73b98c542eaab9224730019989cdc0388df96328a2bdec3f6ceb47f26ab6f87d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
Size

192KB
MD5

fe96edf5822bcf7cf457246e499dab45
SHA1

1d9d5863657b95ecb547c85eed1e9c6a2bc00636
SHA256

73b98c542eaab9224730019989cdc0388df96328a2bdec3f6ceb47f26ab6f87d
SHA512

b6d30286e6016871c73594f548e23924f7ef48b92637ed3d7a245d7ab047dca81f1a1b172ea7066a88bee2db097c8ed9297ab82aa56da490e9ed666e0c2431c4
SSDEEP

1536:1EGh0oECl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oECl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}	{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}\stubpath = "C:\\Windows\\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe"	{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}\stubpath = "C:\\Windows\\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe"	{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}\stubpath = "C:\\Windows\\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe"	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}\stubpath = "C:\\Windows\\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe"	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4DD4BE-1C51-4847-A599-894425A0114A}	{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}\stubpath = "C:\\Windows\\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe"	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}\stubpath = "C:\\Windows\\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe"	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}	{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}\stubpath = "C:\\Windows\\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe"	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}\stubpath = "C:\\Windows\\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe"	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}\stubpath = "C:\\Windows\\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe"	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}\stubpath = "C:\\Windows\\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe"	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B4DD4BE-1C51-4847-A599-894425A0114A}\stubpath = "C:\\Windows\\{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe"	{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
2704	{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
1580	{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
2672	{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe
604	{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
File created	C:\Windows\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
File created	C:\Windows\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
File created	C:\Windows\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
File created	C:\Windows\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
File created	C:\Windows\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
File created	C:\Windows\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
File created	C:\Windows\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
File created	C:\Windows\{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe	{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
File created	C:\Windows\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe	{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
File created	C:\Windows\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe	{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
Token: SeIncBasePriorityPrivilege	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
Token: SeIncBasePriorityPrivilege	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
Token: SeIncBasePriorityPrivilege	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
Token: SeIncBasePriorityPrivilege	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
Token: SeIncBasePriorityPrivilege	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
Token: SeIncBasePriorityPrivilege	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
Token: SeIncBasePriorityPrivilege	2704	{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
Token: SeIncBasePriorityPrivilege	1580	{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
Token: SeIncBasePriorityPrivilege	2672	{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3056	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	28
PID 2852 wrote to memory of 3056	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	28
PID 2852 wrote to memory of 3056	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	28
PID 2852 wrote to memory of 3056	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	28
PID 2852 wrote to memory of 2632	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	29
PID 2852 wrote to memory of 2632	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	29
PID 2852 wrote to memory of 2632	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	29
PID 2852 wrote to memory of 2632	2852	2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe	29
PID 3056 wrote to memory of 2600	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	30
PID 3056 wrote to memory of 2600	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	30
PID 3056 wrote to memory of 2600	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	30
PID 3056 wrote to memory of 2600	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	30
PID 3056 wrote to memory of 2720	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	31
PID 3056 wrote to memory of 2720	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	31
PID 3056 wrote to memory of 2720	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	31
PID 3056 wrote to memory of 2720	3056	{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe	31
PID 2600 wrote to memory of 2988	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	34
PID 2600 wrote to memory of 2988	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	34
PID 2600 wrote to memory of 2988	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	34
PID 2600 wrote to memory of 2988	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	34
PID 2600 wrote to memory of 2164	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	35
PID 2600 wrote to memory of 2164	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	35
PID 2600 wrote to memory of 2164	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	35
PID 2600 wrote to memory of 2164	2600	{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe	35
PID 2988 wrote to memory of 684	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	36
PID 2988 wrote to memory of 684	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	36
PID 2988 wrote to memory of 684	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	36
PID 2988 wrote to memory of 684	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	36
PID 2988 wrote to memory of 1052	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	37
PID 2988 wrote to memory of 1052	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	37
PID 2988 wrote to memory of 1052	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	37
PID 2988 wrote to memory of 1052	2988	{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe	37
PID 684 wrote to memory of 2832	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	38
PID 684 wrote to memory of 2832	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	38
PID 684 wrote to memory of 2832	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	38
PID 684 wrote to memory of 2832	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	38
PID 684 wrote to memory of 2820	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	39
PID 684 wrote to memory of 2820	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	39
PID 684 wrote to memory of 2820	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	39
PID 684 wrote to memory of 2820	684	{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe	39
PID 2832 wrote to memory of 748	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	40
PID 2832 wrote to memory of 748	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	40
PID 2832 wrote to memory of 748	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	40
PID 2832 wrote to memory of 748	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	40
PID 2832 wrote to memory of 976	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	41
PID 2832 wrote to memory of 976	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	41
PID 2832 wrote to memory of 976	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	41
PID 2832 wrote to memory of 976	2832	{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe	41
PID 748 wrote to memory of 1836	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	42
PID 748 wrote to memory of 1836	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	42
PID 748 wrote to memory of 1836	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	42
PID 748 wrote to memory of 1836	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	42
PID 748 wrote to memory of 1520	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	43
PID 748 wrote to memory of 1520	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	43
PID 748 wrote to memory of 1520	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	43
PID 748 wrote to memory of 1520	748	{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe	43
PID 1836 wrote to memory of 2704	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	44
PID 1836 wrote to memory of 2704	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	44
PID 1836 wrote to memory of 2704	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	44
PID 1836 wrote to memory of 2704	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	44
PID 1836 wrote to memory of 2460	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	45
PID 1836 wrote to memory of 2460	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	45
PID 1836 wrote to memory of 2460	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	45
PID 1836 wrote to memory of 2460	1836	{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_fe96edf5822bcf7cf457246e499dab45_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
  C:\Windows\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
    C:\Windows\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
      C:\Windows\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
        
        C:\Windows\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
        
        C:\Windows\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
        
        C:\Windows\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
        
        C:\Windows\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
        
        C:\Windows\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
        
        C:\Windows\{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe
        
        C:\Windows\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe
        
        C:\Windows\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe
        12⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6016B~1.EXE > nul
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B4DD~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F6C~1.EXE > nul
        10⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D73~1.EXE > nul
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F93FF~1.EXE > nul
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F4BA~1.EXE > nul
        7⤵
        
        PID:976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9291D~1.EXE > nul
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6A6~1.EXE > nul
        5⤵
        
        PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6E01~1.EXE > nul
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F4EF~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F4BAE36-49DC-4af5-8E79-C7E336F9D2DC}.exe

Filesize
192KB

MD5
688d23f0ab8faa7dea9478069938e596

SHA1
35311677560173197aab4a6b621d64a1609ff7c0

SHA256
0f8713692862d5a617be187646e2f98bfabf1197de2d42680908be6ab02979a9

SHA512
70e8cd2dd2aba235fa02251dbf852b7576531f5db1561c3d72d4a5e288b7c0217ceb482c1fe42a76f88db06b25dad557aff2c4c94af5496939cf0242b2119c09

Download Submit
C:\Windows\{3B4DD4BE-1C51-4847-A599-894425A0114A}.exe

Filesize
192KB

MD5
b4822655fdace2f54754bcc7b7bd6e63

SHA1
d72929c79e3c947bfe380f943e5b8d31f442d546

SHA256
2d786a2abb3dbc2cc1dabce8d94f3ba5b7e70a649a0b429e02d544a02fcb5592

SHA512
1f687a481938e6fb87f6faa1c83dafdab9205ff1ab6df2d903b9a83dd3f205602d9498e16cf8ae6163a0f463d0aa8f699fd2d3c70236f1f86077351e14c5a82a

Download Submit
C:\Windows\{4F4EF1B5-5DD7-4f47-9D38-03A6DE9A1336}.exe

Filesize
192KB

MD5
4d6b381c43c409f76b1b130e2ff74b28

SHA1
4374bd58388f40ec26d4855d4595873110a120f0

SHA256
861c14f7f26c5743213f46fbc7e60c73d59b17c56120efbf1e029ef34409b4c4

SHA512
cfac5c7cc197315fefe70c593977a55d193624fdf64609aed6ce1e7f9ee4989cfe0bb9309f72cb171f402b9149eade220a0fb1261c243724f708fc2ad160cbd6

Download Submit
C:\Windows\{6016BD0A-CDB3-4f02-9CE5-B3080304B258}.exe

Filesize
192KB

MD5
235edc450cf1b972f95b8d4018785be7

SHA1
e20186d6b3315b0c76db604c68bdbbf74a755399

SHA256
3a00d070a1b88337117a371ed6fa335098bd0e01869263e2d63df18cb49b830c

SHA512
6b09c7f90a396fac1dce0a9f0c5352fe385fbd6dfd0b8b57d69c13ec68324ad46f1bd88ff4497f1c83cfabcb47db5e39ab69b45a0d9fe9895c806dda7d4c71f9

Download Submit
C:\Windows\{78F6CC49-F1F7-43a1-8CE8-2450F6F3683F}.exe

Filesize
192KB

MD5
23fe4c21599c107f490b76dd0b1a7883

SHA1
ecaccd7633da52d15e5ded1fb17e6019770512d1

SHA256
1c2740a8d299836090787c29eab76497fd3b369085a62278a977d8beb7267db8

SHA512
6652e764bbd01ea28aeeae31c0501933ae564a75467f83ce0873dd838dcdc4c4828b753af3e073e9613b65580a72055812bdc11ee6b4ad15ef1ccbe3e7548219

Download Submit
C:\Windows\{7E6A6A63-7B76-4fba-B4E2-DB0619A84CBE}.exe

Filesize
192KB

MD5
9dec3018eff420cac5da2e48435efc0b

SHA1
a5090d88a4a0b619d5a3c530dd9bbc89807cc6d4

SHA256
6c951d6baf96075e2ce3ad1345115139fcde89d1dabeecbb53dcbd55ada6f18a

SHA512
9bc5814a516ac30b0aa98eb65befb6b50e2e2b80803b42c3aad0f3240972ae6287c85c8e4a95060280322ea6aa1e193350d638b92f896ede536d5a4f8d9c9ccd

Download Submit
C:\Windows\{90E09FCF-FBF7-40a7-B38D-CD41856C558F}.exe

Filesize
192KB

MD5
6d876e92da74f8002295ee5a36610f06

SHA1
c6109a216e01616ac428c623396356552797eef1

SHA256
2f9a74032209e185ebe8d94104e1e4d524253a1f936d61b895a5454469afa9b5

SHA512
fe8d91b4d10e12a97d1794fd745ab405c6a4b8ea91df05d39226957610aa0022f66b702d3aceaf38596cec6130f89e146bc518beb3e0421a9b4003f7e04116c9

Download Submit
C:\Windows\{9291D39D-BAA9-4dd1-8C34-826CA8B2002E}.exe

Filesize
192KB

MD5
787e455c6516bc47b199f2f4bbeda976

SHA1
69a50d6c3794bad39a8c9c55178ac417b4c9b93d

SHA256
da79bc1e5392d17fc19ca10b5534a6d9382807670f5e969e7f50d83753d8dd43

SHA512
f740fb2659db7caeb5814dae910ef1935f02cbca0c9ce06650fe693d0ee7f24abd80c50131ae55d7ab4a8eddf807416c471ceb106dd079a05dcd56a47ad1b522

Download Submit
C:\Windows\{D7D73E12-8B52-4813-A0E1-AC3B7195EA24}.exe

Filesize
192KB

MD5
d149441540caa03f78d48c49b4c05c56

SHA1
e9921ba20b00e3d9467bca5a05b0f040d0886742

SHA256
f96a433307f3cc470f1e3dc24a3de69ccfb7d1a67a0153d42bf4f4304bbb522e

SHA512
5d01e5200a07edf2bebcf870b78451ae107ec21379f9f4a20d20c5b95576c366244046e4f5f9fd701d3e7f52104a39ec67c604921980f7c8c85d6c55d419b057

Download Submit
C:\Windows\{F6E0182D-E637-4b75-8838-F72E8A4DF6F0}.exe

Filesize
192KB

MD5
3fa46e3ed1de91ecb981b3c19d404d65

SHA1
4aa702db1bfa4f690de9591d21c119aa412d4181

SHA256
5d074ee16c5e7f4c00c334e2724ba03474478f21fd9c60ddefa550867b75d395

SHA512
7d95a5094d09e98f21a03d9dc1c119a242543be65fbe010667d4e9e3c715c2e092857753fd2c6b1ccea45049ce74ca0042ed0a5943596be89335db86ec866498

Download Submit
C:\Windows\{F93FF047-2195-48e5-BB51-CFB30AE08AF5}.exe

Filesize
192KB

MD5
9509c0a25c52a98ca49af978f62fea15

SHA1
e94ba3f4b4d33c183d562706130eb41d6a9c974b

SHA256
d0972e82b9a0ae6018ea165388915ce1b017f3e6763074fdb15e2ab1e0091395

SHA512
b834f53b198f128a21ac9b78d243d1593894134eadd420bafeba5934d93d1c6f0d22320d1c375b95b8879d4b208fafd471a1b3fd258808328eedd5743f9f575e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads