e98e60e0b2552944d874c91b1678a94ebc4a5e3c1d0f3291e9da0b155715f839

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Size

380KB
MD5

0740051a483ba3199f183a02f3e56439
SHA1

8efd8ecba542fbe9aa4416ed7777d4f24ed60624
SHA256

e98e60e0b2552944d874c91b1678a94ebc4a5e3c1d0f3291e9da0b155715f839
SHA512

462665170ed77d28a0a625fde3137c584df82dfc221031aa68d63ee0189ed7a69202ae69d4af28cd73bf5969bf220c510ed31b1a8d3980712cbfb3e883b52af6
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG8l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}\stubpath = "C:\\Windows\\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe"	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5072DE6-9D33-4139-9774-455D92290107}\stubpath = "C:\\Windows\\{D5072DE6-9D33-4139-9774-455D92290107}.exe"	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BAEC5C-40CD-4677-9E06-F7862B75430D}\stubpath = "C:\\Windows\\{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe"	{D5072DE6-9D33-4139-9774-455D92290107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9E6610-4822-4398-88F0-C4033D41A48A}\stubpath = "C:\\Windows\\{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe"	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877B5C9B-F17B-4a80-A618-960FC706910A}\stubpath = "C:\\Windows\\{877B5C9B-F17B-4a80-A618-960FC706910A}.exe"	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}\stubpath = "C:\\Windows\\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe"	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E5068-C469-4256-847F-3A877D5618C0}\stubpath = "C:\\Windows\\{3A7E5068-C469-4256-847F-3A877D5618C0}.exe"	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877B5C9B-F17B-4a80-A618-960FC706910A}	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}\stubpath = "C:\\Windows\\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe"	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5072DE6-9D33-4139-9774-455D92290107}	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}\stubpath = "C:\\Windows\\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe"	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}\stubpath = "C:\\Windows\\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe"	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9E6610-4822-4398-88F0-C4033D41A48A}	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}\stubpath = "C:\\Windows\\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe"	{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BAEC5C-40CD-4677-9E06-F7862B75430D}	{D5072DE6-9D33-4139-9774-455D92290107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}	{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}\stubpath = "C:\\Windows\\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe"	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E5068-C469-4256-847F-3A877D5618C0}	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe

Executes dropped EXE 12 IoCs

pid	Process
1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe
2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
4144	{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
3324	{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
File created	C:\Windows\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe	{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
File created	C:\Windows\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
File created	C:\Windows\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
File created	C:\Windows\{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
File created	C:\Windows\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
File created	C:\Windows\{D5072DE6-9D33-4139-9774-455D92290107}.exe	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
File created	C:\Windows\{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe	{D5072DE6-9D33-4139-9774-455D92290107}.exe
File created	C:\Windows\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
File created	C:\Windows\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
File created	C:\Windows\{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
File created	C:\Windows\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Token: SeIncBasePriorityPrivilege	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
Token: SeIncBasePriorityPrivilege	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
Token: SeIncBasePriorityPrivilege	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
Token: SeIncBasePriorityPrivilege	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
Token: SeIncBasePriorityPrivilege	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
Token: SeIncBasePriorityPrivilege	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
Token: SeIncBasePriorityPrivilege	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
Token: SeIncBasePriorityPrivilege	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
Token: SeIncBasePriorityPrivilege	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe
Token: SeIncBasePriorityPrivilege	2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
Token: SeIncBasePriorityPrivilege	4144	{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1616	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	97
PID 4900 wrote to memory of 1616	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	97
PID 4900 wrote to memory of 1616	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	97
PID 4900 wrote to memory of 4956	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	98
PID 4900 wrote to memory of 4956	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	98
PID 4900 wrote to memory of 4956	4900	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	98
PID 1616 wrote to memory of 5000	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	99
PID 1616 wrote to memory of 5000	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	99
PID 1616 wrote to memory of 5000	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	99
PID 1616 wrote to memory of 4012	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	100
PID 1616 wrote to memory of 4012	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	100
PID 1616 wrote to memory of 4012	1616	{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe	100
PID 5000 wrote to memory of 2320	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	103
PID 5000 wrote to memory of 2320	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	103
PID 5000 wrote to memory of 2320	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	103
PID 5000 wrote to memory of 3044	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	104
PID 5000 wrote to memory of 3044	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	104
PID 5000 wrote to memory of 3044	5000	{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe	104
PID 2320 wrote to memory of 4616	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	105
PID 2320 wrote to memory of 4616	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	105
PID 2320 wrote to memory of 4616	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	105
PID 2320 wrote to memory of 732	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	106
PID 2320 wrote to memory of 732	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	106
PID 2320 wrote to memory of 732	2320	{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe	106
PID 4616 wrote to memory of 3448	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	107
PID 4616 wrote to memory of 3448	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	107
PID 4616 wrote to memory of 3448	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	107
PID 4616 wrote to memory of 3848	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	108
PID 4616 wrote to memory of 3848	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	108
PID 4616 wrote to memory of 3848	4616	{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe	108
PID 3448 wrote to memory of 2328	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	110
PID 3448 wrote to memory of 2328	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	110
PID 3448 wrote to memory of 2328	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	110
PID 3448 wrote to memory of 2084	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	111
PID 3448 wrote to memory of 2084	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	111
PID 3448 wrote to memory of 2084	3448	{3A7E5068-C469-4256-847F-3A877D5618C0}.exe	111
PID 2328 wrote to memory of 4520	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	112
PID 2328 wrote to memory of 4520	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	112
PID 2328 wrote to memory of 4520	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	112
PID 2328 wrote to memory of 2936	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	113
PID 2328 wrote to memory of 2936	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	113
PID 2328 wrote to memory of 2936	2328	{877B5C9B-F17B-4a80-A618-960FC706910A}.exe	113
PID 4520 wrote to memory of 1804	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	117
PID 4520 wrote to memory of 1804	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	117
PID 4520 wrote to memory of 1804	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	117
PID 4520 wrote to memory of 4204	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	118
PID 4520 wrote to memory of 4204	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	118
PID 4520 wrote to memory of 4204	4520	{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe	118
PID 1804 wrote to memory of 2228	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	122
PID 1804 wrote to memory of 2228	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	122
PID 1804 wrote to memory of 2228	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	122
PID 1804 wrote to memory of 4828	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	123
PID 1804 wrote to memory of 4828	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	123
PID 1804 wrote to memory of 4828	1804	{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe	123
PID 2228 wrote to memory of 2320	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	124
PID 2228 wrote to memory of 2320	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	124
PID 2228 wrote to memory of 2320	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	124
PID 2228 wrote to memory of 4028	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	125
PID 2228 wrote to memory of 4028	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	125
PID 2228 wrote to memory of 4028	2228	{D5072DE6-9D33-4139-9774-455D92290107}.exe	125
PID 2320 wrote to memory of 4144	2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe	128
PID 2320 wrote to memory of 4144	2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe	128
PID 2320 wrote to memory of 4144	2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe	128
PID 2320 wrote to memory of 948	2320	{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe	129

C:\Users\Admin\AppData\Local\Temp\202405240740051a483ba3199f183a02f3e56439goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202405240740051a483ba3199f183a02f3e56439goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
  C:\Windows\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
    C:\Windows\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
      C:\Windows\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
        
        C:\Windows\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
        
        C:\Windows\{3A7E5068-C469-4256-847F-3A877D5618C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
        
        C:\Windows\{877B5C9B-F17B-4a80-A618-960FC706910A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
        
        C:\Windows\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
        
        C:\Windows\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{D5072DE6-9D33-4139-9774-455D92290107}.exe
        
        C:\Windows\{D5072DE6-9D33-4139-9774-455D92290107}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
        
        C:\Windows\{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
        
        C:\Windows\{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe
        
        C:\Windows\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9E6~1.EXE > nul
        13⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30BAE~1.EXE > nul
        12⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5072~1.EXE > nul
        11⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB63~1.EXE > nul
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FFAB~1.EXE > nul
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{877B5~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A7E5~1.EXE > nul
        7⤵
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7423~1.EXE > nul
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C11F~1.EXE > nul
        5⤵
        
        PID:732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F4D6~1.EXE > nul
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA1AD~1.EXE > nul
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21D35A2A-4AE2-49c8-9FEF-268B3D9B6DBB}.exe

Filesize
380KB

MD5
ff7e4fcb4f46eb9cc5a0ebe738456a0a

SHA1
d8ff5b88a13261c2d24c19e88fc9494e184c6fa2

SHA256
25f852788e0f4f3a826516aa1fa92f430f9511c2a5315c7fe69fadad34813902

SHA512
12071470f15ee623b6b24e8f1a207052fc3ae239b8d22916aab2a92050fb4836153555f5dc1f79af535a497b5eb7a444f5c20e4e5e53950f2beaf3ca48295f28

Download Submit
C:\Windows\{30BAEC5C-40CD-4677-9E06-F7862B75430D}.exe

Filesize
380KB

MD5
f5cf7611bdcc2e13f16cc0b2d9ff89d0

SHA1
553b383491bccbf2c63b2fb6988f323e2a57fa45

SHA256
e0064563a2bc8641aee687f4d140fa40b80dc8ea1c2e287e3d221bf62dec3eb4

SHA512
0df707072f79393b3cc29eb389bfbdff0de23e7add8907c48a08d4e6cd37c95611bc27a86ddc8a2074e7fab1bd766a718fd4da7c9a4e1c734b47ebee7c93c0b1

Download Submit
C:\Windows\{3A7E5068-C469-4256-847F-3A877D5618C0}.exe

Filesize
380KB

MD5
d9a81cba4d4dc1f455062f1112aad0b9

SHA1
fc4dba1d361bf0949196b0a5a3f21be89a35285b

SHA256
736bbc5711b555ffcbd8d12e1815416496a12a6460a958d121a595ce50500092

SHA512
29727e49f770bf1f87166298c82cc916209f5ec01debf9187156e0730ab81efdf7a9ffc54b9d53e95e322bf9fee80cc1850b304e898cd8f2e74f75408b8d97b1

Download Submit
C:\Windows\{3F4D69F8-9DFD-414c-B791-CC98CCA852FB}.exe

Filesize
380KB

MD5
cbcb5d57506bbdf0277b504925ce1878

SHA1
8cd9c95e95644215f4f1173ae99a2cb343c4d22b

SHA256
a8cf2cc61c07677b6994b9dc7b1c92317264afde199ccdb9a5a55f31a6917f99

SHA512
50acc7290534d749e6c5fd1dc8997d95b595eda6d037439e165495f2490ca7e95e2c8a4afe06adac114f4e11873614a68de081d0f6421cf721b86d72ca92836b

Download Submit
C:\Windows\{4C11F3BB-A155-4b1d-8C1B-FEB66044D0EA}.exe

Filesize
380KB

MD5
c4d325376ba4ce49ee2156367bf4c9f0

SHA1
08278ef83c087429317390ff245fd3d2665f6b69

SHA256
9c35ff63d73304928db357b455eef611772c807395063fb6e6d1666afbf39f40

SHA512
f92dfd21499e39a638596f41675a4d469581c0fa5080cf0c0f3c99e24b8d3c77dc85f947caeabef259987b79d7af3e39b21d6199597c6ce2e37dfdaa87e98e81

Download Submit
C:\Windows\{6BB63997-91ED-44ce-A627-BFD9FB87FC33}.exe

Filesize
380KB

MD5
2ae4c214beebbf262ae30eb67839b17a

SHA1
2c72feb446a21203b90d2771f093c655459b6377

SHA256
4e5b761787feb7d69e4009837b86ad1fc25eeab67b086663e7bfc3f91815c0df

SHA512
4c703c011a16cd730622df357303b22f4a1a8a4551069281cff38d591c5919973a896a99cc4b8a25eea157eea23d7ae3624832b8aa4e7a001d73c7ce978a3680

Download Submit
C:\Windows\{6FFAB9DE-CC61-4d54-9680-2322A9D1FD0B}.exe

Filesize
380KB

MD5
7460fad5db2dfb911331bfb697ac0516

SHA1
8c87471b486255c1a09471210fb8ffe76ba220dd

SHA256
c3a73d9140795839d0893ea03f514de4b79f655d3d3c7240d23ab5f411a97273

SHA512
8c21ee2edb9ce27314e35d4fdb958277f2e4d0ea4d972dee3ca3be90e7cd14c58a21f3e7763e14483481be374e1f45ed8b304f37ee56100cc0c58fb8d259b074

Download Submit
C:\Windows\{877B5C9B-F17B-4a80-A618-960FC706910A}.exe

Filesize
380KB

MD5
a4ea23e933ecac56c865b9985fcda665

SHA1
b749b54a23ab85996040b8f5f8f4110e6a406ad5

SHA256
a8886d8a3e9a01b646edae4bcfd07bb6633ab3840fedc69de4d59cbfc60418ba

SHA512
876e25dc83928cd5896713903b8790f6a9e98ab07def2ba7812ad3e9c19c6494df60565ed213a61997243bb5c1b379f9e46e08fa05510f91ee858c3df90745ed

Download Submit
C:\Windows\{AA1AD7C7-BD8E-4236-8D2F-E3A585F2A882}.exe

Filesize
380KB

MD5
bc5c4f7065df39db207ecfc46ccae484

SHA1
5d7fa19612e7d80a3d116c56700888271801cef1

SHA256
ea8915263b4ff6c392273d75f7a49af5f18c86b3b11b35b19ec00eca2194bca1

SHA512
a6217ab4e97d815b45dbe9bf7c81976b76824f8e7b50cc65844d75c6b4e9bab707da52a6097bc6ee7b368d2bdacf4ba2dbb28acfd315f2fc0180600d574d7696

Download Submit
C:\Windows\{D5072DE6-9D33-4139-9774-455D92290107}.exe

Filesize
380KB

MD5
61a1a34537c03783ff32d3f13677142a

SHA1
9c543b2c4f26b40a765eac9f2af61a743a3ad18d

SHA256
10286d05b0249285432dafa71bceaa6e2c2c2676c29b0132e4b15b0fd1fabde5

SHA512
29d01a0ab0447d93f068d49980923952ba7116929c29b5df3b1f7ca1aaf68feb7ed50acf26f89954c03687747447512e2d77d2a0e857b861579faad24b0bfa7a

Download Submit
C:\Windows\{D742320F-5AEF-46f2-81A7-B21D542EEDEB}.exe

Filesize
380KB

MD5
b6424798f3281f9c8ebf0ea1c152fdb0

SHA1
7f251ed27806ea8f138d19be25df2eec98f27ec5

SHA256
c7523e730d74ee74b352eb5de639290ea5aa7d6f08e474f9cf5a4b5fe981c888

SHA512
5e8ab6d3cd357c75788eb4a7b26fe2309437ee99290e3a0f740a5b7483a6a7d4195d3df013faa6b3914b8de051d68529cf469774b7ef6fdbbbf32a12813cd255

Download Submit
C:\Windows\{DD9E6610-4822-4398-88F0-C4033D41A48A}.exe

Filesize
380KB

MD5
807734152ecd50af271802e654a56552

SHA1
ad5ee6360c6a8867b131073b72945e48c5cbce36

SHA256
bbbd9fe7912b31392d6a70a7a6196985b896228e5e806925c153f5efcd3e13c9

SHA512
f80997cd0ea96c9f063f8d25cd6fb99df6f8dd35d14b0aa07c004f50bfe7fdfa93727dbf0e522e480dd61e800bff6e336a64755691f3a6096a171c96442576c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads