22018eda162b32d9e94864666abdc83260dca552c7aee29c1a45301228527cc0

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
Size

216KB
MD5

f95ddd59a0b0fe59620cb8e78ee19334
SHA1

a13db8b2d3805e305d4220016cad66b02d0e8dfc
SHA256

22018eda162b32d9e94864666abdc83260dca552c7aee29c1a45301228527cc0
SHA512

64b818b93bcdc7e020bd069f7e56a230e6e10c267e4d1ccb9b1dc9347f204fb820b561206b09737d12adc7271aecbdf3785357d9dc6cf082a96650688fba4109
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E39200-CA4B-4dd1-9317-E4C63181F676}\stubpath = "C:\\Windows\\{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe"	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F38CB88-5F5F-4330-9722-0E57106979B2}	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F38CB88-5F5F-4330-9722-0E57106979B2}\stubpath = "C:\\Windows\\{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe"	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951600A8-2A1D-438f-B77C-0DC3A80E7004}	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C8B2C2-1238-4ba3-9991-5714540053A0}\stubpath = "C:\\Windows\\{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe"	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0807C947-F73D-49cb-BF24-473F34393C00}	{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C538F07-33FA-4ecf-978F-0F81D0690772}	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C538F07-33FA-4ecf-978F-0F81D0690772}\stubpath = "C:\\Windows\\{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe"	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C8B2C2-1238-4ba3-9991-5714540053A0}	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}\stubpath = "C:\\Windows\\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe"	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0807C947-F73D-49cb-BF24-473F34393C00}\stubpath = "C:\\Windows\\{0807C947-F73D-49cb-BF24-473F34393C00}.exe"	{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951600A8-2A1D-438f-B77C-0DC3A80E7004}\stubpath = "C:\\Windows\\{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe"	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}\stubpath = "C:\\Windows\\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe"	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}\stubpath = "C:\\Windows\\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe"	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F02A277-6423-4588-BC2B-C8F778CBC12A}	{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E39200-CA4B-4dd1-9317-E4C63181F676}	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F02A277-6423-4588-BC2B-C8F778CBC12A}\stubpath = "C:\\Windows\\{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe"	{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88302605-E592-4634-AD3A-187FD6B33070}	{0807C947-F73D-49cb-BF24-473F34393C00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88302605-E592-4634-AD3A-187FD6B33070}\stubpath = "C:\\Windows\\{88302605-E592-4634-AD3A-187FD6B33070}.exe"	{0807C947-F73D-49cb-BF24-473F34393C00}.exe

Executes dropped EXE 11 IoCs

pid	Process
2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
2444	{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
1640	{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
2332	{0807C947-F73D-49cb-BF24-473F34393C00}.exe
1880	{88302605-E592-4634-AD3A-187FD6B33070}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
File created	C:\Windows\{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe	{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
File created	C:\Windows\{88302605-E592-4634-AD3A-187FD6B33070}.exe	{0807C947-F73D-49cb-BF24-473F34393C00}.exe
File created	C:\Windows\{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
File created	C:\Windows\{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
File created	C:\Windows\{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
File created	C:\Windows\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
File created	C:\Windows\{0807C947-F73D-49cb-BF24-473F34393C00}.exe	{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
File created	C:\Windows\{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
File created	C:\Windows\{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
File created	C:\Windows\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
Token: SeIncBasePriorityPrivilege	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
Token: SeIncBasePriorityPrivilege	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
Token: SeIncBasePriorityPrivilege	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
Token: SeIncBasePriorityPrivilege	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
Token: SeIncBasePriorityPrivilege	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
Token: SeIncBasePriorityPrivilege	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
Token: SeIncBasePriorityPrivilege	2444	{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
Token: SeIncBasePriorityPrivilege	1640	{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
Token: SeIncBasePriorityPrivilege	2332	{0807C947-F73D-49cb-BF24-473F34393C00}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2768	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	28
PID 2840 wrote to memory of 2768	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	28
PID 2840 wrote to memory of 2768	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	28
PID 2840 wrote to memory of 2768	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	28
PID 2840 wrote to memory of 1420	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	29
PID 2840 wrote to memory of 1420	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	29
PID 2840 wrote to memory of 1420	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	29
PID 2840 wrote to memory of 1420	2840	2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe	29
PID 2768 wrote to memory of 2604	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	30
PID 2768 wrote to memory of 2604	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	30
PID 2768 wrote to memory of 2604	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	30
PID 2768 wrote to memory of 2604	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	30
PID 2768 wrote to memory of 2352	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	31
PID 2768 wrote to memory of 2352	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	31
PID 2768 wrote to memory of 2352	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	31
PID 2768 wrote to memory of 2352	2768	{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe	31
PID 2604 wrote to memory of 2548	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	34
PID 2604 wrote to memory of 2548	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	34
PID 2604 wrote to memory of 2548	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	34
PID 2604 wrote to memory of 2548	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	34
PID 2604 wrote to memory of 2664	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	35
PID 2604 wrote to memory of 2664	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	35
PID 2604 wrote to memory of 2664	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	35
PID 2604 wrote to memory of 2664	2604	{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe	35
PID 2548 wrote to memory of 2468	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	36
PID 2548 wrote to memory of 2468	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	36
PID 2548 wrote to memory of 2468	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	36
PID 2548 wrote to memory of 2468	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	36
PID 2548 wrote to memory of 580	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	37
PID 2548 wrote to memory of 580	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	37
PID 2548 wrote to memory of 580	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	37
PID 2548 wrote to memory of 580	2548	{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe	37
PID 2468 wrote to memory of 2180	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	38
PID 2468 wrote to memory of 2180	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	38
PID 2468 wrote to memory of 2180	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	38
PID 2468 wrote to memory of 2180	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	38
PID 2468 wrote to memory of 532	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	39
PID 2468 wrote to memory of 532	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	39
PID 2468 wrote to memory of 532	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	39
PID 2468 wrote to memory of 532	2468	{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe	39
PID 2180 wrote to memory of 2804	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	40
PID 2180 wrote to memory of 2804	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	40
PID 2180 wrote to memory of 2804	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	40
PID 2180 wrote to memory of 2804	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	40
PID 2180 wrote to memory of 1668	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	41
PID 2180 wrote to memory of 1668	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	41
PID 2180 wrote to memory of 1668	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	41
PID 2180 wrote to memory of 1668	2180	{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe	41
PID 2804 wrote to memory of 1968	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	42
PID 2804 wrote to memory of 1968	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	42
PID 2804 wrote to memory of 1968	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	42
PID 2804 wrote to memory of 1968	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	42
PID 2804 wrote to memory of 1996	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	43
PID 2804 wrote to memory of 1996	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	43
PID 2804 wrote to memory of 1996	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	43
PID 2804 wrote to memory of 1996	2804	{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe	43
PID 1968 wrote to memory of 2444	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	44
PID 1968 wrote to memory of 2444	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	44
PID 1968 wrote to memory of 2444	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	44
PID 1968 wrote to memory of 2444	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	44
PID 1968 wrote to memory of 2936	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	45
PID 1968 wrote to memory of 2936	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	45
PID 1968 wrote to memory of 2936	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	45
PID 1968 wrote to memory of 2936	1968	{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
  C:\Windows\{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
    C:\Windows\{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
      C:\Windows\{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
        
        C:\Windows\{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
        
        C:\Windows\{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
        
        C:\Windows\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
        
        C:\Windows\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
        
        C:\Windows\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
        
        C:\Windows\{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{0807C947-F73D-49cb-BF24-473F34393C00}.exe
        
        C:\Windows\{0807C947-F73D-49cb-BF24-473F34393C00}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{88302605-E592-4634-AD3A-187FD6B33070}.exe
        
        C:\Windows\{88302605-E592-4634-AD3A-187FD6B33070}.exe
        12⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0807C~1.EXE > nul
        12⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F02A~1.EXE > nul
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64CC~1.EXE > nul
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC1B1~1.EXE > nul
        9⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D14D0~1.EXE > nul
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2C8B~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95160~1.EXE > nul
        6⤵
        
        PID:532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F38C~1.EXE > nul
        5⤵
        
        PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C538~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E39~1.EXE > nul
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0807C947-F73D-49cb-BF24-473F34393C00}.exe

Filesize
216KB

MD5
bf34affde6ecff563107a74b8d21849d

SHA1
dfbe7cbcbb1f98e76f3da1eaf3fb827c3fcbac57

SHA256
9cba5cc0bacec619a0b5d9d2dc103061f9d9823530aeb22b9b71a128c0a5affb

SHA512
037505f64901cc7dddef08b41d3bfe265557ea1cecc638a14db0d66c0ea1d38647fbd39aa247cac256dddbd9364411d34e8aa8ca4ec448265f2395abdf69a23c

Download Submit
C:\Windows\{1F02A277-6423-4588-BC2B-C8F778CBC12A}.exe

Filesize
216KB

MD5
0cd08cc6b5b0745810f634254e9d466c

SHA1
efd5b39bd321f8d16257cfe18ab01f61bfc8380e

SHA256
ccfed344bca4c1c5acfc9afa5d87dd555a97535621f355f9f1d501311d1b94a5

SHA512
ef9409f09eb0a46d1c5c52fe1c708d186ba977436ee1047c4242788f52572cab632cdff66d87b6d9dda303be1802e39937700a7f2e51c30a49dc527bd5f43cbd

Download Submit
C:\Windows\{6C538F07-33FA-4ecf-978F-0F81D0690772}.exe

Filesize
216KB

MD5
5f3d6ee7b84819a6ae3a3dc32fb4a1be

SHA1
7c77e827e9318d28eab6e0e8f66dd8a6a65e621a

SHA256
5603f7fab4e5d4de84915ef461efb5acbb33b5349f0800810cfa1833767383b7

SHA512
af748c7a9b874bdfcccb113cf4684c6be1891ece573d93afcef9fbf81a48ec7d0d9d01036aca0deda16b074e55424a5bfc0563d8e70f818687753971c2f535f9

Download Submit
C:\Windows\{7F38CB88-5F5F-4330-9722-0E57106979B2}.exe

Filesize
216KB

MD5
e6b77d94cc1cb2e41b696c91542e5436

SHA1
32994a195ebc8b80cabf6a372953abab55258e7c

SHA256
e95220cb16615eacbc2f6d442d0bd562a2b5d9da81fb28597b6a802f160c41df

SHA512
765ef8561841e556c8e4463966ba3a197517db870b49a85253273e95c8f4a49d7572f5fe05462e068759e10e05094a4b6e8c0ca951de1104ce2ad6c89bc1639f

Download Submit
C:\Windows\{88302605-E592-4634-AD3A-187FD6B33070}.exe

Filesize
216KB

MD5
d286a57a922dd935779daa128d18ec08

SHA1
6d3c4c008287d3fa54bfc2dedfc0edabcda0febe

SHA256
2dda1bf1ce73d10b50c232d8c8191025ac9edcc2fdb06b22bbefd25eb291f62d

SHA512
c5330301add1186314f950f5794db077cf247e381319467113c554ae5364791a4168691ef37a143527e0c097d68cf1df5ea8f0deb8d4f7a7be3b836370952fe5

Download Submit
C:\Windows\{951600A8-2A1D-438f-B77C-0DC3A80E7004}.exe

Filesize
216KB

MD5
a652bcf82395178a7c5544767d076f05

SHA1
29d1234bebadb0b73f0318d14dee178d012c016d

SHA256
c49064f6348d3ea4b6574744b9d46386a4dc3ed5790cfa85a9b9d88a0f32ae24

SHA512
15fd0ea98f798e0b75be1b4cc135a82f247dda4731a415a8edb3e5aee5f6a9161f09034c81445ad716712dd890c7ff392e3815af954923c1a78e4bc47cc52863

Download Submit
C:\Windows\{C0E39200-CA4B-4dd1-9317-E4C63181F676}.exe

Filesize
216KB

MD5
2ea49f45f93b01dbc21f903f40cbd07b

SHA1
e6975b386bd575377eb0a749ec50ca38c4999321

SHA256
8109c3deea35c7a37ffdec84c9fe040d0d64fc6662c9a3764804696557b4d2bb

SHA512
85a1b1daef4a22c3f950f9fee559b3c12ba706f22787c07c0b1518c66f34922d013d329f35df6a92043347bd22615bd1401291518ef3a3dcc709af15d753322f

Download Submit
C:\Windows\{C2C8B2C2-1238-4ba3-9991-5714540053A0}.exe

Filesize
216KB

MD5
1219fd1b9d4eb0ef30a8ca327ce26711

SHA1
93730177d82427e0067694bc0fa211dfc5e49769

SHA256
ffdc6d50bf6cffee2053fc661757e5ee60cdd84a8c30877395aa6d651a5856ef

SHA512
0b909724ff37a730c25b12534b0d8471a34eba61c61a016484f9d20544d5fafffb4ad052949f85371d11771694174cf0292bbb6dcc357b2616fb023a2c394b73

Download Submit
C:\Windows\{CC1B18FC-8C63-4c95-A7B6-AC321C182759}.exe

Filesize
216KB

MD5
3627501190298c1ab46f2059f1d50304

SHA1
b72c6a5013fff41456cc85eefac16bc6eaee3238

SHA256
663771721f7b3949cf42d3436e596bd012b4e3eb744a8fdd7421d68df3917d4b

SHA512
92c604c3cd418fe608f6fe50f635c7f19a14901a245cd1dbd66fe751b2f37fa82dfbfc9be43c865bf4bfef5f415e27eba8cc0b6ec9b1dd56c8b12423f77e04d9

Download Submit
C:\Windows\{D14D0A83-30DF-4ca2-B16C-0603FAF48732}.exe

Filesize
216KB

MD5
04c9dcb22e96aa1fae14f9fdc8aecca6

SHA1
e1c4a860595eb3b61762bbbdbf0e2d9609cd2e62

SHA256
7f52f056c0ea9e56fa639dfc7935bb47b0e7527b6f442b53a387a176be4c25e0

SHA512
deee641939d292ae08978dd3096f5f655115aa11655e61b66750e8a5e11f6b46868e0c3b765cc4520b452c5dd26eb1d1bb178ff17341eb888ed8a8a128dd124a

Download Submit
C:\Windows\{D64CCA4C-9E89-42ab-9E2D-EB489BE62E31}.exe

Filesize
216KB

MD5
32ba60bc6c22301f7286408087fa2589

SHA1
e9474dfebdb0b92488ca1b17d6e10b5410c05445

SHA256
819cf7110c9b91f260bcbdb1e297cb3c0036d574d75035ea7d020fc62edab0ed

SHA512
32115ff9b12a3ee3732526ed32053ab3ede182f8b782183d0398c71869acd65fd5824030a71528f8e9fc03008b14f84bbbce1c8d0f4a9a28e41cf10ac1a52b81

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads