d243e8cb84d370b6fad5657ce29ed44611a7375a582731e34706edcb4bdba1c9

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Size

216KB
MD5

994c614a58af12a4580fdb0065ac385e
SHA1

71dde59f4d7c1639eaba42ce9d493e8ffe4eb264
SHA256

d243e8cb84d370b6fad5657ce29ed44611a7375a582731e34706edcb4bdba1c9
SHA512

27cda735992861d6cf0f19f894b9030855bf9c926216afa9c91c608107d5535ea285f47b7f72f32abc0b1c45dbf10c811a7e0db3638412e0d3fd23f602fef8f4
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGGlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE016E0-3215-45c9-B911-382A93EA53F7}\stubpath = "C:\\Windows\\{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe"	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}\stubpath = "C:\\Windows\\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe"	{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}	{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA6C688-B01F-4682-A6F8-4123F2102625}\stubpath = "C:\\Windows\\{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe"	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDE016E0-3215-45c9-B911-382A93EA53F7}	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}\stubpath = "C:\\Windows\\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe"	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}	{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0A508BD-5731-423f-A167-F4EC731C76E0}	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0A508BD-5731-423f-A167-F4EC731C76E0}\stubpath = "C:\\Windows\\{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe"	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}\stubpath = "C:\\Windows\\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe"	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}\stubpath = "C:\\Windows\\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe"	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}	{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}\stubpath = "C:\\Windows\\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe"	{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA6C688-B01F-4682-A6F8-4123F2102625}	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}\stubpath = "C:\\Windows\\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe"	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}\stubpath = "C:\\Windows\\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe"	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}\stubpath = "C:\\Windows\\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe"	{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
2316	{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
876	{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
2736	{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe
2268	{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
File created	C:\Windows\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
File created	C:\Windows\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe	{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe
File created	C:\Windows\{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
File created	C:\Windows\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
File created	C:\Windows\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
File created	C:\Windows\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
File created	C:\Windows\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
File created	C:\Windows\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe	{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
File created	C:\Windows\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe	{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
File created	C:\Windows\{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
Token: SeIncBasePriorityPrivilege	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
Token: SeIncBasePriorityPrivilege	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
Token: SeIncBasePriorityPrivilege	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
Token: SeIncBasePriorityPrivilege	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
Token: SeIncBasePriorityPrivilege	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
Token: SeIncBasePriorityPrivilege	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
Token: SeIncBasePriorityPrivilege	2316	{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
Token: SeIncBasePriorityPrivilege	876	{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
Token: SeIncBasePriorityPrivilege	2736	{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2476	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	28
PID 1252 wrote to memory of 2476	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	28
PID 1252 wrote to memory of 2476	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	28
PID 1252 wrote to memory of 2476	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	28
PID 1252 wrote to memory of 1728	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	29
PID 1252 wrote to memory of 1728	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	29
PID 1252 wrote to memory of 1728	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	29
PID 1252 wrote to memory of 1728	1252	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	29
PID 2476 wrote to memory of 3064	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	30
PID 2476 wrote to memory of 3064	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	30
PID 2476 wrote to memory of 3064	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	30
PID 2476 wrote to memory of 3064	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	30
PID 2476 wrote to memory of 2744	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	31
PID 2476 wrote to memory of 2744	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	31
PID 2476 wrote to memory of 2744	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	31
PID 2476 wrote to memory of 2744	2476	{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe	31
PID 3064 wrote to memory of 1972	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	32
PID 3064 wrote to memory of 1972	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	32
PID 3064 wrote to memory of 1972	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	32
PID 3064 wrote to memory of 1972	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	32
PID 3064 wrote to memory of 3040	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	33
PID 3064 wrote to memory of 3040	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	33
PID 3064 wrote to memory of 3040	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	33
PID 3064 wrote to memory of 3040	3064	{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe	33
PID 1972 wrote to memory of 2520	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	36
PID 1972 wrote to memory of 2520	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	36
PID 1972 wrote to memory of 2520	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	36
PID 1972 wrote to memory of 2520	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	36
PID 1972 wrote to memory of 2580	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	37
PID 1972 wrote to memory of 2580	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	37
PID 1972 wrote to memory of 2580	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	37
PID 1972 wrote to memory of 2580	1972	{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe	37
PID 2520 wrote to memory of 3024	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	38
PID 2520 wrote to memory of 3024	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	38
PID 2520 wrote to memory of 3024	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	38
PID 2520 wrote to memory of 3024	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	38
PID 2520 wrote to memory of 1628	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	39
PID 2520 wrote to memory of 1628	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	39
PID 2520 wrote to memory of 1628	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	39
PID 2520 wrote to memory of 1628	2520	{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe	39
PID 3024 wrote to memory of 1936	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	40
PID 3024 wrote to memory of 1936	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	40
PID 3024 wrote to memory of 1936	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	40
PID 3024 wrote to memory of 1936	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	40
PID 3024 wrote to memory of 1752	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	41
PID 3024 wrote to memory of 1752	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	41
PID 3024 wrote to memory of 1752	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	41
PID 3024 wrote to memory of 1752	3024	{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe	41
PID 1936 wrote to memory of 1612	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	42
PID 1936 wrote to memory of 1612	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	42
PID 1936 wrote to memory of 1612	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	42
PID 1936 wrote to memory of 1612	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	42
PID 1936 wrote to memory of 2204	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	43
PID 1936 wrote to memory of 2204	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	43
PID 1936 wrote to memory of 2204	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	43
PID 1936 wrote to memory of 2204	1936	{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe	43
PID 1612 wrote to memory of 2316	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	44
PID 1612 wrote to memory of 2316	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	44
PID 1612 wrote to memory of 2316	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	44
PID 1612 wrote to memory of 2316	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	44
PID 1612 wrote to memory of 768	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	45
PID 1612 wrote to memory of 768	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	45
PID 1612 wrote to memory of 768	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	45
PID 1612 wrote to memory of 768	1612	{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
  C:\Windows\{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
    C:\Windows\{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
      C:\Windows\{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
        
        C:\Windows\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
        
        C:\Windows\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
        
        C:\Windows\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
        
        C:\Windows\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
        
        C:\Windows\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
        
        C:\Windows\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe
        
        C:\Windows\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe
        
        C:\Windows\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C42F~1.EXE > nul
        12⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4506D~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC3FC~1.EXE > nul
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAC09~1.EXE > nul
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6E5~1.EXE > nul
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{470F2~1.EXE > nul
        7⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFC5D~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE01~1.EXE > nul
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A50~1.EXE > nul
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA6C~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C42FAFF-C906-4e9b-B4DD-3D8357B1EE17}.exe

Filesize
216KB

MD5
6945d4f3f3f1d52e0660a329eafe23eb

SHA1
8cd36799c25f1207f3cf5fe6761fef4c2a513fd7

SHA256
a1d535135351c88f56b0fbe381ef8a88fbbfbf61058def12387fd58da58429f4

SHA512
ac240cb7b9efa7a8988faf4524be0138df96c3b25883a0ae209b9b0a8a7ac1843e2c1a7750ffd49a181ddf138b7ee2b67b74d3e9217f4220f80f2eb6b6e2aeca

Download Submit
C:\Windows\{4506D9A0-9F74-4acb-A1ED-3A3897E1AE15}.exe

Filesize
216KB

MD5
455aa23be0ae51d8549e30b9b641c7ec

SHA1
7635d57c7ffb6f53173b53afdcc748dce8648c6b

SHA256
a4effe8af583c0cc6803f3e4482460b6ca7edac26b1cf6fc3702a3bb569edc3f

SHA512
ac95e604771b775192eda09669b972fe48b261ff15f714350dd9e3f1ae1ad5441316bc7d14de01bb09097d4c81b562a322217c3b8cf03d0d5f086146a294e889

Download Submit
C:\Windows\{470F2D6C-8D0C-45f6-B8DD-8B2D90CE6A4B}.exe

Filesize
216KB

MD5
9bb22f9d803e296489b903a4ac7d0ebd

SHA1
ecc3f3deeb094816348d226c05c8a4a9cc6d0c6a

SHA256
be692d11bf5fd5aebe096d769bd1616ba4959036b6b57b12f45ab812c5b972a5

SHA512
3b26c0535d5569497cc0cc2f9039fb1e6dfb8edfa6ba462a2a35f796b2b3e981e8254eba666a8cba629732c6c60d961816b4b38c68a6e20a0cab038d0ec53cc1

Download Submit
C:\Windows\{8DA6C688-B01F-4682-A6F8-4123F2102625}.exe

Filesize
216KB

MD5
8eda86e3a4165fdab8d66d7eecb1c1f8

SHA1
96170d686a30841d31090c7b88ed8393eface596

SHA256
9049accb02b8b8f64f4d76dd2b5862610e5f17cb2175ba7896bffb5a2a930458

SHA512
5f66d886b666aead9f99c5ff3c14d34db1e313057a9cc45d5b314dea4746782d8673b5be538670303f02e906dc06ba7495983db883162910feb3c76ecdb48a14

Download Submit
C:\Windows\{AC281C1B-C5AF-472d-ADAF-1B1A9C3BFC7F}.exe

Filesize
216KB

MD5
d3dcb82c4426eb986b1b0ca504300da1

SHA1
164caba0d2d0088b3cba1a49068473e22b9afdce

SHA256
e84402aa9629d085296dd4b6e2ab17ad89c4ac7d91ac3896d261722b64e270f0

SHA512
e83716dbebb060117b0bd0bd79cdfeef092ea3a08ab2957542efacabbf65b66226710cf951474dfcfd2999b160073f5cd18c06c2e63ba7e63f00d1319575448c

Download Submit
C:\Windows\{BC3FC542-1E0B-4fe9-AFF9-0040AEDE8662}.exe

Filesize
216KB

MD5
40db3edad7bdb8d9ed287fb52766eca8

SHA1
a6affa21a4d04e58b3136d3247a5436d98a81181

SHA256
b8933ee091568c7472013f8161dba492b8a9767cabe0a3ce7fcd148baf26f1ea

SHA512
d4f1e645df423ad097eab35ffd5fbc2bb6b6b67659d06f29b84219d99ff5be24f80da0989256db9744197f7d46baaf907137babe1d5bec0505ba990da44df24f

Download Submit
C:\Windows\{C0A508BD-5731-423f-A167-F4EC731C76E0}.exe

Filesize
216KB

MD5
7c3bd758d48a2f4760e622fbc264185f

SHA1
d9e5dacfdc36870ca722eaff2992fbfcc5e03690

SHA256
0aea9bc2c9827cb12c3bc5e5164c6b6fb7f6c04df3cd4291589443ed3d6b20c5

SHA512
09b075c27487b6172408c6a931b2e6746109619c9bddf5d0cf40d0af5f49610a8d3dc1f92e763276a9ee46f5f8d24811c07ffc300c083854f4b28b21a71894bd

Download Submit
C:\Windows\{CC6E5013-F260-4155-B6BA-C9FD914CDB8B}.exe

Filesize
216KB

MD5
dab1c95ee156e400003c9c9ea1516f0e

SHA1
46faa71ab9dbef64a056b79737843183296f250b

SHA256
e6a8856e4c7fe80c381d7b5a9ed470cd91c10e8854794d4a0b218e6cce055634

SHA512
1ac67de191d0bfc273e84e37191691beb82d732bb0e9b2e7d94541363b9d7c6eb9f3b12e7cfb25f3b5b37e20522a7f9f0fa73f09f6f3e85e7de61a2d2912700f

Download Submit
C:\Windows\{CDE016E0-3215-45c9-B911-382A93EA53F7}.exe

Filesize
216KB

MD5
c1dc74ff140b895cfdc2400b87d73f50

SHA1
bcd1fea586438c8071a6b40c1ded844cb0aa9e07

SHA256
1fc2d824053e3c8e8a02516318527dc970d706193721ddfb3b0383950da64878

SHA512
cbc135145902177b48430b3349ed7a2aecebcdfa6b7ef5d601a0dfa1aa914999902f349e88ee6b1f912b6f196c7b4b813fe33437cbdfa676b68a5b659c31a269

Download Submit
C:\Windows\{DAC096FA-375B-426c-8F8B-B3E04CCEA913}.exe

Filesize
216KB

MD5
580488d233e1b82ca5326fc5dea61457

SHA1
facbfcf99b02edc8317a9dbe15e6cbed054153f6

SHA256
dcfe3be66e50821c4933ce7d23d6877edaf7585b600387938edbf69f7823fe59

SHA512
309c3feadd79824297299f5ed7721c20d514d1703669e708a48234d818ffa2c8c2c7cbbaca1a9b424283e1a844c209426a883a73e0797b3a0ec838b724a124c9

Download Submit
C:\Windows\{DFC5D4A2-A20A-4633-B296-C7EAC83821FD}.exe

Filesize
216KB

MD5
de6d41bcf5f6d51cfbe315a31cb7f800

SHA1
6f0acbc9effb9bc2a6dc1e38b07bac59c9dd11c8

SHA256
1577e2345a0bb69b67f42def767317d8d0feebcf11061d982363a1292c0f924e

SHA512
1d1eea5680608b23f59c0a39e78c3d7134c039a3227b0c17565bf470d3beb99872bcdcdff5aabbe5975e77d31b5e8af00b3ad60853298984da8506b16894c7d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads