e7bac3708927be8bfbdcc2bd095a56a0bdd06dd33bdb30f84086655d80dbd43a

Analysis

max time kernel
137s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
Size

372KB
MD5

a951890c78c1b918ac584f7f7d69d9d7
SHA1

b8effafaa3c870cc8ce1ff09d73b5e4ef0249538
SHA256

e7bac3708927be8bfbdcc2bd095a56a0bdd06dd33bdb30f84086655d80dbd43a
SHA512

fa2e7be5bcd2a5e1cdbca530011443360e74ec8149ee8d9850120dd60ce419e0dc32f3fd358f2509fa11ed97a995b1f9d9f31d3a69759db5cffcc3919b631587
SSDEEP

3072:CEGh0osmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG3l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}\stubpath = "C:\\Windows\\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe"	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10C3036-406B-48fc-81D7-0047A40851BE}\stubpath = "C:\\Windows\\{E10C3036-406B-48fc-81D7-0047A40851BE}.exe"	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E21C4B1-B877-4042-907B-2B9F426BA51A}	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5498296-A777-4ec7-8D70-1607196BEEDC}	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E21C4B1-B877-4042-907B-2B9F426BA51A}\stubpath = "C:\\Windows\\{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe"	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}\stubpath = "C:\\Windows\\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe"	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}\stubpath = "C:\\Windows\\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe"	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}\stubpath = "C:\\Windows\\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe"	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}\stubpath = "C:\\Windows\\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe"	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}\stubpath = "C:\\Windows\\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe"	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D0777BA-CAD7-4126-B542-8052BF10B73B}\stubpath = "C:\\Windows\\{1D0777BA-CAD7-4126-B542-8052BF10B73B}.exe"	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D0777BA-CAD7-4126-B542-8052BF10B73B}	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}\stubpath = "C:\\Windows\\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe"	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5498296-A777-4ec7-8D70-1607196BEEDC}\stubpath = "C:\\Windows\\{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe"	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10C3036-406B-48fc-81D7-0047A40851BE}	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe

Executes dropped EXE 11 IoCs

pid	Process
1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
684	{1D0777BA-CAD7-4126-B542-8052BF10B73B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
File created	C:\Windows\{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
File created	C:\Windows\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
File created	C:\Windows\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
File created	C:\Windows\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
File created	C:\Windows\{1D0777BA-CAD7-4126-B542-8052BF10B73B}.exe	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
File created	C:\Windows\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
File created	C:\Windows\{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
File created	C:\Windows\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
File created	C:\Windows\{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
File created	C:\Windows\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
Token: SeIncBasePriorityPrivilege	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
Token: SeIncBasePriorityPrivilege	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
Token: SeIncBasePriorityPrivilege	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
Token: SeIncBasePriorityPrivilege	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
Token: SeIncBasePriorityPrivilege	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
Token: SeIncBasePriorityPrivilege	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
Token: SeIncBasePriorityPrivilege	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
Token: SeIncBasePriorityPrivilege	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
Token: SeIncBasePriorityPrivilege	4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1196	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	98
PID 4756 wrote to memory of 1196	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	98
PID 4756 wrote to memory of 1196	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	98
PID 4756 wrote to memory of 3016	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	99
PID 4756 wrote to memory of 3016	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	99
PID 4756 wrote to memory of 3016	4756	2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe	99
PID 1196 wrote to memory of 2000	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	101
PID 1196 wrote to memory of 2000	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	101
PID 1196 wrote to memory of 2000	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	101
PID 1196 wrote to memory of 1104	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	100
PID 1196 wrote to memory of 1104	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	100
PID 1196 wrote to memory of 1104	1196	{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe	100
PID 2000 wrote to memory of 5092	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	105
PID 2000 wrote to memory of 5092	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	105
PID 2000 wrote to memory of 5092	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	105
PID 2000 wrote to memory of 2060	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	104
PID 2000 wrote to memory of 2060	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	104
PID 2000 wrote to memory of 2060	2000	{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe	104
PID 5092 wrote to memory of 336	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	106
PID 5092 wrote to memory of 336	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	106
PID 5092 wrote to memory of 336	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	106
PID 5092 wrote to memory of 4232	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	107
PID 5092 wrote to memory of 4232	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	107
PID 5092 wrote to memory of 4232	5092	{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe	107
PID 336 wrote to memory of 3064	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	109
PID 336 wrote to memory of 3064	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	109
PID 336 wrote to memory of 3064	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	109
PID 336 wrote to memory of 2408	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	110
PID 336 wrote to memory of 2408	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	110
PID 336 wrote to memory of 2408	336	{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe	110
PID 3064 wrote to memory of 4640	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	114
PID 3064 wrote to memory of 4640	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	114
PID 3064 wrote to memory of 4640	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	114
PID 3064 wrote to memory of 2584	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	113
PID 3064 wrote to memory of 2584	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	113
PID 3064 wrote to memory of 2584	3064	{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe	113
PID 4640 wrote to memory of 4300	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	115
PID 4640 wrote to memory of 4300	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	115
PID 4640 wrote to memory of 4300	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	115
PID 4640 wrote to memory of 1992	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	116
PID 4640 wrote to memory of 1992	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	116
PID 4640 wrote to memory of 1992	4640	{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe	116
PID 4300 wrote to memory of 4356	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	117
PID 4300 wrote to memory of 4356	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	117
PID 4300 wrote to memory of 4356	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	117
PID 4300 wrote to memory of 368	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	118
PID 4300 wrote to memory of 368	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	118
PID 4300 wrote to memory of 368	4300	{E10C3036-406B-48fc-81D7-0047A40851BE}.exe	118
PID 4356 wrote to memory of 4956	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	124
PID 4356 wrote to memory of 4956	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	124
PID 4356 wrote to memory of 4956	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	124
PID 4356 wrote to memory of 3972	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	123
PID 4356 wrote to memory of 3972	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	123
PID 4356 wrote to memory of 3972	4356	{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe	123
PID 4956 wrote to memory of 4388	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	126
PID 4956 wrote to memory of 4388	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	126
PID 4956 wrote to memory of 4388	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	126
PID 4956 wrote to memory of 3584	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	125
PID 4956 wrote to memory of 3584	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	125
PID 4956 wrote to memory of 3584	4956	{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe	125
PID 4388 wrote to memory of 684	4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe	133
PID 4388 wrote to memory of 684	4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe	133
PID 4388 wrote to memory of 684	4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe	133
PID 4388 wrote to memory of 3808	4388	{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_a951890c78c1b918ac584f7f7d69d9d7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
  C:\Windows\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9ABD9~1.EXE > nul
    3⤵
    PID:1104
- - C:\Windows\{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
    C:\Windows\{0E21C4B1-B877-4042-907B-2B9F426BA51A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E21C~1.EXE > nul
      4⤵
      PID:2060
  - - C:\Windows\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
      C:\Windows\{16DF24A3-BBE4-46ef-B10A-EA014274BF36}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
        
        C:\Windows\{D5498296-A777-4ec7-8D70-1607196BEEDC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
        
        C:\Windows\{49AF02B8-8225-4d2d-AB64-8968AF63D91E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49AF0~1.EXE > nul
        7⤵
        
        PID:2584
        
        C:\Windows\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
        
        C:\Windows\{B0DED4EB-0531-46e9-B9A1-1F58BF60EC79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
        
        C:\Windows\{E10C3036-406B-48fc-81D7-0047A40851BE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
        
        C:\Windows\{25DF87C7-DA62-473a-9410-C1F0E3F28E97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25DF8~1.EXE > nul
        10⤵
        
        PID:3972
        
        C:\Windows\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
        
        C:\Windows\{E4582218-BEA8-489d-8EEF-2B13BFB242B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4582~1.EXE > nul
        11⤵
        
        PID:3584
        
        C:\Windows\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
        
        C:\Windows\{DF88EBB8-EC29-4078-A398-0ED5A2AD15C6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF88E~1.EXE > nul
        12⤵
        
        PID:3808
        
        C:\Windows\{1D0777BA-CAD7-4126-B542-8052BF10B73B}.exe
        
        C:\Windows\{1D0777BA-CAD7-4126-B542-8052BF10B73B}.exe
        12⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10C3~1.EXE > nul
        9⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0DED~1.EXE > nul
        8⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5498~1.EXE > nul
        6⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16DF2~1.EXE > nul
        5⤵
        
        PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{9ABD9887-B620-4262-ACE5-1DD1DDA115B4}.exe

Filesize
8KB

MD5
a8a0ed6a3d006b9c685416b2901469b8

SHA1
e38e49ee60f018d59dd150e73fb48bff8cc670b8

SHA256
97162b1da59d3332ba73ef4c0d1d1831e76b7db4782937b32ab053a209c6e90f

SHA512
314a17f1cbc41eb70a39548386d7f9bb9e264ba21a55ebd901649c28fe6d354c6df0bff6e9983ec9961d9735574663b902706429601113a04409b30be1c2443d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads