87dcfdcb46dc4554e7ccd23bfa37a0bf92cef1624062856f8b6edd7a0ca1e1d9

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Size

180KB
MD5

bc5cb5e989627bbd1c16b3a0200be379
SHA1

1821f070f8d0b34f2ce8ab7e5cc2c20b663238c3
SHA256

87dcfdcb46dc4554e7ccd23bfa37a0bf92cef1624062856f8b6edd7a0ca1e1d9
SHA512

56dd0e7f020df9b586fc37e733aa62e900736a19e2972e5ff342b5a170b3e68f98751c27a07b128e6bbaa091afa8d327b4328c476aa5431ee9b531e9ecabab9f
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGol5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FCE8A64-C288-4485-83AD-216AC2962A3A}\stubpath = "C:\\Windows\\{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe"	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}\stubpath = "C:\\Windows\\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe"	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8682B70-8502-4e52-9C20-0016FA09973E}\stubpath = "C:\\Windows\\{B8682B70-8502-4e52-9C20-0016FA09973E}.exe"	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF78CCE-C204-44e4-B995-E86F2E58D518}\stubpath = "C:\\Windows\\{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe"	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FCE8A64-C288-4485-83AD-216AC2962A3A}	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}\stubpath = "C:\\Windows\\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe"	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368E287B-5D3F-43dd-8BED-9C8E060F2110}	{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368E287B-5D3F-43dd-8BED-9C8E060F2110}\stubpath = "C:\\Windows\\{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe"	{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}\stubpath = "C:\\Windows\\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe"	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8682B70-8502-4e52-9C20-0016FA09973E}	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF78CCE-C204-44e4-B995-E86F2E58D518}	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F351A6-F7F6-4356-9E8A-229443CBA988}	{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}\stubpath = "C:\\Windows\\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe"	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}\stubpath = "C:\\Windows\\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe"	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F351A6-F7F6-4356-9E8A-229443CBA988}\stubpath = "C:\\Windows\\{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe"	{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}	{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}\stubpath = "C:\\Windows\\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe"	{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
1348	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
1692	{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
2304	{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
2292	{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
1500	{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe	{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
File created	C:\Windows\{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe	{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
File created	C:\Windows\{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
File created	C:\Windows\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
File created	C:\Windows\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
File created	C:\Windows\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
File created	C:\Windows\{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
File created	C:\Windows\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
File created	C:\Windows\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
File created	C:\Windows\{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
File created	C:\Windows\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe	{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
Token: SeIncBasePriorityPrivilege	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
Token: SeIncBasePriorityPrivilege	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
Token: SeIncBasePriorityPrivilege	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
Token: SeIncBasePriorityPrivilege	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
Token: SeIncBasePriorityPrivilege	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
Token: SeIncBasePriorityPrivilege	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
Token: SeIncBasePriorityPrivilege	1692	{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
Token: SeIncBasePriorityPrivilege	2304	{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
Token: SeIncBasePriorityPrivilege	2292	{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2240	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	28
PID 2440 wrote to memory of 2240	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	28
PID 2440 wrote to memory of 2240	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	28
PID 2440 wrote to memory of 2240	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	28
PID 2440 wrote to memory of 1348	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	29
PID 2440 wrote to memory of 1348	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	29
PID 2440 wrote to memory of 1348	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	29
PID 2440 wrote to memory of 1348	2440	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	29
PID 2240 wrote to memory of 2624	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	30
PID 2240 wrote to memory of 2624	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	30
PID 2240 wrote to memory of 2624	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	30
PID 2240 wrote to memory of 2624	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	30
PID 2240 wrote to memory of 2676	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	31
PID 2240 wrote to memory of 2676	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	31
PID 2240 wrote to memory of 2676	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	31
PID 2240 wrote to memory of 2676	2240	{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe	31
PID 2624 wrote to memory of 2652	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	32
PID 2624 wrote to memory of 2652	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	32
PID 2624 wrote to memory of 2652	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	32
PID 2624 wrote to memory of 2652	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	32
PID 2624 wrote to memory of 2760	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	33
PID 2624 wrote to memory of 2760	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	33
PID 2624 wrote to memory of 2760	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	33
PID 2624 wrote to memory of 2760	2624	{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe	33
PID 2652 wrote to memory of 2552	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	36
PID 2652 wrote to memory of 2552	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	36
PID 2652 wrote to memory of 2552	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	36
PID 2652 wrote to memory of 2552	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	36
PID 2652 wrote to memory of 2956	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	37
PID 2652 wrote to memory of 2956	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	37
PID 2652 wrote to memory of 2956	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	37
PID 2652 wrote to memory of 2956	2652	{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe	37
PID 2552 wrote to memory of 2008	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	38
PID 2552 wrote to memory of 2008	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	38
PID 2552 wrote to memory of 2008	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	38
PID 2552 wrote to memory of 2008	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	38
PID 2552 wrote to memory of 668	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	39
PID 2552 wrote to memory of 668	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	39
PID 2552 wrote to memory of 668	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	39
PID 2552 wrote to memory of 668	2552	{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe	39
PID 2008 wrote to memory of 1048	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	40
PID 2008 wrote to memory of 1048	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	40
PID 2008 wrote to memory of 1048	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	40
PID 2008 wrote to memory of 1048	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	40
PID 2008 wrote to memory of 2496	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	41
PID 2008 wrote to memory of 2496	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	41
PID 2008 wrote to memory of 2496	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	41
PID 2008 wrote to memory of 2496	2008	{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe	41
PID 1048 wrote to memory of 768	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	42
PID 1048 wrote to memory of 768	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	42
PID 1048 wrote to memory of 768	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	42
PID 1048 wrote to memory of 768	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	42
PID 1048 wrote to memory of 2708	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	43
PID 1048 wrote to memory of 2708	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	43
PID 1048 wrote to memory of 2708	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	43
PID 1048 wrote to memory of 2708	1048	{B8682B70-8502-4e52-9C20-0016FA09973E}.exe	43
PID 768 wrote to memory of 1692	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	44
PID 768 wrote to memory of 1692	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	44
PID 768 wrote to memory of 1692	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	44
PID 768 wrote to memory of 1692	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	44
PID 768 wrote to memory of 1680	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	45
PID 768 wrote to memory of 1680	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	45
PID 768 wrote to memory of 1680	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	45
PID 768 wrote to memory of 1680	768	{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
  C:\Windows\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
    C:\Windows\{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
      C:\Windows\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
        
        C:\Windows\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
        
        C:\Windows\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
        
        C:\Windows\{B8682B70-8502-4e52-9C20-0016FA09973E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
        
        C:\Windows\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
        
        C:\Windows\{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
        
        C:\Windows\{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
        
        C:\Windows\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe
        
        C:\Windows\{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe
        12⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{970F7~1.EXE > nul
        12⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79F35~1.EXE > nul
        11⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CF78~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E27~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8682~1.EXE > nul
        8⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FFFB~1.EXE > nul
        7⤵
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E83F~1.EXE > nul
        6⤵
        
        PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE4C~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9FCE8~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C02D~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E83F041-9DFD-4819-85D0-8E9C9D6EBD32}.exe

Filesize
180KB

MD5
248ebcaba2cf3b821e2dc0d86b7eccfa

SHA1
9427d6635b4cd709b57cadd79d056422fd360dd3

SHA256
0abd58ebb54d252898923c60948729494af19baaa3f5c3a2174e07244eff52a1

SHA512
428ec94ccffb0a6a5612fba2269b4a04fc8089e0712882c0bc3a9ff64f09eb99ffcf6c0d58df9981f9d1c527ea883416cc3f3e14fc623e0f062647514fe38c77

Download Submit
C:\Windows\{2CF78CCE-C204-44e4-B995-E86F2E58D518}.exe

Filesize
180KB

MD5
b384c0929c956da37ceaccb04b01f65b

SHA1
b93ab34c29afbe58b14cd12112f0a9bfffc1471a

SHA256
5aa5db18a3d55e4c3e5e5da1c1b2f072b8bd4b8d710e266da144637ce81af7ea

SHA512
83ffbfc9d0e2675bed0dd7b8f9ae1d76d9806e963647b731cf60a72f45d573207c0d1eed0789cc35c48e44394618830a9d3c995bd3a5c681ec54851fb974f99f

Download Submit
C:\Windows\{368E287B-5D3F-43dd-8BED-9C8E060F2110}.exe

Filesize
180KB

MD5
7906a39031ce1e1ae8eda46e814c0b2b

SHA1
ee231e43b87d5a32bb5c1ee867f71e3d507a7e28

SHA256
38a33685276710a9ded72e025f0ee97ec35d42749246e27ce7d71acff097a467

SHA512
68453c8bfdcd2ecebcd069fbc614a681427091a119bc1de6078683254033edd5492f23957a1b849bb87b5ea6efaab0b706dd1778fabeab5dd78448e4a408e1c6

Download Submit
C:\Windows\{6DE4CBFD-F326-4f1c-8723-315971ACACFD}.exe

Filesize
180KB

MD5
390dc53a8f4eae416379e1a347d5dbba

SHA1
6c0313a18b3bfa04e1dc965f62a6540a8494698c

SHA256
1797d5dadc80c0309d9c2c12ca7d5e9e2f11234042ed428bbada810273699d3e

SHA512
366de6308106a1880cfb8c366d0f7fbc65b5a61b2ef58aa49838fd721d060443747fd2200ed80e32baa71e4bda102c360cac91add987a4ea7f237dc34d137c69

Download Submit
C:\Windows\{79F351A6-F7F6-4356-9E8A-229443CBA988}.exe

Filesize
180KB

MD5
d0aca18331b70289df6739f27378aca3

SHA1
b6534484c39003fc84108c215b46dd36a4fab86d

SHA256
b00d69483348e0d5d6d72520a3f5e3e29ffb27e79176b58a5173fb50054ce629

SHA512
95153832fa28e19b49f4363abfeeb104f6d026b05bf02c4104a01d728cc808125c0627f075b907e5dd80ea4b92960580dfbab007ac14f357967c99c197f0884c

Download Submit
C:\Windows\{7C02D631-1338-4ed8-B8A9-1AD4E7FBAC50}.exe

Filesize
180KB

MD5
bd8cf846f4a35a35978abb5a3fe1cc7f

SHA1
aeb12841d3429af50212ce73c4ae662ee59fbccf

SHA256
71e2304dd8a91a1d05898171e8548d05969e176a00b5d2e66ff5fed1783ba56e

SHA512
95eb3c3afafd060b46c04df4e433f99769a6d97619aaf43a011793bf940ad9e3b1d722812c7ba4f12c723d6bf283c836189de3f0ec96a6044b8ee5cf293270dd

Download Submit
C:\Windows\{8FFFBDCF-7F7F-4b21-B5B1-7296D8B550A9}.exe

Filesize
180KB

MD5
9ae6a757e6dff3eae1fcc788021910e0

SHA1
b5cf27161f390cd3688c3820227dad19bec13612

SHA256
33e10121da1c1c62373dd31dec5e7003ea58988f0346715fd6857174d40414c6

SHA512
094ee42e4bbe2d9b83c7f4b91efe6cde2e10cb0b2c6daef9aed871da6e1d1ce71dd0335db743e008fd1395d4d828556ab3ada3fe64eb26c0a56df907c6f293a3

Download Submit
C:\Windows\{970F7AE3-CCA9-4ba7-A4DF-00668F9E813E}.exe

Filesize
180KB

MD5
1bb9895e32d01cd5a838d0f15447372c

SHA1
9d5ddcb8ac606f0b3127cf26e3bee199bf389d35

SHA256
589cf0cc48e35986eeed5ab094019a8c8ecdd9f2bd9b40cda2c7af529d4cf5ce

SHA512
2e2e3c052d41e8a4ab3d39b0c1b306037719d1db209f1ba848d8bfcd0f60b6ced9ad04d607588fecfd9e00040beb3e21e572078e7fac399f1130bfec2ec60cdb

Download Submit
C:\Windows\{9FCE8A64-C288-4485-83AD-216AC2962A3A}.exe

Filesize
180KB

MD5
53e5d0412bd9e843192a2f1575f243cf

SHA1
bcfcca7c9e9d408e68f131217d42fdd890af2c5b

SHA256
930c63cb829e3a5a4e6261e0c1ee3728a0d048ab8c70f84776dd2a10c52e0b45

SHA512
1fca02ef81070db57f8ff09e4d3a7f6203effda064250b0116162f5d7d436008061658dce187f2fac891a1f6a3a30ceaed9cb894201d4add982b073eb523ffb7

Download Submit
C:\Windows\{B8682B70-8502-4e52-9C20-0016FA09973E}.exe

Filesize
180KB

MD5
23f29076dba1e704857773f0e04635f5

SHA1
a506f63bccfd3907e1dc1f9756e5cab295457fd3

SHA256
f93104e2b8b70ba99ea68ff9eed46deabed09eb7fbd49de23eb4c487172af87f

SHA512
04327f8f3877bad5afcc2d12794f91d62e5e8720cf0f31266ccd8d0f8d7499aa67b3916cf80de08af5362e7c9b70790e151a0f93d29de8a1d9ba1a2bdcb49d1b

Download Submit
C:\Windows\{C9E27ED5-8A9B-47d2-B3F4-07FA2131CFB7}.exe

Filesize
180KB

MD5
480841ce9b161faa42edf2f61bdd85b3

SHA1
2e218a7629fc047b7e57bcef543223e60d902bcd

SHA256
1879cdea3c49ea74652b5374a8ce5dff7d1027bd118580b844b0e41fddd6905c

SHA512
d844d334fc8b24c59f6df8d501c665cfa8f10dc29303fd8429e20c69137cf5e71162f5bac9ba6c52702702cb4d9e08954e8b0fa9c82144f4bd2400e46882eaa3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads