679668450e11539b95be483adc6f19e9f095d17b2c2f917d38248388059601a1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Size

380KB
MD5

f200c57927c7b4539e2364139d927063
SHA1

a2c884ccee6337877a10974c8749b7bfafe41bcd
SHA256

679668450e11539b95be483adc6f19e9f095d17b2c2f917d38248388059601a1
SHA512

adc5fa926d42993a52050f07745e0dbbf55bd81384054fe030af00cb022a5cce2b56ce1cf7a0170b6ac0385670e4a845b214f21a4fb30a15e9d8673008f8fbd4
SSDEEP

3072:mEGh0oGlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGol7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}\stubpath = "C:\\Windows\\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe"	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73EE73B9-93E8-4bab-9341-5A8DCA878795}	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}\stubpath = "C:\\Windows\\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe"	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D3D8A3-838F-42a8-9506-210B6BD86D87}	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0804E272-DD17-4e55-8550-C330E51D1CF7}\stubpath = "C:\\Windows\\{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe"	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0804E272-DD17-4e55-8550-C330E51D1CF7}	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}\stubpath = "C:\\Windows\\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe"	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4870960-9B49-48f9-8F41-CE0785A97115}	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}\stubpath = "C:\\Windows\\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe"	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D3D8A3-838F-42a8-9506-210B6BD86D87}\stubpath = "C:\\Windows\\{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe"	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}\stubpath = "C:\\Windows\\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe"	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}\stubpath = "C:\\Windows\\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe"	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}\stubpath = "C:\\Windows\\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe"	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4870960-9B49-48f9-8F41-CE0785A97115}\stubpath = "C:\\Windows\\{F4870960-9B49-48f9-8F41-CE0785A97115}.exe"	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73EE73B9-93E8-4bab-9341-5A8DCA878795}\stubpath = "C:\\Windows\\{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe"	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D724A34-4718-4db8-A8F7-88F240119D5E}	{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D724A34-4718-4db8-A8F7-88F240119D5E}\stubpath = "C:\\Windows\\{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe"	{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
4220	{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe
2760	{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
File created	C:\Windows\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
File created	C:\Windows\{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
File created	C:\Windows\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
File created	C:\Windows\{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
File created	C:\Windows\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
File created	C:\Windows\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
File created	C:\Windows\{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe	{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe
File created	C:\Windows\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
File created	C:\Windows\{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
File created	C:\Windows\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
File created	C:\Windows\{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
Token: SeIncBasePriorityPrivilege	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
Token: SeIncBasePriorityPrivilege	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
Token: SeIncBasePriorityPrivilege	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
Token: SeIncBasePriorityPrivilege	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
Token: SeIncBasePriorityPrivilege	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
Token: SeIncBasePriorityPrivilege	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
Token: SeIncBasePriorityPrivilege	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
Token: SeIncBasePriorityPrivilege	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
Token: SeIncBasePriorityPrivilege	3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
Token: SeIncBasePriorityPrivilege	4220	{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2712	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	96
PID 2304 wrote to memory of 2712	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	96
PID 2304 wrote to memory of 2712	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	96
PID 2304 wrote to memory of 4804	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	97
PID 2304 wrote to memory of 4804	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	97
PID 2304 wrote to memory of 4804	2304	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	97
PID 2712 wrote to memory of 1060	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	98
PID 2712 wrote to memory of 1060	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	98
PID 2712 wrote to memory of 1060	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	98
PID 2712 wrote to memory of 4232	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	99
PID 2712 wrote to memory of 4232	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	99
PID 2712 wrote to memory of 4232	2712	{F4870960-9B49-48f9-8F41-CE0785A97115}.exe	99
PID 1060 wrote to memory of 3124	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	103
PID 1060 wrote to memory of 3124	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	103
PID 1060 wrote to memory of 3124	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	103
PID 1060 wrote to memory of 3148	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	104
PID 1060 wrote to memory of 3148	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	104
PID 1060 wrote to memory of 3148	1060	{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe	104
PID 3124 wrote to memory of 3236	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	105
PID 3124 wrote to memory of 3236	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	105
PID 3124 wrote to memory of 3236	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	105
PID 3124 wrote to memory of 1864	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	106
PID 3124 wrote to memory of 1864	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	106
PID 3124 wrote to memory of 1864	3124	{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe	106
PID 3236 wrote to memory of 456	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	107
PID 3236 wrote to memory of 456	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	107
PID 3236 wrote to memory of 456	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	107
PID 3236 wrote to memory of 3620	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	108
PID 3236 wrote to memory of 3620	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	108
PID 3236 wrote to memory of 3620	3236	{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe	108
PID 456 wrote to memory of 1448	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	110
PID 456 wrote to memory of 1448	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	110
PID 456 wrote to memory of 1448	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	110
PID 456 wrote to memory of 412	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	111
PID 456 wrote to memory of 412	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	111
PID 456 wrote to memory of 412	456	{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe	111
PID 1448 wrote to memory of 5040	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	112
PID 1448 wrote to memory of 5040	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	112
PID 1448 wrote to memory of 5040	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	112
PID 1448 wrote to memory of 1408	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	113
PID 1448 wrote to memory of 1408	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	113
PID 1448 wrote to memory of 1408	1448	{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe	113
PID 5040 wrote to memory of 5016	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	116
PID 5040 wrote to memory of 5016	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	116
PID 5040 wrote to memory of 5016	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	116
PID 5040 wrote to memory of 5000	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	117
PID 5040 wrote to memory of 5000	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	117
PID 5040 wrote to memory of 5000	5040	{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe	117
PID 5016 wrote to memory of 4992	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	122
PID 5016 wrote to memory of 4992	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	122
PID 5016 wrote to memory of 4992	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	122
PID 5016 wrote to memory of 3684	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	123
PID 5016 wrote to memory of 3684	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	123
PID 5016 wrote to memory of 3684	5016	{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe	123
PID 4992 wrote to memory of 3012	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	124
PID 4992 wrote to memory of 3012	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	124
PID 4992 wrote to memory of 3012	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	124
PID 4992 wrote to memory of 4816	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	125
PID 4992 wrote to memory of 4816	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	125
PID 4992 wrote to memory of 4816	4992	{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe	125
PID 3012 wrote to memory of 4220	3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe	128
PID 3012 wrote to memory of 4220	3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe	128
PID 3012 wrote to memory of 4220	3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe	128
PID 3012 wrote to memory of 3260	3012	{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
  C:\Windows\{F4870960-9B49-48f9-8F41-CE0785A97115}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
    C:\Windows\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
      C:\Windows\{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
        
        C:\Windows\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
        
        C:\Windows\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
        
        C:\Windows\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
        
        C:\Windows\{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
        
        C:\Windows\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
        
        C:\Windows\{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
        
        C:\Windows\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe
        
        C:\Windows\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe
        
        C:\Windows\{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D78F9~1.EXE > nul
        13⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{545F3~1.EXE > nul
        12⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0804E~1.EXE > nul
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A219~1.EXE > nul
        10⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D3D~1.EXE > nul
        9⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A3C~1.EXE > nul
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D429~1.EXE > nul
        7⤵
        
        PID:412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6858~1.EXE > nul
        6⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73EE7~1.EXE > nul
        5⤵
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F3F6~1.EXE > nul
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4870~1.EXE > nul
    3⤵
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0804E272-DD17-4e55-8550-C330E51D1CF7}.exe

Filesize
380KB

MD5
223abb33b8f0850034a58e704bdc25a6

SHA1
2722d84a64aeb99d5aa128ff8cf899fe47c240a1

SHA256
9dcb6efadbc6d01e3d39d9d430df954336b340d32485095b2a02c2ae3e0aed5e

SHA512
53fc9dd1904db76b32deb407616fd38b059c0365dc5dad34decb80c2e7c7b1003476c8f3485fcc266fefa81ab5f4f53aa5c28fd3bcfb2502d75fc8dbaf677f5a

Download Submit
C:\Windows\{1F3F6AD2-F461-4437-AE84-2B6C40CBEA1A}.exe

Filesize
380KB

MD5
ed8dba607b06b9521ad0a3bc0dd668fe

SHA1
9c37ec6388f5d97f4abc0b3b9bf220c138f69d24

SHA256
3386e9efc1909e0b3696d2e3e80d8e572062045329bb4cc33d20147ceeda0564

SHA512
727b91baa59ec34b2672fbe89fdfa03b6a0a4006597d412508f2fbeca738cf8081b3961eafcd7103c08a4d4315e3bf3a52a203c3f10ae868e3ad0a22e7ed0d96

Download Submit
C:\Windows\{2A219C54-BA9F-4ca2-8697-07AF0D4E0AB5}.exe

Filesize
380KB

MD5
a9d52689eb712b88eba8f2cbaebe4bd1

SHA1
60c909419be6dddf9ac840a46d9cf5da2bd7383a

SHA256
70eae8dbe5fd5b8b81fcecf2c3df4c37cbafd551e747ad7b17456619fafe86b7

SHA512
2aa7b78c0afa1fc401fa4809b06d6c5a86f686fb4ec3d82efd0f3e7e3a1731c943f3da0d493852b41365cba57f3892fad66d1c877115125445ee41bbdacd77c2

Download Submit
C:\Windows\{4D4292EF-B0FA-43ab-91F2-8BBD528B393C}.exe

Filesize
380KB

MD5
7a2a09b11de4323a49a0ec9242b8cd7e

SHA1
de6dcff4a33d40656dcd3a70259e429645550fc5

SHA256
bef76d3ce6aabf8209ef53a73c69751bdeb575e29858fe0c576ea2ef22ab4905

SHA512
31f064768ba98e6378134cdd3dad79352adf8611b754076dedcd71e59fefd2586581cfd5a253821fbc7caa34f88b60daba249edf18fe02dca727f9bbfbbaffa0

Download Submit
C:\Windows\{545F36A7-0EF7-4a6a-8C76-3C13827E8773}.exe

Filesize
380KB

MD5
affc8f881dfad5234d8590b0e62f25fc

SHA1
8a35921d85d4923243f2ac8fd8b8eeeb5986cc34

SHA256
bdc8c20ed6cd56c561c13625bfb9a3b82afd85c1426480da43620762d0eb71fb

SHA512
c98e5d54190666c8a4b454e8ae927a56e856f879f6d4874b1e5568ee00de146544b67fc576c024f3ce28cd8278fecdc17eb80dd5755cca7f16be121d95ebf01f

Download Submit
C:\Windows\{55A3C6FF-7682-4c11-9B2F-A1AF88FFB017}.exe

Filesize
380KB

MD5
af59a6d9b4d48b86dbd8e5dfe9ff02a4

SHA1
79fda39fc6098487245a2fd7bb54e7c6fe57e51c

SHA256
de7bbf31c68545836c342944ad8200b1ad1c651aba6a96e7d0bd984dc6a56dce

SHA512
a55f33940a8b1b181fe8d233302914f5e8eb66e7fb6eff1f3cefb5f3bbff901b6f3a39837bb187544cb468d82e85e5a61fdf4bac2c52bcdba8703d8e7b943fbd

Download Submit
C:\Windows\{69D3D8A3-838F-42a8-9506-210B6BD86D87}.exe

Filesize
380KB

MD5
87d9ca1dfa01c8a234cde5ee12217595

SHA1
5e47984c123a8a7c54e086448cf9e4d135b5b3f3

SHA256
f1dd844cec5b52fcd753a264eae35fc8950747d6bf618e6ddc5a10f15d86ec10

SHA512
e0405106e5cd943e24a31131bc9bce638282b4dec89e424101360720c53d607f87dc0b07c8a441ee4e76facd4d8a6452cc9024d815146de7042b5e4795dfaf87

Download Submit
C:\Windows\{73EE73B9-93E8-4bab-9341-5A8DCA878795}.exe

Filesize
380KB

MD5
bee50f69cd47ac600a905bf1d359318f

SHA1
b9d0108f40b40b4e66fb0efc0df1ad9bc23ae4b9

SHA256
65bbdf5932523756f6cdbf5339e2946130b20681b4ad76ee65dd4e1e5a00534c

SHA512
070236903a73005afb9d4ab6c5eddf16fb39104f446281239a4efa7bab013769e11fdd1a9a8e4755a54cdfcee46c7d96ee4ff6c4aa38d94d253efc4d9695a574

Download Submit
C:\Windows\{8D724A34-4718-4db8-A8F7-88F240119D5E}.exe

Filesize
380KB

MD5
54c916fbe88583842ec6ee5252447271

SHA1
1a44e2d783f421d33f7ebe171c0207a5ad21f4a0

SHA256
7b88de340cec6c2ab8cd68b741185376381940f4b260f73e69d2faec7d3704c7

SHA512
e0510eb83adec533506b2b9366e2347e136e3f2473407a4722af610c162696bc3758d978f509cccf043099bae42915ff25c320008469544072998abb15c30a9b

Download Submit
C:\Windows\{D78F9F35-8C77-4495-89A9-2FBE7795B9F6}.exe

Filesize
380KB

MD5
98543637b890a70a11300df4fd4c779f

SHA1
2926b5ed1708acba357b725405097032e8a038b0

SHA256
67ffb247e96633122869f1cad8bc656caa31bb6ff50b4f1b602b1381ea6f18b3

SHA512
ee2dc77665fa992d93658bce37e263bea06f375d7094b6c2225564ca20630e9c6e20dec6cf4df69c1774b6632e38959b13018acf44e32e9da19f29f57e33f246

Download Submit
C:\Windows\{F4870960-9B49-48f9-8F41-CE0785A97115}.exe

Filesize
380KB

MD5
81ea621965cd86869bc4eaa379d95424

SHA1
4f86d10291324150c5f6fd0418d5231e332ffef7

SHA256
fba008f5db0d72bcf7f852704c6ee0a46eb556aa2021baeb60acf08388838a94

SHA512
5d254c106f1a1bca73cca58f3db3176da986607ba27d507bb1fd29ea58f05d7ffaf12fabf66b8b089a41021f433e90a8a8c625ef9a190930e0cb8df123e91d6e

Download Submit
C:\Windows\{F68587D6-C0C3-40f9-9739-0CBD3263DD25}.exe

Filesize
380KB

MD5
6ee11446818d8a0c30114a790f9e5089

SHA1
84576d064b198adcfe8958f92b075dbf795653bb

SHA256
4c5bba7959feb5df7ea2ca377cd47885d496aa89c1cb361bcd2e86e0be2bd5ce

SHA512
c7a8bea7f4c69b15a3020ae232f860da6e1b012a2836b652323651d08396ff89565ab2dff04e67f463397ee54a8fc6321fd2352e4b65d42077d9130312a0fc2f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads