8e811f130100ffd084bff99c03aa0fa6793b3f8b0b9d8510608fba535d1307f7

Analysis

max time kernel
149s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Size

192KB
MD5

d2d67417eb9b04798aaedd17f8ab53cf
SHA1

9b8dabf83d13b5042eefb10a2dfe787a35574fb4
SHA256

8e811f130100ffd084bff99c03aa0fa6793b3f8b0b9d8510608fba535d1307f7
SHA512

bdc514a91ff31ebe669382135f23bc879d5aadb14624e52d3f563d343c5348f53e4a0355047978de17a9fe43c6f328eeefe82957a83376147f2069dea17c494d
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oUl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE036EA-6DCA-4301-9646-3EB97768C06D}\stubpath = "C:\\Windows\\{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe"	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37E9124-B45D-485b-A823-F283794B4E6E}	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}\stubpath = "C:\\Windows\\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe"	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{703D63F8-919F-465d-99A7-A1221C755FE8}\stubpath = "C:\\Windows\\{703D63F8-919F-465d-99A7-A1221C755FE8}.exe"	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82EC7A6A-129F-45b2-A890-4F47E95957B0}\stubpath = "C:\\Windows\\{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe"	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0684DF1D-B509-40d7-9390-10742599F378}\stubpath = "C:\\Windows\\{0684DF1D-B509-40d7-9390-10742599F378}.exe"	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}	{0684DF1D-B509-40d7-9390-10742599F378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A983F957-0541-4e08-A5D2-382D8F1D1781}\stubpath = "C:\\Windows\\{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe"	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}\stubpath = "C:\\Windows\\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe"	{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}\stubpath = "C:\\Windows\\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe"	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}\stubpath = "C:\\Windows\\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe"	{0684DF1D-B509-40d7-9390-10742599F378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE036EA-6DCA-4301-9646-3EB97768C06D}	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{703D63F8-919F-465d-99A7-A1221C755FE8}	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0684DF1D-B509-40d7-9390-10742599F378}	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A983F957-0541-4e08-A5D2-382D8F1D1781}	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}\stubpath = "C:\\Windows\\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe"	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}	{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}\stubpath = "C:\\Windows\\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe"	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82EC7A6A-129F-45b2-A890-4F47E95957B0}	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37E9124-B45D-485b-A823-F283794B4E6E}\stubpath = "C:\\Windows\\{E37E9124-B45D-485b-A823-F283794B4E6E}.exe"	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe
1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
4504	{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
4360	{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
File created	C:\Windows\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe	{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
File created	C:\Windows\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
File created	C:\Windows\{0684DF1D-B509-40d7-9390-10742599F378}.exe	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
File created	C:\Windows\{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
File created	C:\Windows\{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
File created	C:\Windows\{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
File created	C:\Windows\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
File created	C:\Windows\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
File created	C:\Windows\{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
File created	C:\Windows\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	{0684DF1D-B509-40d7-9390-10742599F378}.exe
File created	C:\Windows\{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
Token: SeIncBasePriorityPrivilege	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
Token: SeIncBasePriorityPrivilege	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
Token: SeIncBasePriorityPrivilege	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe
Token: SeIncBasePriorityPrivilege	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
Token: SeIncBasePriorityPrivilege	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
Token: SeIncBasePriorityPrivilege	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
Token: SeIncBasePriorityPrivilege	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
Token: SeIncBasePriorityPrivilege	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
Token: SeIncBasePriorityPrivilege	3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
Token: SeIncBasePriorityPrivilege	4504	{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1252	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	81
PID 4936 wrote to memory of 1252	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	81
PID 4936 wrote to memory of 1252	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	81
PID 4936 wrote to memory of 4640	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	82
PID 4936 wrote to memory of 4640	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	82
PID 4936 wrote to memory of 4640	4936	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	82
PID 1252 wrote to memory of 4336	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	83
PID 1252 wrote to memory of 4336	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	83
PID 1252 wrote to memory of 4336	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	83
PID 1252 wrote to memory of 1240	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	84
PID 1252 wrote to memory of 1240	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	84
PID 1252 wrote to memory of 1240	1252	{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe	84
PID 4336 wrote to memory of 2192	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	90
PID 4336 wrote to memory of 2192	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	90
PID 4336 wrote to memory of 2192	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	90
PID 4336 wrote to memory of 1884	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	91
PID 4336 wrote to memory of 1884	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	91
PID 4336 wrote to memory of 1884	4336	{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe	91
PID 2192 wrote to memory of 1396	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	94
PID 2192 wrote to memory of 1396	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	94
PID 2192 wrote to memory of 1396	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	94
PID 2192 wrote to memory of 1120	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	95
PID 2192 wrote to memory of 1120	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	95
PID 2192 wrote to memory of 1120	2192	{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe	95
PID 1396 wrote to memory of 1416	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	96
PID 1396 wrote to memory of 1416	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	96
PID 1396 wrote to memory of 1416	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	96
PID 1396 wrote to memory of 2560	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	97
PID 1396 wrote to memory of 2560	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	97
PID 1396 wrote to memory of 2560	1396	{0684DF1D-B509-40d7-9390-10742599F378}.exe	97
PID 1416 wrote to memory of 3656	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	98
PID 1416 wrote to memory of 3656	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	98
PID 1416 wrote to memory of 3656	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	98
PID 1416 wrote to memory of 4604	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	99
PID 1416 wrote to memory of 4604	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	99
PID 1416 wrote to memory of 4604	1416	{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe	99
PID 3656 wrote to memory of 3528	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	100
PID 3656 wrote to memory of 3528	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	100
PID 3656 wrote to memory of 3528	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	100
PID 3656 wrote to memory of 2488	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	101
PID 3656 wrote to memory of 2488	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	101
PID 3656 wrote to memory of 2488	3656	{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe	101
PID 3528 wrote to memory of 1480	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	102
PID 3528 wrote to memory of 1480	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	102
PID 3528 wrote to memory of 1480	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	102
PID 3528 wrote to memory of 436	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	103
PID 3528 wrote to memory of 436	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	103
PID 3528 wrote to memory of 436	3528	{E37E9124-B45D-485b-A823-F283794B4E6E}.exe	103
PID 1480 wrote to memory of 2056	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	104
PID 1480 wrote to memory of 2056	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	104
PID 1480 wrote to memory of 2056	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	104
PID 1480 wrote to memory of 1648	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	105
PID 1480 wrote to memory of 1648	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	105
PID 1480 wrote to memory of 1648	1480	{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe	105
PID 2056 wrote to memory of 3292	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	106
PID 2056 wrote to memory of 3292	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	106
PID 2056 wrote to memory of 3292	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	106
PID 2056 wrote to memory of 2544	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	107
PID 2056 wrote to memory of 2544	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	107
PID 2056 wrote to memory of 2544	2056	{703D63F8-919F-465d-99A7-A1221C755FE8}.exe	107
PID 3292 wrote to memory of 4504	3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe	108
PID 3292 wrote to memory of 4504	3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe	108
PID 3292 wrote to memory of 4504	3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe	108
PID 3292 wrote to memory of 740	3292	{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
  C:\Windows\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
    C:\Windows\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
      C:\Windows\{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\{0684DF1D-B509-40d7-9390-10742599F378}.exe
        
        C:\Windows\{0684DF1D-B509-40d7-9390-10742599F378}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
        
        C:\Windows\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
        
        C:\Windows\{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
        
        C:\Windows\{E37E9124-B45D-485b-A823-F283794B4E6E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
        
        C:\Windows\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
        
        C:\Windows\{703D63F8-919F-465d-99A7-A1221C755FE8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
        
        C:\Windows\{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
        
        C:\Windows\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe
        
        C:\Windows\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe
        13⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{911E6~1.EXE > nul
        13⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A983F~1.EXE > nul
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{703D6~1.EXE > nul
        11⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB670~1.EXE > nul
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E37E9~1.EXE > nul
        9⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AE03~1.EXE > nul
        8⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD1E~1.EXE > nul
        7⤵
        
        PID:4604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0684D~1.EXE > nul
        6⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82EC7~1.EXE > nul
        5⤵
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0064F~1.EXE > nul
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B52~1.EXE > nul
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0064F3A2-EE3D-43f4-A590-1FE5C1E719C4}.exe

Filesize
192KB

MD5
ac27355969d5e590a63312f5a46639eb

SHA1
1d60581ce1e693425373a3b95d6132b266dc02f4

SHA256
0e47ca7bbbe53cb4fdf5eaa0e80a4ccb5ef835e5a8f40ec0e355cb30cff9dbdb

SHA512
67e815ecc075f73528b16081b24285806f2a45eaa9520422f5386dde76ad79fe9df1ff0cebd0ddb5ab7d8b4bfc78df3a16c9f874e6e322e47c52f7cf75ccaad4

Download Submit
C:\Windows\{0684DF1D-B509-40d7-9390-10742599F378}.exe

Filesize
192KB

MD5
fcdf99893fafff1a844eb85bdebb8d7d

SHA1
71c07f0ef6542101fbbcc949b43184d01f721273

SHA256
db6bffaced20c02aa2e69006e0ed5ecfb401bb05fe9d9a2bac0fe19878727845

SHA512
b58a9552985105c4da1fff1ce0780d44c075839b481c347e07313359f1a0ebd987d7efc869ce0bbab860c52141b8d77a010c9f159f29998c7ac50a100037a670

Download Submit
C:\Windows\{1AE036EA-6DCA-4301-9646-3EB97768C06D}.exe

Filesize
192KB

MD5
c4152ac1d0dbabd6770143f55305192b

SHA1
d3bafaca96a4ca05d648a49cd52afb1cdf16eee8

SHA256
8387e2e52886ad1ef942e2dc5d8e039ac4ee16a9cce873ef1e0ba356ce90492b

SHA512
ce66a3c75c783e47e06db39e66262720fa1370e3be91519948a42abdb8e48aeec0959550f852f41647f76c79cbeb67ab74e28cebb92db4573464919e1c1cc519

Download Submit
C:\Windows\{703D63F8-919F-465d-99A7-A1221C755FE8}.exe

Filesize
192KB

MD5
85b3227412e8f626eed05ebcc7346df4

SHA1
5bc322f01488ce1993d09f485f43b02e4d801a32

SHA256
e52834c1dfc1451823c0678470fa0b5511aed78dab9a4245de0377e744ad9092

SHA512
a3e1fa94045d48783ebd99f56861eeb3f5dd469ff315bee16938bcc34d5cd0e34dc4dde59fd9c28e5e926241012f39f8e821a07cb489275afefbe7f5ab9d08be

Download Submit
C:\Windows\{82EC7A6A-129F-45b2-A890-4F47E95957B0}.exe

Filesize
192KB

MD5
ffda93eaedf037a228da0b81cb649563

SHA1
faeae0735688f89438bcebbdf9d0b96fe2c7350a

SHA256
a6b0baba620da75e5cc85f09c4847050275a07ca30088a503f41c16c8e5cb9c6

SHA512
444c8c6da3767aac966c0d1466799853c7178374cf9e91b48b6364ed8ce94c4d7595297d454ea8c290e9f41c85a084bfd9abe8a06a4b162b6291e8bba6791541

Download Submit
C:\Windows\{8A8FE9E1-D3B0-4bfb-AD68-6185D68913C9}.exe

Filesize
192KB

MD5
4dacee73396f6540654c0d624e0fc2ff

SHA1
05b8a339850b9b13d250da06c6f01bc26e100bf7

SHA256
1d3ba5de77c1b1b454133fbf584cfb87b8b3fcedfb2b0b4ab2f65baddcc46599

SHA512
418265edcfe6fe2f1660886d45ae19f2eb652f1bf9c1e85b23a9e802fd7915addb79dde0e8377bcad5535bb99a527568b4e9fd9d91499653851bb4eaafa55136

Download Submit
C:\Windows\{911E6D7E-91A1-44f4-8A85-224B22D0DF96}.exe

Filesize
192KB

MD5
f7e4e4c99bacc3bab78c5908f112bf5d

SHA1
22423617d0ceb663e6dfecd2ddff0d79aa0006ef

SHA256
e7f2df557614f6ed511db3399513b91aa522371bc99a8b988c22e3f3afa5fb8a

SHA512
af7e3714faab2db12b974c367b51ab9b113c4b2eb848244a3a6e5d8c511f12baea6a5ea7b408a0e2d8dc7c0548137d887b86a460ce7d3723941b9c4b7e0aacae

Download Submit
C:\Windows\{A983F957-0541-4e08-A5D2-382D8F1D1781}.exe

Filesize
192KB

MD5
d5e097ebcd37cbf107d71ee54a856053

SHA1
9a2166f1cf2446587d25eb57a95d63da88072001

SHA256
232e71b3a6a1c8a87147dabe9e6824e71eca3db1a6591590b01624f3927dbfb0

SHA512
e4e385561adbabd039bbad234cac61a714b18acd2be2d15dad4b547c30de849411181c97e4da98bc956fe73ae20bc34cad9388c9a160427afd750b29ae0f156b

Download Submit
C:\Windows\{ACD1EAB8-3C44-4b6b-9137-7B86E260A434}.exe

Filesize
192KB

MD5
da64b70e92bfeb779d484de189dce235

SHA1
cb36361240ac4d77c6972f71f072160566e7a3e2

SHA256
2aa258730656b0208253d65330ec9a7d33863230cd8cab9e52507ff1e1c7d890

SHA512
f5b8f0579c6c8d5a467aa0e59611089c1fdbfad76583abf72a10942e4d47390c59eead7e4937b67705a0f9911ac3e9352b9284ccf873c482bd701b575746cca1

Download Submit
C:\Windows\{BB670B6B-E9E2-4256-9A8E-5C633D1E8E5D}.exe

Filesize
192KB

MD5
378ce1649c0094ad5d68de809185099f

SHA1
ec322ac55e12ac0bb50d113e5a234248a9324112

SHA256
09b3a9a363770e3ef5c84adbcb4f671c3fdde91004acc0c4ebc171869e4e2831

SHA512
27322a957f831f44dc28f13f3e88984b337ff15c27604dc45f36b101e31d6dfe0964a44ad28c47c55e259a098961bcef527667f06a862b9d3580483757495b5f

Download Submit
C:\Windows\{D6B52577-0930-43b8-AB95-B2B4D5201E4D}.exe

Filesize
192KB

MD5
7b7e7e224a703e9d05d645c67b403da1

SHA1
0d5c1b029adab8b33bedaf3ffc4a9506f564d8c2

SHA256
f6f696c03b0392049cd52b7edce3c5f42d3d8cc2edc45b6584a18d5de71c86bf

SHA512
13df070fc271feba057a5c1c22e7b2cbf025e6d2d2333147547c82ffe715f2133aac6aa9e6a20923d16f066bdb6acf672310bdad92c31457063aa9b4cdcd1cfd

Download Submit
C:\Windows\{E37E9124-B45D-485b-A823-F283794B4E6E}.exe

Filesize
192KB

MD5
faa4ec11a8a44bfa85640cfc613b9e3e

SHA1
474ad1faf13e957a70745692473fc09dbac4fb9d

SHA256
2e5697dc9d6d9e309777eec57ef75a2ebe2cb097f3767cee5e500873fccbd2f0

SHA512
4824ee5a7a1884832d4401163f50fa7fb8703335fc7ab90c257df15d4e553de48379960caaefbef2a8e006b10b4f7073833b2f73b25dea6e5adf88fe16974077

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads