ccd1aa4f26b33be9ebfb8b66db9190f9512c8303cebefcfde469e2774f727f51

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Size

344KB
MD5

975f1c7d711db0e3636490b02189b018
SHA1

225339848712eb1d7de00806a9203950a1976c45
SHA256

ccd1aa4f26b33be9ebfb8b66db9190f9512c8303cebefcfde469e2774f727f51
SHA512

c8ed086793e54ce84266dd89ee7fc01e12750a34a8811b71eaa5400c49cbdad0a88c6a5be311891dedbbeca10fd62136174b21d321e32644cb23393d4425feba
SSDEEP

3072:mEGh0o5lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0421E334-8B90-4930-8E2C-F86976569697}\stubpath = "C:\\Windows\\{0421E334-8B90-4930-8E2C-F86976569697}.exe"	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41464CBB-E776-4d73-8203-1EA39C3EFD75}	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16602923-4F50-4fee-8481-491C4E6633D0}\stubpath = "C:\\Windows\\{16602923-4F50-4fee-8481-491C4E6633D0}.exe"	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}\stubpath = "C:\\Windows\\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe"	{16602923-4F50-4fee-8481-491C4E6633D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}\stubpath = "C:\\Windows\\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe"	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EE76DE-B691-416c-B7D8-9625843563B0}\stubpath = "C:\\Windows\\{03EE76DE-B691-416c-B7D8-9625843563B0}.exe"	{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48670D49-56AF-4763-8489-1FBB59B34F69}	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}	{16602923-4F50-4fee-8481-491C4E6633D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}	{0421E334-8B90-4930-8E2C-F86976569697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}\stubpath = "C:\\Windows\\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe"	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48670D49-56AF-4763-8489-1FBB59B34F69}\stubpath = "C:\\Windows\\{48670D49-56AF-4763-8489-1FBB59B34F69}.exe"	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}\stubpath = "C:\\Windows\\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe"	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C803F1A-8D70-45ba-8C88-93F079A25E98}	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C803F1A-8D70-45ba-8C88-93F079A25E98}\stubpath = "C:\\Windows\\{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe"	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EE76DE-B691-416c-B7D8-9625843563B0}	{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}\stubpath = "C:\\Windows\\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe"	{0421E334-8B90-4930-8E2C-F86976569697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41464CBB-E776-4d73-8203-1EA39C3EFD75}\stubpath = "C:\\Windows\\{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe"	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}\stubpath = "C:\\Windows\\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe"	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16602923-4F50-4fee-8481-491C4E6633D0}	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0421E334-8B90-4930-8E2C-F86976569697}	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe

Executes dropped EXE 12 IoCs

pid	Process
2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe
3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe
1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
4468	{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
3840	{03EE76DE-B691-416c-B7D8-9625843563B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
File created	C:\Windows\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	{16602923-4F50-4fee-8481-491C4E6633D0}.exe
File created	C:\Windows\{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
File created	C:\Windows\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
File created	C:\Windows\{16602923-4F50-4fee-8481-491C4E6633D0}.exe	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
File created	C:\Windows\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
File created	C:\Windows\{0421E334-8B90-4930-8E2C-F86976569697}.exe	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
File created	C:\Windows\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe	{0421E334-8B90-4930-8E2C-F86976569697}.exe
File created	C:\Windows\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
File created	C:\Windows\{03EE76DE-B691-416c-B7D8-9625843563B0}.exe	{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
File created	C:\Windows\{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
File created	C:\Windows\{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
Token: SeIncBasePriorityPrivilege	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
Token: SeIncBasePriorityPrivilege	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
Token: SeIncBasePriorityPrivilege	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
Token: SeIncBasePriorityPrivilege	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
Token: SeIncBasePriorityPrivilege	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe
Token: SeIncBasePriorityPrivilege	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
Token: SeIncBasePriorityPrivilege	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
Token: SeIncBasePriorityPrivilege	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe
Token: SeIncBasePriorityPrivilege	1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
Token: SeIncBasePriorityPrivilege	4468	{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2528	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	88
PID 3580 wrote to memory of 2528	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	88
PID 3580 wrote to memory of 2528	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	88
PID 3580 wrote to memory of 1364	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	89
PID 3580 wrote to memory of 1364	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	89
PID 3580 wrote to memory of 1364	3580	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	89
PID 2528 wrote to memory of 436	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	90
PID 2528 wrote to memory of 436	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	90
PID 2528 wrote to memory of 436	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	90
PID 2528 wrote to memory of 2456	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	91
PID 2528 wrote to memory of 2456	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	91
PID 2528 wrote to memory of 2456	2528	{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe	91
PID 436 wrote to memory of 2224	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	94
PID 436 wrote to memory of 2224	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	94
PID 436 wrote to memory of 2224	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	94
PID 436 wrote to memory of 1556	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	95
PID 436 wrote to memory of 1556	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	95
PID 436 wrote to memory of 1556	436	{48670D49-56AF-4763-8489-1FBB59B34F69}.exe	95
PID 2224 wrote to memory of 2008	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	96
PID 2224 wrote to memory of 2008	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	96
PID 2224 wrote to memory of 2008	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	96
PID 2224 wrote to memory of 1272	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	97
PID 2224 wrote to memory of 1272	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	97
PID 2224 wrote to memory of 1272	2224	{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe	97
PID 2008 wrote to memory of 3868	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	98
PID 2008 wrote to memory of 3868	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	98
PID 2008 wrote to memory of 3868	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	98
PID 2008 wrote to memory of 4304	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	99
PID 2008 wrote to memory of 4304	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	99
PID 2008 wrote to memory of 4304	2008	{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe	99
PID 3868 wrote to memory of 4092	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	100
PID 3868 wrote to memory of 4092	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	100
PID 3868 wrote to memory of 4092	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	100
PID 3868 wrote to memory of 3844	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	101
PID 3868 wrote to memory of 3844	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	101
PID 3868 wrote to memory of 3844	3868	{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe	101
PID 4092 wrote to memory of 3288	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	102
PID 4092 wrote to memory of 3288	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	102
PID 4092 wrote to memory of 3288	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	102
PID 4092 wrote to memory of 3328	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	103
PID 4092 wrote to memory of 3328	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	103
PID 4092 wrote to memory of 3328	4092	{16602923-4F50-4fee-8481-491C4E6633D0}.exe	103
PID 3288 wrote to memory of 4652	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	104
PID 3288 wrote to memory of 4652	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	104
PID 3288 wrote to memory of 4652	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	104
PID 3288 wrote to memory of 3300	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	105
PID 3288 wrote to memory of 3300	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	105
PID 3288 wrote to memory of 3300	3288	{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe	105
PID 4652 wrote to memory of 3628	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	106
PID 4652 wrote to memory of 3628	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	106
PID 4652 wrote to memory of 3628	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	106
PID 4652 wrote to memory of 4012	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	107
PID 4652 wrote to memory of 4012	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	107
PID 4652 wrote to memory of 4012	4652	{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe	107
PID 3628 wrote to memory of 1392	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	108
PID 3628 wrote to memory of 1392	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	108
PID 3628 wrote to memory of 1392	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	108
PID 3628 wrote to memory of 1540	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	109
PID 3628 wrote to memory of 1540	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	109
PID 3628 wrote to memory of 1540	3628	{0421E334-8B90-4930-8E2C-F86976569697}.exe	109
PID 1392 wrote to memory of 4468	1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe	110
PID 1392 wrote to memory of 4468	1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe	110
PID 1392 wrote to memory of 4468	1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe	110
PID 1392 wrote to memory of 516	1392	{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
  C:\Windows\{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
    C:\Windows\{48670D49-56AF-4763-8489-1FBB59B34F69}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
      C:\Windows\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
        
        C:\Windows\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
        
        C:\Windows\{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{16602923-4F50-4fee-8481-491C4E6633D0}.exe
        
        C:\Windows\{16602923-4F50-4fee-8481-491C4E6633D0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
        
        C:\Windows\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
        
        C:\Windows\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{0421E334-8B90-4930-8E2C-F86976569697}.exe
        
        C:\Windows\{0421E334-8B90-4930-8E2C-F86976569697}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
        
        C:\Windows\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
        
        C:\Windows\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\{03EE76DE-B691-416c-B7D8-9625843563B0}.exe
        
        C:\Windows\{03EE76DE-B691-416c-B7D8-9625843563B0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06645~1.EXE > nul
        13⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB3FD~1.EXE > nul
        12⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0421E~1.EXE > nul
        11⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07E38~1.EXE > nul
        10⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08E85~1.EXE > nul
        9⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16602~1.EXE > nul
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C803~1.EXE > nul
        7⤵
        
        PID:3844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FFCD~1.EXE > nul
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B942E~1.EXE > nul
        5⤵
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48670~1.EXE > nul
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41464~1.EXE > nul
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03EE76DE-B691-416c-B7D8-9625843563B0}.exe

Filesize
344KB

MD5
0183f86ef3347575a4641febf8d71659

SHA1
86f0e6c6a76430dd8d0a13f98be51c331e8c5b76

SHA256
732ca9d5c0b8873ffda1557bcbce7df84f2b2505bfa099ae3c53bbfc71b6dfd3

SHA512
3aab14796773cbd1182779a9ecf46a69b69610439432bbb4fad04e8d97ed4259d1be49c9b479dca7e4f888867a4aef39f1cad63705189c37b045ad8e04dc9032

Download Submit
C:\Windows\{0421E334-8B90-4930-8E2C-F86976569697}.exe

Filesize
344KB

MD5
fe11ce34d4149386a3036b49fa28b501

SHA1
f50005a7fca534655d235c66854a65aa38c1e31d

SHA256
6e8b99d4122645c2f9d323785a4c66a3c17449e0d6fc0f43a51a671123eab59b

SHA512
aadf1bf46e97062a4449775babafd0496fa6831b539ea6ff6bbdd93e98e7e24c4885ac26b03b3cdb3e2919cd0387246bcf813b9c6590c8a39d3c2888ea3ffbc3

Download Submit
C:\Windows\{0664552B-ECF2-4112-8F79-642E9F0F4F3A}.exe

Filesize
344KB

MD5
391146487e6a51e4b622b104326396be

SHA1
5ed8f5c88a9743e53c3554554195d0f5cd9f79d1

SHA256
3e1c08c9f8fa753fb1b05620b3f1ba75223b779217202d7f231603672cfee122

SHA512
e6acd46513a3fefed887382c04ceff6daee019bcacb410cfc4c6cab3a1e5d3879d9702df953404afceeb82b7c807cd318ba25855b9d83b9729523d983f398bee

Download Submit
C:\Windows\{07E3860A-3ACD-428f-A933-6EF1E4B1E920}.exe

Filesize
344KB

MD5
5385182cc11db5ec19da7718365f0bf0

SHA1
a34ff2a57c78e788b17fd41ceae76de6a2d8bacc

SHA256
7aa326b5854d09358df1c63c2d033d51f9551d69ce77f59fd1ee51cd481c7b1d

SHA512
4f5d083d4232a27522cbb62b5f129c7818f269082845d7252dcee45cbf73b6cd8626b49789f1fda5fbdf1ec57da37b29f403313f4e544902a9ebc9fcca032910

Download Submit
C:\Windows\{08E8569E-B5A1-4844-88A0-95CD3C0D334A}.exe

Filesize
344KB

MD5
41ff4ca2820243a3f87954493c5bcc55

SHA1
0e99ee1d72938bc8b5bf87dd0d6be860254987fc

SHA256
c6af34221b2f30eedf04a383e1c45f79eb1512296bb809388d5edcd3e60058b7

SHA512
5c8f7b91e18c6a9021d396e4bfbb73240b404abec10768908bfc2b6d802e43eb8d6a746254ce0bba02a2fa40cb11df912fbdd2f5fa8069ea9dfe2e83d41711b0

Download Submit
C:\Windows\{0C803F1A-8D70-45ba-8C88-93F079A25E98}.exe

Filesize
344KB

MD5
6e22117e684d9263a17c402114a57b30

SHA1
40bc9934f75f8c7324d115d83624b63ecf3c41e8

SHA256
1546d5b212e15ed4e0c5dae486b7c875891be14bb7c769249aeee4a1a69f6bd0

SHA512
0c6c47ca764a39b06d0cc57c4d86d1e0360947eb1dc52fb8d536362a2627d0c48309b83753f1d3fcb07da2c0e084b4d09a80c88856d94fd359297ac1aa05048a

Download Submit
C:\Windows\{16602923-4F50-4fee-8481-491C4E6633D0}.exe

Filesize
344KB

MD5
11e6a20582080f3bb7d531fe61632a6a

SHA1
0089ae8a4e6db161a67fa4f4cc39fd2ccee515ae

SHA256
7f4520fe9134fa27f837295ac915033f31bd51d8ed21fa82802fa1f4da594e6d

SHA512
e10575baacc0c0c3e5a3b39bb67b7c75a696413bdad6d383dece25302d458dd3e6e4956241f02b69e52b11cb75c495d110521ef55c9f4321cc87892b2cb95989

Download Submit
C:\Windows\{41464CBB-E776-4d73-8203-1EA39C3EFD75}.exe

Filesize
344KB

MD5
0883ba2cad9d5a21dc78b1aed7f8d226

SHA1
1c40fdf29ab87ddaa51f95da104c747efe3a53c2

SHA256
fe52a2d42ccf93fc7cf69d7739a1f0d366183e1d90b9fa17b9699a4fdc04e2f2

SHA512
cc889311b683a2e049e291cfbea4c3d4504ad4cf3d490027d31cfb1a8ae59bad97ba8696cb32938c2ed4f6e7600f368b8d4ef64ccf15f88919d4ffd3cfcf5eb6

Download Submit
C:\Windows\{48670D49-56AF-4763-8489-1FBB59B34F69}.exe

Filesize
344KB

MD5
147181715c1b32e550ed58e406905dc5

SHA1
ce876f87757145bdfa245b8b51dda262150e5eb2

SHA256
2ef8644c529f0a36e14ac84c75f8ace7be7e1e5ab2b6257765dff4407673d5aa

SHA512
9ee3b22517471f6e64d48a2ce434a90d5ac2fd156ce05140dd574ace61ffcf36defe4120d62ffeed4a8c0e8d6824663e1691c0b1b2765e75795ef48ddc4a8852

Download Submit
C:\Windows\{5FFCDE39-45B3-40d7-ACC2-CBF98C91821D}.exe

Filesize
344KB

MD5
e9dd91ce05b186e5cf8537973661e340

SHA1
887517318180a30ea3e27d7e801501819a539c34

SHA256
b5df4ad7c62094b585aec962d5b9dca8295663b3365f5f8092297077d60f6c00

SHA512
0f1517d24b57cf19fe4adf58f03ebbc782e03751df3a3dc1b4397b4a75888f55d66f97a2b07f080101a3f161bea0046254ba726cc41357521aecf03b18022280

Download Submit
C:\Windows\{B942EEBF-64AF-4ca5-86E5-F4474FBA7F8E}.exe

Filesize
344KB

MD5
a9fb715d68f61db272db7c7cfce729fa

SHA1
1aa3787097c29a871523594ff59d84c63a279b7b

SHA256
86b6d47117d815eda2b8ce2c7926547c3c943043e2da633aa0f7bfacf23469ca

SHA512
ae7bcb8d6d99a6a117001b482e287e5fe6b566ad8138a2c85b8ca697dfff4157f4747ec67751c36649008d13bf92a72572f3f7a6112da1a083b6ad75655a3133

Download Submit
C:\Windows\{CB3FDB1D-96BB-4b39-92A1-FD5B2110025C}.exe

Filesize
344KB

MD5
8a8beee1994f0946683180b851155805

SHA1
f3b9255b9b29ad9e0e3d4831f109896c6252f3ca

SHA256
90534ca5483a7ee473ddde586054fe212a1ad8a5bd81638c602cb936d3aa113e

SHA512
fb2a0e48d11943ab0bc095cb17176135e5da5473c585fe1e56083d21c2d316f3ec734290e9c875e9414541482d6edf54227e3164872944ffb1f378d6bd841f7a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads