40b0-B560-2E2D973B4DC3}.exe

Filesize
192KB

MD5
8953a0eae3f7bcfbe8c0a54d31b08115

SHA1
fe8f99c48fdd7cdab994234407416c1fec634382

SHA256
916c19655c55de3ce0c9e89ab30b7044555b281bd353c78a1bb981b1bd29ee27

SHA512
0890e8b27747b959fca36301c94e8b922081506efcdb0bb566967eb3f7bd16c01ea69de23c15a6c280de434ceb9beaa2848e832aba39cc93df03decb36ed2a5c

Download Submit
C:\Windows\{853EF5E0-1ABF-413f-9135-0259B38525DA}.exe

Filesize
192KB

MD5
dc65bfd236a193d2421d5b919dbd8086

SHA1
d62859ac91a677f06f11ebdf1a3151378cffab7b

SHA256
abfe7232d00992f6b10ce0d92ddb87d925c4c6c5d17ed840c4a97d0ac3a86873

SHA512
6d69ed18c58cb75245ff0930e9b522b0b822966fdc14002a83661b5308a3971d3bc615878e20bb16360fc1814d8c2083e5bc15a36fddb2cdfafbcfffaf5e65e4

Download Submit
C:\Windows\{C033977E-E43B-446b-8610-B3EEBB1DA25F}.exe

Filesize
192KB

MD5
45511d5f607718b80000dc385f4e4181

SHA1
69437284f79e22d679151b5ca4e0fd83da462b78

SHA256
583ec5d2017d3e7d168445eb5dd3f391f456b0ac6738a1d98980e09d11880bc3

SHA512
f032e41ae9440d5fc7c7e277bb4e93152a27f50a25d8d81463cdbbd1ae2eb59b091b473676abc6b9554b0dad531cba2a49e0b6fe7cbe1eb88fd682d2821448a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads