3ff33248f6957f1579e61078e2067b2d71ad70afe5bc43f7d4684b4f134c6aea

Analysis

max time kernel
149s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 11:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
Size

168KB
MD5

304d65b0cdfcb2fd5705928ce114b85d
SHA1

5e42641fee5fa91404570006dec546181c4dfacd
SHA256

3ff33248f6957f1579e61078e2067b2d71ad70afe5bc43f7d4684b4f134c6aea
SHA512

489351ecab22818219a3372c7b17b30ac49dec53bdb4371ccb763d57c6d6552d1af660d3dc554028c3d73232a87c9684bb737c6c309e1f10e98d5ba0a203a459
SSDEEP

1536:1EGh0oelq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oelqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}\stubpath = "C:\\Windows\\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe"	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60493D1-48F9-4a29-BFB7-78CEE4395714}	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}\stubpath = "C:\\Windows\\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe"	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28D0FA6-DA22-4e40-9588-6D500C23C424}	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}\stubpath = "C:\\Windows\\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe"	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B758658-2248-4b6c-A8B8-18861863F0A2}	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B758658-2248-4b6c-A8B8-18861863F0A2}\stubpath = "C:\\Windows\\{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe"	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}	{3985A284-1870-4fed-A523-BEAC2D782667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}	{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}\stubpath = "C:\\Windows\\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe"	{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858E0272-7356-4fea-8DD4-107C2400EC8D}\stubpath = "C:\\Windows\\{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe"	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4A760D-31A9-4211-8514-6330561F140D}	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0AA5C96-3833-476a-81B4-3018BC56924D}\stubpath = "C:\\Windows\\{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe"	{3D4A760D-31A9-4211-8514-6330561F140D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3985A284-1870-4fed-A523-BEAC2D782667}	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3985A284-1870-4fed-A523-BEAC2D782667}\stubpath = "C:\\Windows\\{3985A284-1870-4fed-A523-BEAC2D782667}.exe"	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}\stubpath = "C:\\Windows\\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe"	{3985A284-1870-4fed-A523-BEAC2D782667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858E0272-7356-4fea-8DD4-107C2400EC8D}	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4A760D-31A9-4211-8514-6330561F140D}\stubpath = "C:\\Windows\\{3D4A760D-31A9-4211-8514-6330561F140D}.exe"	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0AA5C96-3833-476a-81B4-3018BC56924D}	{3D4A760D-31A9-4211-8514-6330561F140D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28D0FA6-DA22-4e40-9588-6D500C23C424}\stubpath = "C:\\Windows\\{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe"	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E60493D1-48F9-4a29-BFB7-78CEE4395714}\stubpath = "C:\\Windows\\{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe"	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe

Executes dropped EXE 12 IoCs

pid	Process
2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe
1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe
4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
3700	{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
2568	{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
File created	C:\Windows\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe	{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
File created	C:\Windows\{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
File created	C:\Windows\{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
File created	C:\Windows\{3D4A760D-31A9-4211-8514-6330561F140D}.exe	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
File created	C:\Windows\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe	{3985A284-1870-4fed-A523-BEAC2D782667}.exe
File created	C:\Windows\{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
File created	C:\Windows\{3985A284-1870-4fed-A523-BEAC2D782667}.exe	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
File created	C:\Windows\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
File created	C:\Windows\{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
File created	C:\Windows\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
File created	C:\Windows\{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	{3D4A760D-31A9-4211-8514-6330561F140D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
Token: SeIncBasePriorityPrivilege	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
Token: SeIncBasePriorityPrivilege	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
Token: SeIncBasePriorityPrivilege	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
Token: SeIncBasePriorityPrivilege	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
Token: SeIncBasePriorityPrivilege	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe
Token: SeIncBasePriorityPrivilege	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
Token: SeIncBasePriorityPrivilege	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
Token: SeIncBasePriorityPrivilege	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe
Token: SeIncBasePriorityPrivilege	4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
Token: SeIncBasePriorityPrivilege	3700	{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2400	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	81
PID 1856 wrote to memory of 2400	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	81
PID 1856 wrote to memory of 2400	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	81
PID 1856 wrote to memory of 408	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	82
PID 1856 wrote to memory of 408	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	82
PID 1856 wrote to memory of 408	1856	2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe	82
PID 2400 wrote to memory of 1176	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	83
PID 2400 wrote to memory of 1176	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	83
PID 2400 wrote to memory of 1176	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	83
PID 2400 wrote to memory of 2416	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	84
PID 2400 wrote to memory of 2416	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	84
PID 2400 wrote to memory of 2416	2400	{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe	84
PID 1176 wrote to memory of 4500	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	90
PID 1176 wrote to memory of 4500	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	90
PID 1176 wrote to memory of 4500	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	90
PID 1176 wrote to memory of 3828	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	91
PID 1176 wrote to memory of 3828	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	91
PID 1176 wrote to memory of 3828	1176	{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe	91
PID 4500 wrote to memory of 1668	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	94
PID 4500 wrote to memory of 1668	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	94
PID 4500 wrote to memory of 1668	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	94
PID 4500 wrote to memory of 1036	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	95
PID 4500 wrote to memory of 1036	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	95
PID 4500 wrote to memory of 1036	4500	{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe	95
PID 1668 wrote to memory of 2476	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	96
PID 1668 wrote to memory of 2476	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	96
PID 1668 wrote to memory of 2476	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	96
PID 1668 wrote to memory of 4608	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	97
PID 1668 wrote to memory of 4608	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	97
PID 1668 wrote to memory of 4608	1668	{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe	97
PID 2476 wrote to memory of 2596	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	98
PID 2476 wrote to memory of 2596	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	98
PID 2476 wrote to memory of 2596	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	98
PID 2476 wrote to memory of 3388	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	99
PID 2476 wrote to memory of 3388	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	99
PID 2476 wrote to memory of 3388	2476	{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe	99
PID 2596 wrote to memory of 1000	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	100
PID 2596 wrote to memory of 1000	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	100
PID 2596 wrote to memory of 1000	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	100
PID 2596 wrote to memory of 2356	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	101
PID 2596 wrote to memory of 2356	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	101
PID 2596 wrote to memory of 2356	2596	{3D4A760D-31A9-4211-8514-6330561F140D}.exe	101
PID 1000 wrote to memory of 1608	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	102
PID 1000 wrote to memory of 1608	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	102
PID 1000 wrote to memory of 1608	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	102
PID 1000 wrote to memory of 3376	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	103
PID 1000 wrote to memory of 3376	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	103
PID 1000 wrote to memory of 3376	1000	{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe	103
PID 1608 wrote to memory of 3304	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	104
PID 1608 wrote to memory of 3304	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	104
PID 1608 wrote to memory of 3304	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	104
PID 1608 wrote to memory of 4956	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	105
PID 1608 wrote to memory of 4956	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	105
PID 1608 wrote to memory of 4956	1608	{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe	105
PID 3304 wrote to memory of 4584	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	106
PID 3304 wrote to memory of 4584	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	106
PID 3304 wrote to memory of 4584	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	106
PID 3304 wrote to memory of 3944	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	107
PID 3304 wrote to memory of 3944	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	107
PID 3304 wrote to memory of 3944	3304	{3985A284-1870-4fed-A523-BEAC2D782667}.exe	107
PID 4584 wrote to memory of 3700	4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe	108
PID 4584 wrote to memory of 3700	4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe	108
PID 4584 wrote to memory of 3700	4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe	108
PID 4584 wrote to memory of 3748	4584	{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_304d65b0cdfcb2fd5705928ce114b85d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
  C:\Windows\{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
    C:\Windows\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
      C:\Windows\{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
        
        C:\Windows\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
        
        C:\Windows\{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\{3D4A760D-31A9-4211-8514-6330561F140D}.exe
        
        C:\Windows\{3D4A760D-31A9-4211-8514-6330561F140D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
        
        C:\Windows\{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
        
        C:\Windows\{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{3985A284-1870-4fed-A523-BEAC2D782667}.exe
        
        C:\Windows\{3985A284-1870-4fed-A523-BEAC2D782667}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
        
        C:\Windows\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
        
        C:\Windows\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe
        
        C:\Windows\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{630DE~1.EXE > nul
        13⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EC0E~1.EXE > nul
        12⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3985A~1.EXE > nul
        11⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28D0~1.EXE > nul
        10⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0AA5~1.EXE > nul
        9⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D4A7~1.EXE > nul
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{858E0~1.EXE > nul
        7⤵
        
        PID:3388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C701E~1.EXE > nul
        6⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6049~1.EXE > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8316E~1.EXE > nul
      4⤵
      PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B758~1.EXE > nul
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3985A284-1870-4fed-A523-BEAC2D782667}.exe

Filesize
168KB

MD5
5e62078508509dd101df80774471c991

SHA1
8c1ea52ab2add44b3808ca778b273923a41ec163

SHA256
e4fa42e794fbc321b3ec14b0dc027abfe7c7ed04cbbe1ed937910a68a56d47ca

SHA512
7d6f1b6bbf01250ec5e732d65a71f032c2e48125a928cf82df13803adea1e80fda6e5776eab3ce40e8a398044412c149a694a0cafa70c7d1449b2247481303b3

Download Submit
C:\Windows\{3D4A760D-31A9-4211-8514-6330561F140D}.exe

Filesize
168KB

MD5
6d115955b7fdeda0e799f48ac6affcba

SHA1
5b161322cbbbfd9832d812ee7621bd8ce602d859

SHA256
428ea102f5fc259d7401c214c195dac2d5f428ca75f78028810ba0b936072ce9

SHA512
4c8ad4907e18639bd33fed7cc1fb432dda07fb472a3c93af7a16d43a64e87e91e078a82fa8baa451e3dfc22a5d25b8a04cba532ca448569b13d3ae9f0206e9b0

Download Submit
C:\Windows\{44D13AA2-ECB7-4987-B591-BD0E37F2EFA5}.exe

Filesize
168KB

MD5
4434016256704a316ab72a0011036e96

SHA1
f06c2d3d3b558bc85a519b721f0cf593fa10f4ea

SHA256
571909540acf568e2e3b0b5e5c80addcabb27bc47f4d1486c6d4a44f958aa41e

SHA512
d0952a618c0178e0a4a802a9f12e2527d58b81792e0f76c354c2962e345dc4b8112990a6a47d2dd9b05ee7c9ab0f61a04f972d8b40299dfb73884a2615585527

Download Submit
C:\Windows\{630DE8ED-E23F-4677-8F54-DAA7FAEE8762}.exe

Filesize
168KB

MD5
c73cbe58c30d1ef2126d49cfc5564177

SHA1
317ebe03bdfc7c5ce58c1df2ab2f32145422ead9

SHA256
5b47683a4a1511807f003dba46a8227bc9a4ef6b34f67796e5028ad475e2b3e7

SHA512
cae57aaee947d223fa35a333d5afd0c5df1c8c8ed9f94f9a7acef4373e0e6a10efd2ebc1384ddc585149207a78586c9f52164b69be259d8e192052ad2763f368

Download Submit
C:\Windows\{6B758658-2248-4b6c-A8B8-18861863F0A2}.exe

Filesize
168KB

MD5
5b300dcae5bd32ca0a8de992e50899f6

SHA1
f82586749aeb4a01992391c02f203de63c2e976e

SHA256
6a1f11d80079c33dafe270b8f856494221d259d105a699747baafc7a4e225bed

SHA512
db3fab699204bc39f2321eabc005b4b432ab34a3aa71f8992e7c0f2ecf5dade2565d6169e78cee8c8f6f9bc39793489ca9f09f41168ad7d1b7625e1e4cf7bc2b

Download Submit
C:\Windows\{6EC0EC63-EB97-4d0d-A7F1-9B20194E0703}.exe

Filesize
168KB

MD5
380f517c7d5d8775a2000bcd41960dea

SHA1
5c113975e9e479d4a89a69e511703fd915e900d7

SHA256
cedc5a3698ee316a7474afc7613f5c1927f849ed09468949435d4d0e13bb22f0

SHA512
16a68cec5f15014b263b5edf0d90bd72f57ba4c31aa685dcfc58f5e0551891ad66ac68eb2a2ebb71a2c1b82e57cb91d281759a2963846c5e9fd8f9395e914927

Download Submit
C:\Windows\{8316EAF8-1AA0-4e86-A7FC-6A0FF248D594}.exe

Filesize
168KB

MD5
ac7809b99512771820874928daa35bd2

SHA1
fcc8beceaf55262df745cf48b372acf7076a32a7

SHA256
d67a34cde07c1ecad6d107796d477ecb647bb242fb32c241879eb0958c01fff4

SHA512
c5596e6c6f7daea7d88df6c4e1670b2abde6f4041fcce02ec69bccaab4105a07431cc96250b91ca583973625e0aff784d6b9dcb412ab262ceecb2e5dc3439c60

Download Submit
C:\Windows\{858E0272-7356-4fea-8DD4-107C2400EC8D}.exe

Filesize
168KB

MD5
63609fcf054a616da84763243936d4a9

SHA1
71f078c8453dd28d1711236569b5afc611b1e8d4

SHA256
c21873bf47410f39b5d5437081ee82ea5c3d9d5ab622e7b937e3d8177e4db79e

SHA512
74c634bca5bf19341551c39df359ea275b30d82ad0890eaf7c872c7090dabb9a5351d4c04173cc900d92d5cdde30b1f4f20812324b1b59447852fe7fe49a4311

Download Submit
C:\Windows\{C28D0FA6-DA22-4e40-9588-6D500C23C424}.exe

Filesize
168KB

MD5
7cdd5c78760fca73948e96a2690413ea

SHA1
3f95344e28bc2a559a9c0f50a4fca86f3ba6d1e4

SHA256
5f4ddab0cbbeca2aab4685263f6fd4714eb595d56da925e375fd51b496f751bd

SHA512
6cb5aa5015ad140401985819e53f81ca9d6c14d6527ee64abb937e21c48098f7ce75f7970fe6f4575aab436651800f33235d22b04cbe8187d641191335d12aa1

Download Submit
C:\Windows\{C701EA0F-DA5C-425d-BCC2-9EC506A264C1}.exe

Filesize
168KB

MD5
0b78af912403afe042aa546600b65470

SHA1
160ded3496782c1fc0574c5cad0517cb28036b79

SHA256
a2d03d2c8418532fd1299b990c3d22c85dce2b2987cf8759df92d275c4f6bcff

SHA512
70fe3d2d03b6ddcb2e29fcf19b3f74afe4beb117a60374abd47f0ec3032ba56001c523f1f9c03d38bb1374e78de8132ff9fc501d276a8e767b4c067034258dd7

Download Submit
C:\Windows\{D0AA5C96-3833-476a-81B4-3018BC56924D}.exe

Filesize
168KB

MD5
fe01cfc588da6fc19b3f038e8fae1954

SHA1
2d1967e1e56d35aaaf361f62f17183fb625b0237

SHA256
ebf77f79879cdf0b14f20f9d3bbe99b81064f948030bf5b53916bd1c01dcc8de

SHA512
8c417208398dbf77d3de42e8e3b1a835f02cdace42f7156f962c56e18cbc2d79b934e164ba789e6df8193ef3f27bc8fd9cf98a9742394bb5df46d0571522fdc5

Download Submit
C:\Windows\{E60493D1-48F9-4a29-BFB7-78CEE4395714}.exe

Filesize
168KB

MD5
416215ea9f259c3be9a5052b80f5be1b

SHA1
a928484d21cb3f5dddff1eba0487f8991412d13f

SHA256
7f663d91590b174e79320324858fa1f2a33f6176cffc03ccdb1f9f768341a557

SHA512
590aa82bd46087dba05e1ace661c16a4f03bb2534159c76ba27784894938e2f51ac51dffc707ab6e2bc2757104df2aa1053f847f8e6ffbf8bc17ed08682f13bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads