998775e75aeb7e955a3d21846f04f8850406d3600474576b39b6b2ad4df53220

Analysis

max time kernel
169s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
Size

216KB
MD5

d55220a22c6e8e15aed43b7264b54224
SHA1

a59933ad769f904c0ec4090b413c7f299696806d
SHA256

998775e75aeb7e955a3d21846f04f8850406d3600474576b39b6b2ad4df53220
SHA512

75c2e20605b80ae53484436750c14f96d70e12e3a2380f775dd8e8e4d3fdc19a5bad7ccc2d14286b2399bf0d89906cde3ac7d51be2e9509226ad96ac9c626ff3
SSDEEP

3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGPlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D086071-E263-4704-AD5C-267DCF9C9C9E}	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{206B055B-A6F2-466b-8507-5C30872AB86C}	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}\stubpath = "C:\\Windows\\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe"	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B42F0153-49B5-4eb1-82DC-5C602BA32189}	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A33E803-610F-465d-A9CC-000C8254005C}	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}	{7A33E803-610F-465d-A9CC-000C8254005C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}\stubpath = "C:\\Windows\\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe"	{7A33E803-610F-465d-A9CC-000C8254005C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}\stubpath = "C:\\Windows\\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe"	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78B3CD02-64A2-4676-881F-4E2A00DBD979}\stubpath = "C:\\Windows\\{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe"	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A33E803-610F-465d-A9CC-000C8254005C}\stubpath = "C:\\Windows\\{7A33E803-610F-465d-A9CC-000C8254005C}.exe"	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}\stubpath = "C:\\Windows\\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe"	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D086071-E263-4704-AD5C-267DCF9C9C9E}\stubpath = "C:\\Windows\\{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe"	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{206B055B-A6F2-466b-8507-5C30872AB86C}\stubpath = "C:\\Windows\\{206B055B-A6F2-466b-8507-5C30872AB86C}.exe"	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B42F0153-49B5-4eb1-82DC-5C602BA32189}\stubpath = "C:\\Windows\\{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe"	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}\stubpath = "C:\\Windows\\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe"	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78B3CD02-64A2-4676-881F-4E2A00DBD979}	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}\stubpath = "C:\\Windows\\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe"	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe

Executes dropped EXE 11 IoCs

pid	Process
3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe
4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe
4512	{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
File created	C:\Windows\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
File created	C:\Windows\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
File created	C:\Windows\{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
File created	C:\Windows\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe
File created	C:\Windows\{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
File created	C:\Windows\{7A33E803-610F-465d-A9CC-000C8254005C}.exe	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
File created	C:\Windows\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	{7A33E803-610F-465d-A9CC-000C8254005C}.exe
File created	C:\Windows\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
File created	C:\Windows\{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
File created	C:\Windows\{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
Token: SeIncBasePriorityPrivilege	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
Token: SeIncBasePriorityPrivilege	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe
Token: SeIncBasePriorityPrivilege	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
Token: SeIncBasePriorityPrivilege	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
Token: SeIncBasePriorityPrivilege	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
Token: SeIncBasePriorityPrivilege	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
Token: SeIncBasePriorityPrivilege	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
Token: SeIncBasePriorityPrivilege	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
Token: SeIncBasePriorityPrivilege	4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3508	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	95
PID 1012 wrote to memory of 3508	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	95
PID 1012 wrote to memory of 3508	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	95
PID 1012 wrote to memory of 3148	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	96
PID 1012 wrote to memory of 3148	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	96
PID 1012 wrote to memory of 3148	1012	2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe	96
PID 3508 wrote to memory of 2316	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	97
PID 3508 wrote to memory of 2316	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	97
PID 3508 wrote to memory of 2316	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	97
PID 3508 wrote to memory of 1668	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	98
PID 3508 wrote to memory of 1668	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	98
PID 3508 wrote to memory of 1668	3508	{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe	98
PID 2316 wrote to memory of 764	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	100
PID 2316 wrote to memory of 764	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	100
PID 2316 wrote to memory of 764	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	100
PID 2316 wrote to memory of 2412	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	101
PID 2316 wrote to memory of 2412	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	101
PID 2316 wrote to memory of 2412	2316	{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe	101
PID 764 wrote to memory of 4132	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	103
PID 764 wrote to memory of 4132	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	103
PID 764 wrote to memory of 4132	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	103
PID 764 wrote to memory of 4320	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	102
PID 764 wrote to memory of 4320	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	102
PID 764 wrote to memory of 4320	764	{7A33E803-610F-465d-A9CC-000C8254005C}.exe	102
PID 4132 wrote to memory of 2176	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	110
PID 4132 wrote to memory of 2176	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	110
PID 4132 wrote to memory of 2176	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	110
PID 4132 wrote to memory of 3692	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	111
PID 4132 wrote to memory of 3692	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	111
PID 4132 wrote to memory of 3692	4132	{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe	111
PID 2176 wrote to memory of 2968	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	114
PID 2176 wrote to memory of 2968	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	114
PID 2176 wrote to memory of 2968	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	114
PID 2176 wrote to memory of 2572	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	115
PID 2176 wrote to memory of 2572	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	115
PID 2176 wrote to memory of 2572	2176	{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe	115
PID 2968 wrote to memory of 3964	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	116
PID 2968 wrote to memory of 3964	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	116
PID 2968 wrote to memory of 3964	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	116
PID 2968 wrote to memory of 1888	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	117
PID 2968 wrote to memory of 1888	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	117
PID 2968 wrote to memory of 1888	2968	{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe	117
PID 3964 wrote to memory of 2620	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	118
PID 3964 wrote to memory of 2620	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	118
PID 3964 wrote to memory of 2620	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	118
PID 3964 wrote to memory of 4332	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	119
PID 3964 wrote to memory of 4332	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	119
PID 3964 wrote to memory of 4332	3964	{206B055B-A6F2-466b-8507-5C30872AB86C}.exe	119
PID 2620 wrote to memory of 4772	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	123
PID 2620 wrote to memory of 4772	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	123
PID 2620 wrote to memory of 4772	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	123
PID 2620 wrote to memory of 404	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	124
PID 2620 wrote to memory of 404	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	124
PID 2620 wrote to memory of 404	2620	{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe	124
PID 4772 wrote to memory of 4060	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	131
PID 4772 wrote to memory of 4060	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	131
PID 4772 wrote to memory of 4060	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	131
PID 4772 wrote to memory of 644	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	132
PID 4772 wrote to memory of 644	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	132
PID 4772 wrote to memory of 644	4772	{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe	132
PID 4060 wrote to memory of 4512	4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe	133
PID 4060 wrote to memory of 4512	4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe	133
PID 4060 wrote to memory of 4512	4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe	133
PID 4060 wrote to memory of 4692	4060	{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_d55220a22c6e8e15aed43b7264b54224_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
  C:\Windows\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
    C:\Windows\{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\{7A33E803-610F-465d-A9CC-000C8254005C}.exe
      C:\Windows\{7A33E803-610F-465d-A9CC-000C8254005C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A33E~1.EXE > nul
        5⤵
        
        PID:4320
    - - C:\Windows\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
        
        C:\Windows\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
      - C:\Windows\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
        
        C:\Windows\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
        
        C:\Windows\{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
        
        C:\Windows\{206B055B-A6F2-466b-8507-5C30872AB86C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
        
        C:\Windows\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
        
        C:\Windows\{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe
        
        C:\Windows\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe
        
        C:\Windows\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe
        12⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A7B7~1.EXE > nul
        12⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B42F0~1.EXE > nul
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BDF6~1.EXE > nul
        10⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{206B0~1.EXE > nul
        9⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D086~1.EXE > nul
        8⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C1C~1.EXE > nul
        7⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B36~1.EXE > nul
        6⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78B3C~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF33~1.EXE > nul
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CF33D58-26BA-43e4-A9D6-8CF97C8CB355}.exe

Filesize
216KB

MD5
4c2c727a45e07471d611662fb35109f6

SHA1
35ebb44e100de7496e1a958f2eb66057efe2381b

SHA256
1b449e5cf8f1b10294c6334b6dde5faeb39f240ed32725f39048199c3f111e05

SHA512
a674ebb07a6a771dcb5bbd0a1974a93faa0258cc15533f9a7dab610e4824654437148706d2dcfea0e4698c0194c8412868ce76e0de4ac3989696f59b0333eb1d

Download Submit
C:\Windows\{206B055B-A6F2-466b-8507-5C30872AB86C}.exe

Filesize
216KB

MD5
a47c808ab53eb2efdf4e740a62e61433

SHA1
e9705e8e7649d9be1fe9d701f122d40418ce4f05

SHA256
05a872c0464d9206e44ac096bf5065bd6f86721c5c48b7c02f273dd82731df35

SHA512
f641a5bc4b4c5a33da5b6f588e9149f92bd682f75471d97151a540e72c7771556da7789d91b0367405a1faa38d461c102e2f870ed28d3baa9dc6f0b9289493af

Download Submit
C:\Windows\{2A7B74B9-BFAA-433b-BDA9-A4969BA62E0E}.exe

Filesize
216KB

MD5
30252b50b949cb23c8050c77243879ab

SHA1
8c431a8e3d2b3da992d7045eb85485fea6ae6b0a

SHA256
339fe22f4fee8c3f6303f53ae402ce31e3cdc558a27f833e31221b29e051c7ea

SHA512
8a0cd05427ba3d46a68304744267f70d59cd5fbbd78cb5d3b7f73dc71649bf43d3a436b4b4190870f9b57933b38f28c4a77260e020ee68b8dd10ee340693ce4c

Download Submit
C:\Windows\{535066E1-FC40-41ec-B9DD-BD3FFEBBE38A}.exe

Filesize
216KB

MD5
620c8b03bb46fb21b8e48217be72ad5f

SHA1
f10c457dfe97d5be8a0c87f129759bedbf1681e5

SHA256
367b188a945b6a809703f8a46b5671be6cdcc67f7efc440e822473f503180e26

SHA512
5a8b726ea166a742bd0b884a6faa838174de554738089fbdfcd2904e6c300c4a5ac75137456d41114cb69d5a6e222219f894abca51c66c3ce453ac2712d10efd

Download Submit
C:\Windows\{6D086071-E263-4704-AD5C-267DCF9C9C9E}.exe

Filesize
216KB

MD5
09e7eb5a051f9f96b2ff06353291b210

SHA1
67059e7e9bc46764049666b70364c1cc7812de29

SHA256
cc2f4aefcb9c788f098cdfdf3493d6908077875eff4f90a867f0cdd3fe2014bd

SHA512
71bb53e4ec6a128954dc107dbcc7ee3e59583ed51b372d0fe9286a0f69b19ecc356f446b8bf756d703e1a5be4c0e82692c319ca1da6256cba38a3e406932a531

Download Submit
C:\Windows\{78B3CD02-64A2-4676-881F-4E2A00DBD979}.exe

Filesize
216KB

MD5
ab586d52c4ccc9abe397431dc0e99844

SHA1
6d8b3ee69ec1c95440d93dad895cb9da15ec69fb

SHA256
c79ad1d11715c6c0cc9c389860fed382e3c16c1a8d1d2fd0b67453fd7f30ff31

SHA512
d29803372bfba673ca9546fe18d5e1ab1a97681dee11154d8f008f20539e66b962cd160a6901598fbeffa313d4e22a95709fbac9bfcea95771fecdca10b031b5

Download Submit
C:\Windows\{7A33E803-610F-465d-A9CC-000C8254005C}.exe

Filesize
216KB

MD5
84640b7d72321386fa1702c03666d90b

SHA1
80cedbc41a56a87ab9e48fb9fc64aab340b41079

SHA256
b9a08ca75bb849c72fc6f020bf56491bf6905e837a91f876367fc569135871f1

SHA512
6e77eb17adb1888cc0ebf8e4d274a1aa1f28612e06802423307c69195d7b4779138042b9c656c5e008bd8370f55e28ccbffce1b1a3fc805264608d4c8c3da9c8

Download Submit
C:\Windows\{8BDF6F66-2AF8-46f8-9FCA-A0C74138613A}.exe

Filesize
216KB

MD5
f3f4846362034ec324ceb0e675a108d7

SHA1
7b1f23da3ca6e81f7bfa43ddfacadf844d86d760

SHA256
7bd061c2d96f8164de45efc729776f46ad58a95b9651d8ff6ca4f4046ffcc54d

SHA512
4999b37cce7e5cf63ec510d46862fc695170454df0e4fbe12b05dd354354bcb5ad40bf3f1bdc60fcd0718df18e463cdcfc94507f4f1ad379343255a2c0a6d20d

Download Submit
C:\Windows\{B42F0153-49B5-4eb1-82DC-5C602BA32189}.exe

Filesize
216KB

MD5
cff3d09c9fc17d46e23be6659887ae3f

SHA1
50da2ed7a6b49d6274f2ceffaece6489b9f9ded2

SHA256
646a2e5ba2a1f5566bfb48ffa53230fdb78e816b97fb479d4c30dc46f8b4acb8

SHA512
a66367050e9c956376d6483df2d03914b7da20da3220c6ff95d92fb3ced7a276b35599adae7f937dca1836827d580f8e8aac084fb534d1c451fd398e8153072c

Download Submit
C:\Windows\{B8C1CBD4-BAEE-44d2-97D4-E788A518C639}.exe

Filesize
216KB

MD5
58c75c1c8526b3d62521b848082061c5

SHA1
e7dcc64e75ca7d429d05ef7f802258495d287051

SHA256
61a0fc4fe9b5c7bf827ee32080899a715a3921c9f2ab33cb6e42641f87eae83b

SHA512
bdaea46fdd97d52f8807147f5a38b5d1380b67155c8bdc808c5349fc3612ef548d24f23fd607b610a8f656449bf4e12d13b91fc2e5994c6bc12fd73137a483e2

Download Submit
C:\Windows\{F5B36EF4-ACEC-4fa8-A24F-B1D9663041B9}.exe

Filesize
216KB

MD5
4f3740f4d62f5b3935e91281d55e3402

SHA1
bb2997c4cb5270fe1a14b696def102040a08dce8

SHA256
784d44d7a2c3e13d08ef0fd99102a4543df6e8ed54fdbf2aaed56e742f077300

SHA512
7cf848efc432f50baccbc245a2bcaccd59baeac66c099b10a1f8057ae406493a0788480934455b8601c8e27847a8c10465742f6fa284ff16f54260d147db35e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads