87dcfdcb46dc4554e7ccd23bfa37a0bf92cef1624062856f8b6edd7a0ca1e1d9

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Size

180KB
MD5

bc5cb5e989627bbd1c16b3a0200be379
SHA1

1821f070f8d0b34f2ce8ab7e5cc2c20b663238c3
SHA256

87dcfdcb46dc4554e7ccd23bfa37a0bf92cef1624062856f8b6edd7a0ca1e1d9
SHA512

56dd0e7f020df9b586fc37e733aa62e900736a19e2972e5ff342b5a170b3e68f98751c27a07b128e6bbaa091afa8d327b4328c476aa5431ee9b531e9ecabab9f
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGol5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C32EED55-3EE8-483f-B2BC-06078E4329FB}\stubpath = "C:\\Windows\\{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe"	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}\stubpath = "C:\\Windows\\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe"	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}\stubpath = "C:\\Windows\\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe"	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}\stubpath = "C:\\Windows\\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe"	{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC7B2D3-F686-4593-B54A-4B662A427036}	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC7B2D3-F686-4593-B54A-4B662A427036}\stubpath = "C:\\Windows\\{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe"	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}\stubpath = "C:\\Windows\\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe"	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}\stubpath = "C:\\Windows\\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe"	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}\stubpath = "C:\\Windows\\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe"	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}\stubpath = "C:\\Windows\\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe"	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}\stubpath = "C:\\Windows\\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe"	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}\stubpath = "C:\\Windows\\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe"	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}\stubpath = "C:\\Windows\\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe"	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}	{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C32EED55-3EE8-483f-B2BC-06078E4329FB}	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe

Executes dropped EXE 12 IoCs

pid	Process
2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
4524	{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
1200	{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe	{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
File created	C:\Windows\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
File created	C:\Windows\{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
File created	C:\Windows\{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
File created	C:\Windows\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
File created	C:\Windows\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
File created	C:\Windows\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
File created	C:\Windows\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
File created	C:\Windows\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
File created	C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
File created	C:\Windows\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
File created	C:\Windows\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
Token: SeIncBasePriorityPrivilege	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
Token: SeIncBasePriorityPrivilege	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
Token: SeIncBasePriorityPrivilege	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
Token: SeIncBasePriorityPrivilege	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
Token: SeIncBasePriorityPrivilege	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
Token: SeIncBasePriorityPrivilege	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Token: SeIncBasePriorityPrivilege	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
Token: SeIncBasePriorityPrivilege	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
Token: SeIncBasePriorityPrivilege	4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
Token: SeIncBasePriorityPrivilege	4524	{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2992	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	85
PID 1720 wrote to memory of 2992	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	85
PID 1720 wrote to memory of 2992	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	85
PID 1720 wrote to memory of 4532	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	86
PID 1720 wrote to memory of 4532	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	86
PID 1720 wrote to memory of 4532	1720	2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe	86
PID 2992 wrote to memory of 3552	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	90
PID 2992 wrote to memory of 3552	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	90
PID 2992 wrote to memory of 3552	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	90
PID 2992 wrote to memory of 1204	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	91
PID 2992 wrote to memory of 1204	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	91
PID 2992 wrote to memory of 1204	2992	{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe	91
PID 3552 wrote to memory of 1352	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	94
PID 3552 wrote to memory of 1352	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	94
PID 3552 wrote to memory of 1352	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	94
PID 3552 wrote to memory of 4084	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	95
PID 3552 wrote to memory of 4084	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	95
PID 3552 wrote to memory of 4084	3552	{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe	95
PID 1352 wrote to memory of 904	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	96
PID 1352 wrote to memory of 904	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	96
PID 1352 wrote to memory of 904	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	96
PID 1352 wrote to memory of 540	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	97
PID 1352 wrote to memory of 540	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	97
PID 1352 wrote to memory of 540	1352	{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe	97
PID 904 wrote to memory of 380	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	98
PID 904 wrote to memory of 380	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	98
PID 904 wrote to memory of 380	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	98
PID 904 wrote to memory of 4548	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	99
PID 904 wrote to memory of 4548	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	99
PID 904 wrote to memory of 4548	904	{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe	99
PID 380 wrote to memory of 1816	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	100
PID 380 wrote to memory of 1816	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	100
PID 380 wrote to memory of 1816	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	100
PID 380 wrote to memory of 3084	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	101
PID 380 wrote to memory of 3084	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	101
PID 380 wrote to memory of 3084	380	{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe	101
PID 1816 wrote to memory of 4248	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	102
PID 1816 wrote to memory of 4248	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	102
PID 1816 wrote to memory of 4248	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	102
PID 1816 wrote to memory of 3900	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	103
PID 1816 wrote to memory of 3900	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	103
PID 1816 wrote to memory of 3900	1816	{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe	103
PID 4248 wrote to memory of 4396	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	104
PID 4248 wrote to memory of 4396	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	104
PID 4248 wrote to memory of 4396	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	104
PID 4248 wrote to memory of 2700	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	105
PID 4248 wrote to memory of 2700	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	105
PID 4248 wrote to memory of 2700	4248	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	105
PID 4396 wrote to memory of 2468	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	106
PID 4396 wrote to memory of 2468	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	106
PID 4396 wrote to memory of 2468	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	106
PID 4396 wrote to memory of 544	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	107
PID 4396 wrote to memory of 544	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	107
PID 4396 wrote to memory of 544	4396	{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe	107
PID 2468 wrote to memory of 4940	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	108
PID 2468 wrote to memory of 4940	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	108
PID 2468 wrote to memory of 4940	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	108
PID 2468 wrote to memory of 784	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	109
PID 2468 wrote to memory of 784	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	109
PID 2468 wrote to memory of 784	2468	{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe	109
PID 4940 wrote to memory of 4524	4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe	110
PID 4940 wrote to memory of 4524	4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe	110
PID 4940 wrote to memory of 4524	4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe	110
PID 4940 wrote to memory of 3188	4940	{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_bc5cb5e989627bbd1c16b3a0200be379_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
  C:\Windows\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
    C:\Windows\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
      C:\Windows\{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
        
        C:\Windows\{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Windows\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
        
        C:\Windows\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
        
        C:\Windows\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
        
        C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
        
        C:\Windows\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
        
        C:\Windows\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
        
        C:\Windows\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
        
        C:\Windows\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe
        
        C:\Windows\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe
        13⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97DC1~1.EXE > nul
        13⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55CB6~1.EXE > nul
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC30~1.EXE > nul
        11⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4A31~1.EXE > nul
        10⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0ABA~1.EXE > nul
        9⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EA35~1.EXE > nul
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA37C~1.EXE > nul
        7⤵
        
        PID:3084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C32EE~1.EXE > nul
        6⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC7B~1.EXE > nul
        5⤵
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5DB5~1.EXE > nul
      4⤵
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C9810~1.EXE > nul
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EA35045-02A2-4711-B2E7-7ACFFC7945A5}.exe

Filesize
180KB

MD5
69f40edcaade49f4bca284afdf51b0aa

SHA1
98ca283ea4b699ca1ec64e06bcb9290f6b7255f9

SHA256
377d6ed4e743ddef4fbcd7d296995376e73ad2903d078760c535243ed7e2e57d

SHA512
e25f69a38f8ce05bdf09af60d00ebee3ba2654b14bf5190420b4619d99a9b7c2185c9f0a353666cbe2acb7f2dcd11f55cb409476dea549341a728af9d127f7d3

Download Submit
C:\Windows\{4DC304D5-0AA9-4fe2-83A7-F17EF8D0ED73}.exe

Filesize
180KB

MD5
03818b9a27a7034c45c2141c9165fa56

SHA1
9f530bb9efe0601989e3b09bc5ed7b38409ce577

SHA256
2f423dca3f7b42e64af177654f56a9176a2a1dfeb3337b376280dce0fd8cd1ea

SHA512
91daa1bf3a5c098e86177f749070ad4a757e87e8929ecfc8c2635bc3ba0fe0182d119734dce641c52acad26b579960f395f0c91b7dae9d81419d8db69b2484ba

Download Submit
C:\Windows\{4DC7B2D3-F686-4593-B54A-4B662A427036}.exe

Filesize
180KB

MD5
4b347422b998d036bb5fd9a4479f7b2f

SHA1
23232f22cdaf6c40ffb126bd1e403b7a23a81d08

SHA256
4e6eff629c3a7dc8ab2e4777921e5a46ca1378b52904307e8f8967ced7eecb19

SHA512
668cf7e308ff5504ab09a7d264fb94c3531f1ddb06ac4976b60ed562c18ff563f80e5226befabd9393f84e6a9a2c20e34d9ee0f6ba1ad81eebca486189fb5553

Download Submit
C:\Windows\{55CB65FE-3D1A-4da3-9164-245E53E6F9D7}.exe

Filesize
180KB

MD5
cb46ab8b4eb80563419f7a83bc10cb6d

SHA1
d65c60ffc72adbb9098ad264fc2609b52b422713

SHA256
08a186881b07211b0fa7fa4bd710a95c355edb14ce0c03ab050ff2686d553f62

SHA512
bdf43634f6b618f4b3ce1bd435055ca73847ec26810d53f6ffc3936bce12b0b2ad535955038aefd5ee8bbbda10a48ec040ea09316e5a56ea70003bbab331a632

Download Submit
C:\Windows\{84A8C948-42B5-4f28-9EB5-4B2DE8722370}.exe

Filesize
180KB

MD5
49b5d92196ef051993825af407d774b6

SHA1
ee9f41c94ee29b21d771c4b0317d2deb7c282fdb

SHA256
56a0cc93e220d04d8e73a57550d1c18bf5ea6be864fdc8ca892ab7e29b2829a3

SHA512
29d7dd5050e4f380a88dcdc000ebc16ee8f841eb0d9a5c1d37f2f9cb21f0548d66b442951151b1cd304c205de130b869c70b8ee17f8124b3b051ff295c3f2f51

Download Submit
C:\Windows\{97DC1C07-07D6-4f9e-820A-9EFC3B9CD627}.exe

Filesize
180KB

MD5
fdb60aac94ba2fd0e7a738cfb091fa4b

SHA1
2682ffe5bf942ce5f3bd77738403a334d68e4391

SHA256
8ec5cd1d7bd4383d92f0883c993cac8c047a14a7032f4afa2cc996906eda511d

SHA512
ab736db3a8560edecb81ab7e5b1bb10d7d7e0dd392ebe38941a8a5ad0250f9877c76b63c8c90ba72eeb05f44d5b1a194e4c754ce415889e55fd9d969d7a920f9

Download Submit
C:\Windows\{C32EED55-3EE8-483f-B2BC-06078E4329FB}.exe

Filesize
180KB

MD5
66671f55defa71d6c63627fe442a5a3f

SHA1
c769ed7563f3a0eda9894c017a34b497276d8840

SHA256
6cbce28cb287fd080828e3a1a54b7a8cdcf8884b5aecacf433d8af0e4d16d6ca

SHA512
51aa8510f2a24d5fb98f31261bb07cfcae467bdc80d0c5dc10dbf2efdee40486b47b3872b0d55e003300f3cc3d6dc213e24b7d5133882168860eca4fc9c68d72

Download Submit
C:\Windows\{C98105AF-2994-486e-9C03-B2F0CCAEDB26}.exe

Filesize
180KB

MD5
859f6d8dc846c30aa6356f76debbc3a6

SHA1
b64f4d30e1c628ce88523b76f5c53aea7b444b6c

SHA256
611e57c365df7b83d13a69b7045e4876266d6186ed0ff4ad61dc8bd556e3e562

SHA512
85ce792bbb9376827f5109be68854d8f053803be564d05eabe9da2072ed0fa68e44acd180451549df0be25ec670474350e8bb25b03d0a8b9d67a0232314c182c

Download Submit
C:\Windows\{CA37CCD5-E366-49ca-BDFF-C72CE81C6076}.exe

Filesize
180KB

MD5
209fb04dcbbf06c12e937b745036c8cb

SHA1
02424779fc4be8d8905abf5db841f8ffe7c05af2

SHA256
4fbb0dc7b4ba987d01b989694749554ae66cd086e82bfae50229a19ef96aa829

SHA512
90c221d97a3860aa01f4bad862913426582f2083481542dfc6365416e21dd64e9104ca8416c077cdb8a4d5eace24e5566e4d0f9213d04bdc4dd6d8476971325c

Download Submit
C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe

Filesize
180KB

MD5
384fc548b8e1052c75fa1d1e92e29c6e

SHA1
d6e1e6323269b232b99d4a802f4ea3abab51a086

SHA256
906fca499db115be7242472afad42c63ce1bf758c3c4450ea3a8fb4c5561ab49

SHA512
a09f44ee50c63a0e91560219b5e18925f74df2c9a0e192c5215472f49b57e25d1317e7c33efd543be71a19062d2f565bb9f21a215801764d61955c73c2bf4adc

Download Submit
C:\Windows\{E4A3160F-1A55-476d-97A2-D6BBC4D5E585}.exe

Filesize
180KB

MD5
d2798d2e87823fb4ac2ffb5e7f97d03e

SHA1
ebf3e71076c38060df2b91df63a2196a44b8778b

SHA256
c94f98f3711a795eda6990394b17a2b3998cebfa4afd81cf829d55e7dac66c5a

SHA512
0fac203c7098e6830f8ec665b10a88f7d4248a09471b3b2efa54edd3fb279a2b04159084a76b4523bc53e9339a21580121e8913d58c1e7ec20c3a60361eec4f1

Download Submit
C:\Windows\{E5DB53C9-F40C-4972-8572-6FC986CD10C1}.exe

Filesize
180KB

MD5
dcfad707c92619fefde3dcd0be1ee1af

SHA1
678ee734d10528bf37882a00064001f380ad895f

SHA256
484da0efb200d3fbb8017740d85ba2b08dc5b3a8c582d1a2b7b0b6280fd51707

SHA512
ecb8d6681b23a388d85e5fc0da4116dda54065463ba990743ad971c18f1acf0ca7435a3564b984b49cad8167a3f677abb098c38c4b5bfeac57410da4388958e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads