b58731615ac57e57e370eadec3b4621fbe61d7f6c2ae347a984b4e5010d6f634

Analysis

max time kernel
156s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Size

380KB
MD5

384957d4b0664e9777c1244e130ba4a9
SHA1

04287983cf47b156caa91f84bd65b2f21fedd126
SHA256

b58731615ac57e57e370eadec3b4621fbe61d7f6c2ae347a984b4e5010d6f634
SHA512

0ee0af5807e0ed01b6278630a170aebeeb2025d888debba68b83049fe5c84c975bd2750058e62a36ca9152d4e32970169083aba0fdcbca6c5ac12c8bf2d863f1
SSDEEP

3072:mEGh0oLlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGJl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82721032-EBA8-4415-AD00-FD9D52564174}	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82721032-EBA8-4415-AD00-FD9D52564174}\stubpath = "C:\\Windows\\{82721032-EBA8-4415-AD00-FD9D52564174}.exe"	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}\stubpath = "C:\\Windows\\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe"	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82285A8-E545-4a23-9191-E3950A0313A1}\stubpath = "C:\\Windows\\{C82285A8-E545-4a23-9191-E3950A0313A1}.exe"	{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}\stubpath = "C:\\Windows\\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe"	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}\stubpath = "C:\\Windows\\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe"	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}\stubpath = "C:\\Windows\\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe"	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB17875-AF62-465a-B22B-543C77CD4361}	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908BF321-510F-4158-9EA0-D25777F9B3CA}	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}	{82721032-EBA8-4415-AD00-FD9D52564174}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}\stubpath = "C:\\Windows\\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe"	{82721032-EBA8-4415-AD00-FD9D52564174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2948F29F-8661-4382-A7DD-959AFB11F184}	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}\stubpath = "C:\\Windows\\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe"	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82285A8-E545-4a23-9191-E3950A0313A1}	{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0BB17875-AF62-465a-B22B-543C77CD4361}\stubpath = "C:\\Windows\\{0BB17875-AF62-465a-B22B-543C77CD4361}.exe"	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}\stubpath = "C:\\Windows\\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe"	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2948F29F-8661-4382-A7DD-959AFB11F184}\stubpath = "C:\\Windows\\{2948F29F-8661-4382-A7DD-959AFB11F184}.exe"	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908BF321-510F-4158-9EA0-D25777F9B3CA}\stubpath = "C:\\Windows\\{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe"	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe

Executes dropped EXE 12 IoCs

pid	Process
1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe
3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
1964	{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
3680	{C82285A8-E545-4a23-9191-E3950A0313A1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
File created	C:\Windows\{82721032-EBA8-4415-AD00-FD9D52564174}.exe	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
File created	C:\Windows\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
File created	C:\Windows\{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
File created	C:\Windows\{2948F29F-8661-4382-A7DD-959AFB11F184}.exe	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
File created	C:\Windows\{C82285A8-E545-4a23-9191-E3950A0313A1}.exe	{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
File created	C:\Windows\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
File created	C:\Windows\{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
File created	C:\Windows\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
File created	C:\Windows\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	{82721032-EBA8-4415-AD00-FD9D52564174}.exe
File created	C:\Windows\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
File created	C:\Windows\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
Token: SeIncBasePriorityPrivilege	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
Token: SeIncBasePriorityPrivilege	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
Token: SeIncBasePriorityPrivilege	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
Token: SeIncBasePriorityPrivilege	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe
Token: SeIncBasePriorityPrivilege	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
Token: SeIncBasePriorityPrivilege	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
Token: SeIncBasePriorityPrivilege	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
Token: SeIncBasePriorityPrivilege	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
Token: SeIncBasePriorityPrivilege	4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
Token: SeIncBasePriorityPrivilege	1964	{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1960	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	95
PID 2376 wrote to memory of 1960	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	95
PID 2376 wrote to memory of 1960	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	95
PID 2376 wrote to memory of 2612	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	96
PID 2376 wrote to memory of 2612	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	96
PID 2376 wrote to memory of 2612	2376	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	96
PID 1960 wrote to memory of 2536	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	100
PID 1960 wrote to memory of 2536	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	100
PID 1960 wrote to memory of 2536	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	100
PID 1960 wrote to memory of 4028	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	101
PID 1960 wrote to memory of 4028	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	101
PID 1960 wrote to memory of 4028	1960	{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe	101
PID 2536 wrote to memory of 3592	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	103
PID 2536 wrote to memory of 3592	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	103
PID 2536 wrote to memory of 3592	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	103
PID 2536 wrote to memory of 4868	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	102
PID 2536 wrote to memory of 4868	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	102
PID 2536 wrote to memory of 4868	2536	{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe	102
PID 3592 wrote to memory of 4648	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	107
PID 3592 wrote to memory of 4648	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	107
PID 3592 wrote to memory of 4648	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	107
PID 3592 wrote to memory of 2796	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	108
PID 3592 wrote to memory of 2796	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	108
PID 3592 wrote to memory of 2796	3592	{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe	108
PID 4648 wrote to memory of 4804	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	109
PID 4648 wrote to memory of 4804	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	109
PID 4648 wrote to memory of 4804	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	109
PID 4648 wrote to memory of 2740	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	110
PID 4648 wrote to memory of 2740	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	110
PID 4648 wrote to memory of 2740	4648	{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe	110
PID 4804 wrote to memory of 3708	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	111
PID 4804 wrote to memory of 3708	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	111
PID 4804 wrote to memory of 3708	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	111
PID 4804 wrote to memory of 2456	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	112
PID 4804 wrote to memory of 2456	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	112
PID 4804 wrote to memory of 2456	4804	{82721032-EBA8-4415-AD00-FD9D52564174}.exe	112
PID 3708 wrote to memory of 4184	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	116
PID 3708 wrote to memory of 4184	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	116
PID 3708 wrote to memory of 4184	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	116
PID 3708 wrote to memory of 1108	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	117
PID 3708 wrote to memory of 1108	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	117
PID 3708 wrote to memory of 1108	3708	{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe	117
PID 4184 wrote to memory of 1876	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	118
PID 4184 wrote to memory of 1876	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	118
PID 4184 wrote to memory of 1876	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	118
PID 4184 wrote to memory of 2124	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	119
PID 4184 wrote to memory of 2124	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	119
PID 4184 wrote to memory of 2124	4184	{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe	119
PID 1876 wrote to memory of 1936	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	121
PID 1876 wrote to memory of 1936	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	121
PID 1876 wrote to memory of 1936	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	121
PID 1876 wrote to memory of 1896	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	120
PID 1876 wrote to memory of 1896	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	120
PID 1876 wrote to memory of 1896	1876	{0BB17875-AF62-465a-B22B-543C77CD4361}.exe	120
PID 1936 wrote to memory of 4496	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	122
PID 1936 wrote to memory of 4496	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	122
PID 1936 wrote to memory of 4496	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	122
PID 1936 wrote to memory of 1568	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	123
PID 1936 wrote to memory of 1568	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	123
PID 1936 wrote to memory of 1568	1936	{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe	123
PID 4496 wrote to memory of 1964	4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe	124
PID 4496 wrote to memory of 1964	4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe	124
PID 4496 wrote to memory of 1964	4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe	124
PID 4496 wrote to memory of 2736	4496	{2948F29F-8661-4382-A7DD-959AFB11F184}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
  C:\Windows\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
    C:\Windows\{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{908BF~1.EXE > nul
      4⤵
      PID:4868
  - - C:\Windows\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
      C:\Windows\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
        
        C:\Windows\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\{82721032-EBA8-4415-AD00-FD9D52564174}.exe
        
        C:\Windows\{82721032-EBA8-4415-AD00-FD9D52564174}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
        
        C:\Windows\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
        
        C:\Windows\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
        
        C:\Windows\{0BB17875-AF62-465a-B22B-543C77CD4361}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB17~1.EXE > nul
        10⤵
        
        PID:1896
        
        C:\Windows\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
        
        C:\Windows\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
        
        C:\Windows\{2948F29F-8661-4382-A7DD-959AFB11F184}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
        
        C:\Windows\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{C82285A8-E545-4a23-9191-E3950A0313A1}.exe
        
        C:\Windows\{C82285A8-E545-4a23-9191-E3950A0313A1}.exe
        13⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5565F~1.EXE > nul
        13⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2948F~1.EXE > nul
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CAA3~1.EXE > nul
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E962F~1.EXE > nul
        9⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F03~1.EXE > nul
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82721~1.EXE > nul
        7⤵
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9D1C~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F90FF~1.EXE > nul
        5⤵
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC3C6~1.EXE > nul
    3⤵
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BB17875-AF62-465a-B22B-543C77CD4361}.exe

Filesize
380KB

MD5
5bca817ba697de62fd0b36a530d16610

SHA1
56dc707778a7c3e3e8f72efa98c33af470f5c8a9

SHA256
8ff4316323acdf0160581a01204d165e58ba179fa54996df4c98d4142719f01d

SHA512
204ae771871dc1f952ed8336ca233b1b6d24dc7e618adf27233df47997d139ec541f6992033e00704319e21fb55d0515464e53b7651e9064ec8ad94139e7b9a1

Download Submit
C:\Windows\{2948F29F-8661-4382-A7DD-959AFB11F184}.exe

Filesize
380KB

MD5
39cbb313621b83ef3a64756a937de372

SHA1
72a9f81d3bd5686880d0850d6d1382d746c6569b

SHA256
8d9c218495c21f3bcb14ea3746e4a36c19d8708ce6421f24ef615dcd0ed2606b

SHA512
394d59c72ff91c58df24d18926280986040287cb59d146f6062a81577f1fb082bf6a83a50ed60ab221b2165476b6b81ef6b52fae8dd6ef8d2c433be00707a1d7

Download Submit
C:\Windows\{5565F5E8-5E14-4f85-AA57-A82AA1132A44}.exe

Filesize
380KB

MD5
fcdf6456d65306fed735d2af174d4f2c

SHA1
596111ee66633da46e6c91d4d771021c5e06955e

SHA256
9a71e62f622fddf95ad255397b60f787c28d2499a926de18e61abab48ccff042

SHA512
8ee761d876af18d94a90fe352207d02ac98e4226b00bc0510b351a988e873296ad4fe1d395a14901f8f65b3fdc7fa8540b10021b16e157be33b041b3745ae7e3

Download Submit
C:\Windows\{5CAA3790-03F9-47c1-AE55-CA2920DB953D}.exe

Filesize
380KB

MD5
c1113008c34268ac405b2f2857981f86

SHA1
08694abb289c860acfc40d3211e24f9b8dbf537a

SHA256
2baed0497f7d3e4f1e876631e8c6634ea9606e3a6a662c809d8aeef85b91caa7

SHA512
e703564b426221306cf27f3aa76680d450eb9d650a0df776dd8eb831c41b72c703aca0cbb095edcfd08597991aeef810b370165245d9b5616136de65d40374a1

Download Submit
C:\Windows\{82721032-EBA8-4415-AD00-FD9D52564174}.exe

Filesize
380KB

MD5
54f87eabeeebf96a305baef9bb1849b1

SHA1
65589d19fa8fa3e56b8a7257a9a69d6fa85713ea

SHA256
7cb7c9d50cffe5dc87a9a9fa02fc67d908ac68715a53c8df527083011acc06b2

SHA512
b746259d0a067bafd9390ca63a872c30acc938bdb417ad3b7ae5d10d393607a4cc1f98bcc69ea39305d41dde48132dffece344019e458f32363c8cb20cf4f99a

Download Submit
C:\Windows\{908BF321-510F-4158-9EA0-D25777F9B3CA}.exe

Filesize
380KB

MD5
5d2bbb7588bb88526717d8071936ece5

SHA1
10969bb36a78671a4e01b30a45760d5b0644da00

SHA256
b9e0d634ba6e4174c0268a5955b1eccd44db01657e8a9acb19208cab3a67a4c4

SHA512
efca794213312805efe5618bd6a1b47966c1bc3b3892a11453fe1cf6fc469768a8eb1bb5da0b7f0c10f79ce483a45ce8a9e554b4d03cd2314a8da77123e7e8ae

Download Submit
C:\Windows\{A9D1CBC0-6F2B-4e69-A804-CDAD46046ECB}.exe

Filesize
380KB

MD5
1c39c9ac50eef658df1c25302dd1891b

SHA1
2b29b88627271a57134409f1744177a3949f3536

SHA256
0bd12ebf3af4202291a23efe409a84817edc6b4237e4783ce8a993dfbf0100cd

SHA512
c073f4483bafbcd2f855e6e2081dfd0dc60354e3e49e3076a3a2900c3a0a3bb1508d95b44ca664f418c9484cff9d9b67d452ee457e03b0ff1ae03b355eeb0a6e

Download Submit
C:\Windows\{AC3C6075-19E4-4563-A184-24FD3C0C68E3}.exe

Filesize
380KB

MD5
1a433d433907c2333fe8a7583dcd346d

SHA1
094874378ae4d42e1b8fd94b104842461f52bfb1

SHA256
b7b3c7cd8fb7b502242985c0d6275b9693fc48c87d437e3ae9b476874f0b64bf

SHA512
88a18ea27374af4bd40b773ef421bd0fd977da3c98b967f04d8b0073e2312fdb1d272ad3f8ca91d56b0bbca9e81eadebde59cfb110f93ea19968750aa2b27ef1

Download Submit
C:\Windows\{C82285A8-E545-4a23-9191-E3950A0313A1}.exe

Filesize
380KB

MD5
9b9b5e94e0fdd9908d219f855c2b7b77

SHA1
b2d26ce074ed12a7dadd16dfa32884441ade5886

SHA256
0b8846836536fef8958a2e9c27b6e3079cc2385efdbab40ee78ef7dc437fb4fc

SHA512
38eab232b31d81e47d45eaa3ac30f5ec4a877d881fe8a45f7a75ef117b57706a0188328047894968330044ac729cdc646542765abb4e3f5b929015a0e06eab52

Download Submit
C:\Windows\{C9F03A80-30F0-4927-98E0-35DFB1F3A2C6}.exe

Filesize
380KB

MD5
035860470911efd3bd2c4a23a8956759

SHA1
01b0450ad58822373eeaa8b1eb5132bf9800d78c

SHA256
5a50cdca1bed1a67e26a486bf99e570c65a613dbe017211e711b50f49d72e7b6

SHA512
ff8cabea0844a8f568c86ee4e0142f19337b9912fa0f96401298b9120730cb63c9c9c551f22253a4c0f14c3cf346320c5fb4fa466fc973a34afaf4390d10c9b4

Download Submit
C:\Windows\{E962FA2E-6B99-4329-A651-CE0E9B8A438D}.exe

Filesize
380KB

MD5
10b45c3b8a4bfbd8fed65ddabbdfbedd

SHA1
53978653bcc6522a47912e2e2f9e91f7ce5d09cb

SHA256
072f53b6d2c8e125e92bd5e7dd1da80baf2b4d2690a2194cd02129822d8cfc26

SHA512
9883f9dddc7d2c9907062a6020aa714b65f36f1a169347d59a4ed9b0c7fc9bd94c83fb6807df923b3b838ba3474afab17d0d535b3d57781fd71d2b884c3beccf

Download Submit
C:\Windows\{F90FF8F7-8E6C-4d2e-9DAA-1F850C84395C}.exe

Filesize
380KB

MD5
a598cef3984daa135ae6b9f0e8cf0bd7

SHA1
33d8f23796be7973112401fd17071fd172459353

SHA256
9b749cb5f23463de7f9cbe871297fd6c5bc5c2ef9aab302265195768e472b71d

SHA512
94b8220f8109259e73f15b01b0a41ecba9bbe8b821e770d51b0a29f3eeb7c006ac1eaaaab3f44cd42063df6b83f2fd865faa29becc0d500ed2a9857545882b57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads