c6e9bf8c8066e845375adee83c3cace0ae265d5569888b1c2cae983ebc18d809

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
Size

408KB
MD5

1b41d4db6da40c625c64771281533c80
SHA1

138f71668b7673e842ce4d0459f5dc0da6f00746
SHA256

c6e9bf8c8066e845375adee83c3cace0ae265d5569888b1c2cae983ebc18d809
SHA512

b56aac65d1ac9d1b0e91f4b84772b2b3ddcefeeb8377f2acfe29b7e786f528beb4b1a6d3929c690d58eaf92a3a94e6a29700beefc687f4c4c83c1aadfd1877fd
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3651ABA-B757-49ed-950B-8D05D5B7E310}\stubpath = "C:\\Windows\\{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe"	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}\stubpath = "C:\\Windows\\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe"	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}\stubpath = "C:\\Windows\\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe"	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}\stubpath = "C:\\Windows\\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe"	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{520D6383-EAA8-4d8b-8DF8-917762834D83}\stubpath = "C:\\Windows\\{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe"	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{520D6383-EAA8-4d8b-8DF8-917762834D83}	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}\stubpath = "C:\\Windows\\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe"	{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B1B4A5-059F-47b7-B175-A57DAF310E36}	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}\stubpath = "C:\\Windows\\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe"	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}\stubpath = "C:\\Windows\\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe"	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{006B4001-9793-4367-87F8-210F50E702BC}	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}	{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3651ABA-B757-49ed-950B-8D05D5B7E310}	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}\stubpath = "C:\\Windows\\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe"	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52B1B4A5-059F-47b7-B175-A57DAF310E36}\stubpath = "C:\\Windows\\{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe"	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{006B4001-9793-4367-87F8-210F50E702BC}\stubpath = "C:\\Windows\\{006B4001-9793-4367-87F8-210F50E702BC}.exe"	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}	{006B4001-9793-4367-87F8-210F50E702BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}\stubpath = "C:\\Windows\\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe"	{006B4001-9793-4367-87F8-210F50E702BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
960	{006B4001-9793-4367-87F8-210F50E702BC}.exe
4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
972	{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
1300	{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
File created	C:\Windows\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
File created	C:\Windows\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
File created	C:\Windows\{006B4001-9793-4367-87F8-210F50E702BC}.exe	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
File created	C:\Windows\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe	{006B4001-9793-4367-87F8-210F50E702BC}.exe
File created	C:\Windows\{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
File created	C:\Windows\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe	{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
File created	C:\Windows\{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
File created	C:\Windows\{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
File created	C:\Windows\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
File created	C:\Windows\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
File created	C:\Windows\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
Token: SeIncBasePriorityPrivilege	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
Token: SeIncBasePriorityPrivilege	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
Token: SeIncBasePriorityPrivilege	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
Token: SeIncBasePriorityPrivilege	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
Token: SeIncBasePriorityPrivilege	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
Token: SeIncBasePriorityPrivilege	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
Token: SeIncBasePriorityPrivilege	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
Token: SeIncBasePriorityPrivilege	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe
Token: SeIncBasePriorityPrivilege	4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
Token: SeIncBasePriorityPrivilege	972	{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3068	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	85
PID 3012 wrote to memory of 3068	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	85
PID 3012 wrote to memory of 3068	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	85
PID 3012 wrote to memory of 1660	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	86
PID 3012 wrote to memory of 1660	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	86
PID 3012 wrote to memory of 1660	3012	2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe	86
PID 3068 wrote to memory of 1008	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	87
PID 3068 wrote to memory of 1008	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	87
PID 3068 wrote to memory of 1008	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	87
PID 3068 wrote to memory of 1956	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	88
PID 3068 wrote to memory of 1956	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	88
PID 3068 wrote to memory of 1956	3068	{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe	88
PID 1008 wrote to memory of 2348	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	92
PID 1008 wrote to memory of 2348	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	92
PID 1008 wrote to memory of 2348	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	92
PID 1008 wrote to memory of 2932	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	93
PID 1008 wrote to memory of 2932	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	93
PID 1008 wrote to memory of 2932	1008	{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe	93
PID 2348 wrote to memory of 4136	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	94
PID 2348 wrote to memory of 4136	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	94
PID 2348 wrote to memory of 4136	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	94
PID 2348 wrote to memory of 5048	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	95
PID 2348 wrote to memory of 5048	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	95
PID 2348 wrote to memory of 5048	2348	{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe	95
PID 4136 wrote to memory of 432	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	96
PID 4136 wrote to memory of 432	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	96
PID 4136 wrote to memory of 432	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	96
PID 4136 wrote to memory of 4232	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	97
PID 4136 wrote to memory of 4232	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	97
PID 4136 wrote to memory of 4232	4136	{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe	97
PID 432 wrote to memory of 4888	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	98
PID 432 wrote to memory of 4888	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	98
PID 432 wrote to memory of 4888	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	98
PID 432 wrote to memory of 632	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	99
PID 432 wrote to memory of 632	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	99
PID 432 wrote to memory of 632	432	{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe	99
PID 4888 wrote to memory of 4084	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	100
PID 4888 wrote to memory of 4084	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	100
PID 4888 wrote to memory of 4084	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	100
PID 4888 wrote to memory of 3864	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	101
PID 4888 wrote to memory of 3864	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	101
PID 4888 wrote to memory of 3864	4888	{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe	101
PID 4084 wrote to memory of 5016	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	102
PID 4084 wrote to memory of 5016	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	102
PID 4084 wrote to memory of 5016	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	102
PID 4084 wrote to memory of 2964	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	103
PID 4084 wrote to memory of 2964	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	103
PID 4084 wrote to memory of 2964	4084	{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe	103
PID 5016 wrote to memory of 960	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	104
PID 5016 wrote to memory of 960	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	104
PID 5016 wrote to memory of 960	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	104
PID 5016 wrote to memory of 852	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	105
PID 5016 wrote to memory of 852	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	105
PID 5016 wrote to memory of 852	5016	{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe	105
PID 960 wrote to memory of 4680	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	106
PID 960 wrote to memory of 4680	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	106
PID 960 wrote to memory of 4680	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	106
PID 960 wrote to memory of 2616	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	107
PID 960 wrote to memory of 2616	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	107
PID 960 wrote to memory of 2616	960	{006B4001-9793-4367-87F8-210F50E702BC}.exe	107
PID 4680 wrote to memory of 972	4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe	108
PID 4680 wrote to memory of 972	4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe	108
PID 4680 wrote to memory of 972	4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe	108
PID 4680 wrote to memory of 3380	4680	{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_1b41d4db6da40c625c64771281533c80_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
  C:\Windows\{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
    C:\Windows\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
      C:\Windows\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
        
        C:\Windows\{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Windows\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
        
        C:\Windows\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
        
        C:\Windows\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
        
        C:\Windows\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
        
        C:\Windows\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{006B4001-9793-4367-87F8-210F50E702BC}.exe
        
        C:\Windows\{006B4001-9793-4367-87F8-210F50E702BC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
        
        C:\Windows\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
        
        C:\Windows\{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe
        
        C:\Windows\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe
        13⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{520D6~1.EXE > nul
        13⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29BAB~1.EXE > nul
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{006B4~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FFB6~1.EXE > nul
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4179~1.EXE > nul
        9⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B00A3~1.EXE > nul
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA983~1.EXE > nul
        7⤵
        
        PID:632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52B1B~1.EXE > nul
        6⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FDF~1.EXE > nul
        5⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB3C5~1.EXE > nul
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3651~1.EXE > nul
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{006B4001-9793-4367-87F8-210F50E702BC}.exe

Filesize
408KB

MD5
1507ac9c3bf5d29daa818b3eb5359e1d

SHA1
82e491f9f2f80775bd10c096b3f7d0f5b758301f

SHA256
7f4ee7f9b3a879647fe7f6fbcc56c9637bfa080564e85e451b49fa523be25403

SHA512
29ee809103a376b6d7fdb70a308e0b031c5225cc1bb7ac8916c9be6ec3567a4d1279ae1b73a8d2bb08c42c6051a0baafd0ead84fc0002f76566f40e8c6c1f912

Download Submit
C:\Windows\{0FFB62C0-1095-4db9-99A7-B74B4794DD44}.exe

Filesize
408KB

MD5
05dd0e737da5b9fe68af8e9730930a39

SHA1
2190c518112736f172912ab0e4bcb19a50aaf0a3

SHA256
18ee990de2d3af76cd7f39c82642a1bbfce62acac7dc2f32ae4f3ae90c03ede8

SHA512
b33ca7919d53baf510e96442799963584286b27a24dea8c3fac54d37db96da306ef846883560e97192b4ba7de3ba5b2554318eb11affecce8b794f563e55c3d1

Download Submit
C:\Windows\{1F6C7BAD-9F4E-4c87-851F-A2F619F09E47}.exe

Filesize
408KB

MD5
01807eb93f605374c3ff1e36376ec145

SHA1
97f8c88f1dee1da6a1bc68a1a1e27ab55981bba6

SHA256
1681823daf734900821d3ff28ee88c2b37f4b373bad848f1f0cdf9e0c138cbd6

SHA512
4c3a0bda397cc84f7f567cd942150d3390f79adabc160924146998322e2891f9d8d520b1f0185775d768bf47baba9df0a45d3a982c5510d6cb6a3ad8cf6b5288

Download Submit
C:\Windows\{29BAB8CD-4555-48f0-A66D-AF34EC39FC1A}.exe

Filesize
408KB

MD5
5de2a3ccdeba2dbbacaf687380175727

SHA1
f202dd535a4cf65a23b25cc52fce15e8929cb238

SHA256
752d7b6391874be263e8204599eb2e74f0a5707b897914e71e68342e5a02da58

SHA512
95ae535ab717afa3e2bb654d8f3d24fa305c0589331fbd966cb8cca156d925b7b84471e612fe8fed0ea17b241f5d40541c1205a75d590b29ae8017192f501395

Download Submit
C:\Windows\{520D6383-EAA8-4d8b-8DF8-917762834D83}.exe

Filesize
408KB

MD5
6f02227528defbf435349f58bae191bb

SHA1
03f6fdce2692dfb1efc7f9e2c1448477579d4e4a

SHA256
2706da6989f5a965125c9be64def8843fe2a53f07418160ea93001eef3b3bb65

SHA512
778a5f087474494937f5ca2e10198c96d59fed476b684c3a4f9e77d38a080996ba60aaa7b2257cbe7bc866c7a6ad091c7fa65b5bcc9807d7a9f02b196b9a5ff6

Download Submit
C:\Windows\{52B1B4A5-059F-47b7-B175-A57DAF310E36}.exe

Filesize
408KB

MD5
3552d0808618a022fa2933d197b5b3e4

SHA1
ec52f08fc4e1586932d934b6f4726292e0287038

SHA256
9cb438c6016cf0f67040cb9fe20ad402cbc58b6ff0b28fceda37b07e6fdd4ee0

SHA512
06e8d435db0a016647377d555e3d66a0e4f3e1e23158b4c8f31d3912b0c3f2d356e272ab8d5f2bdddf68250c80cd391d342bd288d0afab4e3be2da74ec409f45

Download Submit
C:\Windows\{60FDF2F4-0FC6-4b6c-B3C2-62BBA4137F8A}.exe

Filesize
408KB

MD5
85f9a4f35735f6d0b065bd040191186d

SHA1
e17075a5ecf35ec84d557f7610788a3dcad5315e

SHA256
f67aceb832ded172696a58af857ee05ea95ce0a62ff4ce233f73a49476f91227

SHA512
1a3b9aa938683a3ee148db7fa9f1ecfcec10f60a3763c6fff6184c804d18a56a26952e5b57739e9286d343fb3e34b641c0be8f5af54d3cc047aaafbc09cdf0aa

Download Submit
C:\Windows\{B00A3761-FF32-4b72-8157-6D8DFD1E1485}.exe

Filesize
408KB

MD5
f1a318e733430c1fff957070c1b65743

SHA1
126e386f5e888a86e6d49abfb16fd3a9e8ece9d6

SHA256
710e4d423f9f5f7410b2d5098de1901fd65be99ec7c1d038ed5714b9fb84038f

SHA512
e12f4d8d0a4f12481bf87d526b26a1b2798cbf4502dc7b2c5f418cd664bff4533cea4abbee14f1977322db87f63e4a42dc93474416fa084c86b7e5406a068549

Download Submit
C:\Windows\{B4179313-F2F8-4fc5-BFA2-CAF6234BC677}.exe

Filesize
408KB

MD5
26ace81c5e52b912fb05d1cbb2c8d154

SHA1
40f424dafc613c2e3ff4a02f8d237c78a1dc7ec6

SHA256
dd141cc0cec37d721c8b6ca94c56e7f329ca0e81a69f4054d04184d80f575915

SHA512
b75868b2765c4c3c1d0e34fac7df0d207dcea9b451b32dfa2f7f33411cdef7762dd04133e2790095c3cf5f01bb763396228e63a7cd8112f312f610b1d6bb4d0e

Download Submit
C:\Windows\{BB3C5D8C-73C5-4b48-8399-1A5993E3409C}.exe

Filesize
408KB

MD5
88d6add87fd78f38632fc279baef09af

SHA1
746e667255b739fd3a1796eed358b24f6dd405a2

SHA256
800d778f618ad38e77e5e6ff5354df55e577be2db753354b5ac9cbeb3f154a11

SHA512
10fb566590713677ca130134e60ee57e5f821305c9e7308de15103fd5844c6742b67bfb19e8945ba68a930098495474487b196a31434aeea927b8f7b9747fff6

Download Submit
C:\Windows\{DA983730-CE21-4b27-91C5-DDA626DB2B8A}.exe

Filesize
408KB

MD5
051dc7ceb36c71821fb519e71c9a0876

SHA1
ff2d88d85da9cd0d1671b2db8c72d1be1cefdcef

SHA256
4f6c804ee96a0172bbd5941d138ad021073f63c7f6b9f98302492527089624f0

SHA512
be75fcf8ac87fe351b38cb60491ad9f8f91297b2419107e3af82761a8d783def2cd9330f30632539ac794e04330e058f819c34f129baec8914e4e5f55435bb82

Download Submit
C:\Windows\{E3651ABA-B757-49ed-950B-8D05D5B7E310}.exe

Filesize
408KB

MD5
4f3acb3773f9fccff22dd7832c9b04d7

SHA1
f47065ab320e086e599eb3979332ac02a8f58d44

SHA256
5aa666953f73b721f8a1d8229766651c9cd052e22b553d750671d5934e354e36

SHA512
9b127ebc5abe0737d31e39c5973547a7556cd034e4d49f815faf9007db6643b2f6394b89dfef4810b553e471c2dfc1ed75376e3843f4c2e96166117492e95410

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads