f966abfad0983cf36184e5725b0961613cf7104833ad390b7a9710ba43eb1c46

Analysis

max time kernel
149s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Size

168KB
MD5

6813224d0a52e9d893678d844bfe499f
SHA1

3bf440bfc3ced85fa68d470dfa7266f670bb7a22
SHA256

f966abfad0983cf36184e5725b0961613cf7104833ad390b7a9710ba43eb1c46
SHA512

8d03669c8fccf52a531a62efe17c26b502431b6ec9389450cc56d8fc43af5bd4aed1f06b5700332931e9cf52e132355422a6606c7abec6fa5ce7c448f45ab80f
SSDEEP

1536:1EGh0oqli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17A4B905-DF03-4803-847C-620BDAD86F43}\stubpath = "C:\\Windows\\{17A4B905-DF03-4803-847C-620BDAD86F43}.exe"	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}\stubpath = "C:\\Windows\\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe"	{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}\stubpath = "C:\\Windows\\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe"	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CB7321-6900-4b21-BDE2-F92218F252F4}	{AA55B8F6-D246-4205-901B-82862213E906}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}\stubpath = "C:\\Windows\\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe"	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EFAB79-381B-4041-B488-C39A06410D65}	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}\stubpath = "C:\\Windows\\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe"	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CB7321-6900-4b21-BDE2-F92218F252F4}\stubpath = "C:\\Windows\\{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe"	{AA55B8F6-D246-4205-901B-82862213E906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4E23399-3C39-402d-B551-E9D97B54EE09}\stubpath = "C:\\Windows\\{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe"	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78EFAB79-381B-4041-B488-C39A06410D65}\stubpath = "C:\\Windows\\{78EFAB79-381B-4041-B488-C39A06410D65}.exe"	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}	{78EFAB79-381B-4041-B488-C39A06410D65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17A4B905-DF03-4803-847C-620BDAD86F43}	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}\stubpath = "C:\\Windows\\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe"	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}	{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA55B8F6-D246-4205-901B-82862213E906}	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA55B8F6-D246-4205-901B-82862213E906}\stubpath = "C:\\Windows\\{AA55B8F6-D246-4205-901B-82862213E906}.exe"	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}\stubpath = "C:\\Windows\\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe"	{78EFAB79-381B-4041-B488-C39A06410D65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4E23399-3C39-402d-B551-E9D97B54EE09}	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}\stubpath = "C:\\Windows\\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe"	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe
4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe
4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
1008	{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe
3660	{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
File created	C:\Windows\{AA55B8F6-D246-4205-901B-82862213E906}.exe	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
File created	C:\Windows\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
File created	C:\Windows\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	{78EFAB79-381B-4041-B488-C39A06410D65}.exe
File created	C:\Windows\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
File created	C:\Windows\{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
File created	C:\Windows\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
File created	C:\Windows\{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	{AA55B8F6-D246-4205-901B-82862213E906}.exe
File created	C:\Windows\{78EFAB79-381B-4041-B488-C39A06410D65}.exe	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
File created	C:\Windows\{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
File created	C:\Windows\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
File created	C:\Windows\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe	{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Token: SeIncBasePriorityPrivilege	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
Token: SeIncBasePriorityPrivilege	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe
Token: SeIncBasePriorityPrivilege	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
Token: SeIncBasePriorityPrivilege	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
Token: SeIncBasePriorityPrivilege	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe
Token: SeIncBasePriorityPrivilege	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
Token: SeIncBasePriorityPrivilege	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
Token: SeIncBasePriorityPrivilege	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
Token: SeIncBasePriorityPrivilege	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
Token: SeIncBasePriorityPrivilege	3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
Token: SeIncBasePriorityPrivilege	1008	{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3992	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	89
PID 1008 wrote to memory of 3992	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	89
PID 1008 wrote to memory of 3992	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	89
PID 1008 wrote to memory of 4848	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	90
PID 1008 wrote to memory of 4848	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	90
PID 1008 wrote to memory of 4848	1008	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	90
PID 3992 wrote to memory of 4040	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	91
PID 3992 wrote to memory of 4040	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	91
PID 3992 wrote to memory of 4040	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	91
PID 3992 wrote to memory of 1928	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	92
PID 3992 wrote to memory of 1928	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	92
PID 3992 wrote to memory of 1928	3992	{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe	92
PID 4040 wrote to memory of 4328	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	95
PID 4040 wrote to memory of 4328	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	95
PID 4040 wrote to memory of 4328	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	95
PID 4040 wrote to memory of 932	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	96
PID 4040 wrote to memory of 932	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	96
PID 4040 wrote to memory of 932	4040	{AA55B8F6-D246-4205-901B-82862213E906}.exe	96
PID 4328 wrote to memory of 1568	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	98
PID 4328 wrote to memory of 1568	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	98
PID 4328 wrote to memory of 1568	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	98
PID 4328 wrote to memory of 2424	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	99
PID 4328 wrote to memory of 2424	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	99
PID 4328 wrote to memory of 2424	4328	{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe	99
PID 1568 wrote to memory of 4468	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	100
PID 1568 wrote to memory of 4468	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	100
PID 1568 wrote to memory of 4468	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	100
PID 1568 wrote to memory of 3888	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	101
PID 1568 wrote to memory of 3888	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	101
PID 1568 wrote to memory of 3888	1568	{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe	101
PID 4468 wrote to memory of 4464	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	102
PID 4468 wrote to memory of 4464	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	102
PID 4468 wrote to memory of 4464	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	102
PID 4468 wrote to memory of 4964	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	103
PID 4468 wrote to memory of 4964	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	103
PID 4468 wrote to memory of 4964	4468	{78EFAB79-381B-4041-B488-C39A06410D65}.exe	103
PID 4464 wrote to memory of 116	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	104
PID 4464 wrote to memory of 116	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	104
PID 4464 wrote to memory of 116	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	104
PID 4464 wrote to memory of 4968	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	105
PID 4464 wrote to memory of 4968	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	105
PID 4464 wrote to memory of 4968	4464	{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe	105
PID 116 wrote to memory of 4388	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	106
PID 116 wrote to memory of 4388	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	106
PID 116 wrote to memory of 4388	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	106
PID 116 wrote to memory of 4276	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	107
PID 116 wrote to memory of 4276	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	107
PID 116 wrote to memory of 4276	116	{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe	107
PID 4388 wrote to memory of 100	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	108
PID 4388 wrote to memory of 100	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	108
PID 4388 wrote to memory of 100	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	108
PID 4388 wrote to memory of 3892	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	109
PID 4388 wrote to memory of 3892	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	109
PID 4388 wrote to memory of 3892	4388	{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe	109
PID 100 wrote to memory of 3528	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	110
PID 100 wrote to memory of 3528	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	110
PID 100 wrote to memory of 3528	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	110
PID 100 wrote to memory of 4076	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	111
PID 100 wrote to memory of 4076	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	111
PID 100 wrote to memory of 4076	100	{17A4B905-DF03-4803-847C-620BDAD86F43}.exe	111
PID 3528 wrote to memory of 1008	3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe	112
PID 3528 wrote to memory of 1008	3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe	112
PID 3528 wrote to memory of 1008	3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe	112
PID 3528 wrote to memory of 1012	3528	{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe	113

C:\Users\Admin\AppData\Local\Temp\202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
  C:\Windows\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\{AA55B8F6-D246-4205-901B-82862213E906}.exe
    C:\Windows\{AA55B8F6-D246-4205-901B-82862213E906}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
      C:\Windows\{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
        
        C:\Windows\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\{78EFAB79-381B-4041-B488-C39A06410D65}.exe
        
        C:\Windows\{78EFAB79-381B-4041-B488-C39A06410D65}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
        
        C:\Windows\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
        
        C:\Windows\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
        
        C:\Windows\{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
        
        C:\Windows\{17A4B905-DF03-4803-847C-620BDAD86F43}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
        
        C:\Windows\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe
        
        C:\Windows\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe
        
        C:\Windows\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe
        13⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A7D3~1.EXE > nul
        13⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E957~1.EXE > nul
        12⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4B~1.EXE > nul
        11⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4E23~1.EXE > nul
        10⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F980~1.EXE > nul
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F734~1.EXE > nul
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78EFA~1.EXE > nul
        7⤵
        
        PID:4964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A4A~1.EXE > nul
        6⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6CB7~1.EXE > nul
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA55B~1.EXE > nul
      4⤵
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F722E~1.EXE > nul
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202404~1.EXE > nul
  2⤵
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17A4B905-DF03-4803-847C-620BDAD86F43}.exe

Filesize
168KB

MD5
6556538fca3f5959dd3355da5dd789ef

SHA1
eb53e46293bcc298169b180055275e96ee421413

SHA256
d4f46a178078bce5d937477b6dfcedb8c7587e3c3b2b6d63010260174f9bb46e

SHA512
bb722e81b791074de0f4f721df71f11d8b7b7c1ecc60c0427dd19be04353fe1a214808831716f2482cdef67a43aa13af0b3b99a32227c86e22450cae0b370058

Download Submit
C:\Windows\{2A7D374D-EDEC-4f37-A3EC-DA67BF973EF9}.exe

Filesize
168KB

MD5
ae6d7a5f1fa6b1fd09931e65b609da93

SHA1
4d3785c0260b0e26bc676ad18d1144cc2aac4e20

SHA256
f71c9aacd2d4f242af39e64c57754c49d1fe6bb51657e2fd3cde78adfccb6a6f

SHA512
e181f7266c2d9f784d42a324bf8d48eb0ebfadd59e4d240b1df3b6651e66c79d9ab9ef48b32e0755cf915239a848d5e68fcaac526dde9eae57df2310e23a69e5

Download Submit
C:\Windows\{2E957FCE-DF2E-4078-ABF3-B09BBAC9BA9F}.exe

Filesize
168KB

MD5
378c262522724d6d2b591707e6ce5744

SHA1
2d2b0943aea3bdedc5420feb1ad2d460f0e18c5b

SHA256
744eaf043ea370bb1c6d49924e984a93e326783dc94ac17e59ad532ac96e9be0

SHA512
1624477ecc0e58f3829475f93fde78b63279626d4f0c3bc771d3b3c8089d0634734a4c199439f12c5378b243a3388b3a5f0402aac4d4ff897a03d7a680c3de31

Download Submit
C:\Windows\{4F7341C4-2617-4d9f-8326-0D8C6425FA19}.exe

Filesize
168KB

MD5
051912255be6133ba51ed9b592b0ac60

SHA1
e0229c1c903d524c891fd44a7743617bb92d076c

SHA256
a9d5d30ba10f9b6ba9179fe2c0191954558b059c69ff733e17acf4766e9f495e

SHA512
e4459bf319efc849720c2b35863b266957a2cd462e629b5b20a06ef105ffbbd330800bc4cfda536d9da339e4cf3a75cb73cf4550e2c7e33b58f98d3b6f652228

Download Submit
C:\Windows\{61A4A59A-DB95-4cdb-A2DA-5034C79C7E86}.exe

Filesize
168KB

MD5
a61bf58aacd83ea3943e4e00dd9c0628

SHA1
28cfeb3aeae69958a330229610f14ff4add51a2f

SHA256
144071a7e200f01446e55a64f88aa211351b2a26647f8d1a9519a99f175ea175

SHA512
61397cffcaf53169f1b19ee290df361a5913f93f070ad4b01d34030aa504f504e0e43e8675855a6068e0333d93c46d018c099e7f0bbcdf21b4021fb2cd8506c8

Download Submit
C:\Windows\{78EFAB79-381B-4041-B488-C39A06410D65}.exe

Filesize
168KB

MD5
266ede16c19c0e4e1c2bac3b62c4514c

SHA1
df6f6fead05dc0090bfb77e48261b109d15283c5

SHA256
42be69060bab4774881d5d1cb56c5723989d62fc3fd70d5b88c797bec70b8c94

SHA512
fd2407ccb6ab838550f49ec5266c084c35afcc7bb5698453559d215ff921d0eeae6c54af3145aa35b2084571fcf775eb687c8d94edc5fbc62611d8703b949a3c

Download Submit
C:\Windows\{9F980C16-B1A2-4c3f-AE85-92CBB204AFD0}.exe

Filesize
168KB

MD5
1f656870b92056ba50d207908e82ef21

SHA1
89f9b502e3c2223fc53ae1576fa39ff1790ef62b

SHA256
4439182fad1d4db15accdf9921e7ee5ad632fe65e8c9c0d4ed33215b47871365

SHA512
429c9ae1c41f05041a2f08a012f25052a8d1dc50cbf701a2e365f1f0420873700f35d6537da8700ac4598941993245bef1cee178b39552ebd4478b7792b82ede

Download Submit
C:\Windows\{A6CB7321-6900-4b21-BDE2-F92218F252F4}.exe

Filesize
168KB

MD5
ef338793ebe16ef08a95eb3b9272c6b1

SHA1
709a270b3cb2f16a4fb23fbaa751ccd5f31cfaed

SHA256
7c984d8374145d42c01a958cecf045f0500fb294edcefb106b4a29c3b6a1d275

SHA512
c45d7062b0356cd1bab54d7475e1add018062258abdcc637c4f4fcf74bd752a92d5a6c2a4c206e7d1ca2ff8cbf0f34999e71c1323a74027157fb95b8370b2c4b

Download Submit
C:\Windows\{A84D5D2B-E101-4b70-99FD-FE5B7FEF0267}.exe

Filesize
168KB

MD5
a32401832a5bdc48820b2845c360f8b9

SHA1
2900aeaec9edac26f263ea0945c405247678fdcf

SHA256
16b42595930b37f32430deb3908fdc18fa6afdb42ac6485022d6890a682e8490

SHA512
9d45361f0b0c90b6ae8acb3756eb48bfbbb90cf8e99c6ee2cfe26828239c5153e8f91146ce2159650499b50fa6729592f9798c595eddff163e184838cc0b5857

Download Submit
C:\Windows\{AA55B8F6-D246-4205-901B-82862213E906}.exe

Filesize
168KB

MD5
f0a5279945b3f553f1b0e7111e2e9cb4

SHA1
c8a3a7f89e2262f8a88cee6836c2d42488aa2bf4

SHA256
e99ee71bb94170c69f441f0e0333147eef801bf9c6263b63e46d0159ec7db3a8

SHA512
8cb02c7166a2b3e8dc2ceb1a7aa0c296517e83d7d5e74a1555bad0497f13c81e0e3672e251413fe9ba4ef321613122560cd67dc85c4f0fab2f7d95fcf6cc7cec

Download Submit
C:\Windows\{B4E23399-3C39-402d-B551-E9D97B54EE09}.exe

Filesize
168KB

MD5
2fc70569729cc452fc52473d31e89082

SHA1
3381d06c265d11a8164a4778cb0b1b1d2f6403c3

SHA256
d18b02848d4da394aae6631237c4f25b53931bca8c98407a6a0442f988484949

SHA512
deac40d687c7030f4c9d866d967653d914e04caf2c33d4a8150d49585b0db28982f1fe1b94f3dea0ccb3b1a982e2f251554a05e299922d09a9815335932c958b

Download Submit
C:\Windows\{F722E4A1-F8C5-4d9f-ABAE-F07648A6C54F}.exe

Filesize
168KB

MD5
6506a700ec0e69c2c95933181a27023e

SHA1
5458447c43bc62f3069f18b01544975a577b0b95

SHA256
9ba187c47b83b206f62724edfdc2d616d2deefeb255661fcaf6d54dc81f7b09a

SHA512
26b9979a921b9ae5eb9424a35dcfc195ff4b394dd0cebf6533942e5b14b76f943fcedac356a2f79ef2f2df4695a9a263214a2078b9e1e224958b6e278a3060a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads