de3f78fbc8965be3a6c1b5de310d76b6ef8bc622c2f124a91531d8816a7093b8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Size

344KB
MD5

5a4391a560fdb980b144143891e788c8
SHA1

d4ae6706a59d6a77fdcf7a7d111c15d4bf474880
SHA256

de3f78fbc8965be3a6c1b5de310d76b6ef8bc622c2f124a91531d8816a7093b8
SHA512

7a72a4a7de7d8ef6e6731f261f408f1168354fd3929eeb6dcb76f686cd4727043b9a86cd7382cedfb1a2fe6e24c59b4658e07b762f38d3f50874ec930b91e2ac
SSDEEP

3072:mEGh0oflEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}\stubpath = "C:\\Windows\\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe"	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}\stubpath = "C:\\Windows\\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe"	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}\stubpath = "C:\\Windows\\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe"	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE10209B-D7F9-439d-8F52-A63D15253B6B}\stubpath = "C:\\Windows\\{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe"	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}	{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F10546-1B1B-4167-A231-FB5CE855F170}\stubpath = "C:\\Windows\\{19F10546-1B1B-4167-A231-FB5CE855F170}.exe"	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}\stubpath = "C:\\Windows\\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe"	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE10209B-D7F9-439d-8F52-A63D15253B6B}	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}\stubpath = "C:\\Windows\\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe"	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}\stubpath = "C:\\Windows\\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe"	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F10546-1B1B-4167-A231-FB5CE855F170}	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}\stubpath = "C:\\Windows\\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe"	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}\stubpath = "C:\\Windows\\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe"	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}\stubpath = "C:\\Windows\\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe"	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}\stubpath = "C:\\Windows\\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe"	{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe

Executes dropped EXE 12 IoCs

pid	Process
4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
4088	{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe
4476	{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
File created	C:\Windows\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
File created	C:\Windows\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
File created	C:\Windows\{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
File created	C:\Windows\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
File created	C:\Windows\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
File created	C:\Windows\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
File created	C:\Windows\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
File created	C:\Windows\{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
File created	C:\Windows\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
File created	C:\Windows\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
File created	C:\Windows\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe	{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
Token: SeIncBasePriorityPrivilege	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
Token: SeIncBasePriorityPrivilege	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
Token: SeIncBasePriorityPrivilege	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
Token: SeIncBasePriorityPrivilege	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
Token: SeIncBasePriorityPrivilege	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
Token: SeIncBasePriorityPrivilege	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
Token: SeIncBasePriorityPrivilege	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
Token: SeIncBasePriorityPrivilege	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
Token: SeIncBasePriorityPrivilege	4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
Token: SeIncBasePriorityPrivilege	4088	{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4912	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	81
PID 4920 wrote to memory of 4912	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	81
PID 4920 wrote to memory of 4912	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	81
PID 4920 wrote to memory of 3624	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	82
PID 4920 wrote to memory of 3624	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	82
PID 4920 wrote to memory of 3624	4920	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	82
PID 4912 wrote to memory of 4404	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	83
PID 4912 wrote to memory of 4404	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	83
PID 4912 wrote to memory of 4404	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	83
PID 4912 wrote to memory of 216	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	84
PID 4912 wrote to memory of 216	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	84
PID 4912 wrote to memory of 216	4912	{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe	84
PID 4404 wrote to memory of 5048	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	90
PID 4404 wrote to memory of 5048	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	90
PID 4404 wrote to memory of 5048	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	90
PID 4404 wrote to memory of 4816	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	91
PID 4404 wrote to memory of 4816	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	91
PID 4404 wrote to memory of 4816	4404	{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe	91
PID 5048 wrote to memory of 1460	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	94
PID 5048 wrote to memory of 1460	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	94
PID 5048 wrote to memory of 1460	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	94
PID 5048 wrote to memory of 1472	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	95
PID 5048 wrote to memory of 1472	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	95
PID 5048 wrote to memory of 1472	5048	{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe	95
PID 1460 wrote to memory of 5052	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	96
PID 1460 wrote to memory of 5052	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	96
PID 1460 wrote to memory of 5052	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	96
PID 1460 wrote to memory of 1680	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	97
PID 1460 wrote to memory of 1680	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	97
PID 1460 wrote to memory of 1680	1460	{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe	97
PID 5052 wrote to memory of 1128	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	98
PID 5052 wrote to memory of 1128	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	98
PID 5052 wrote to memory of 1128	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	98
PID 5052 wrote to memory of 428	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	99
PID 5052 wrote to memory of 428	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	99
PID 5052 wrote to memory of 428	5052	{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe	99
PID 1128 wrote to memory of 4188	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	100
PID 1128 wrote to memory of 4188	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	100
PID 1128 wrote to memory of 4188	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	100
PID 1128 wrote to memory of 4440	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	101
PID 1128 wrote to memory of 4440	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	101
PID 1128 wrote to memory of 4440	1128	{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe	101
PID 4188 wrote to memory of 1672	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	102
PID 4188 wrote to memory of 1672	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	102
PID 4188 wrote to memory of 1672	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	102
PID 4188 wrote to memory of 336	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	103
PID 4188 wrote to memory of 336	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	103
PID 4188 wrote to memory of 336	4188	{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe	103
PID 1672 wrote to memory of 4508	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	104
PID 1672 wrote to memory of 4508	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	104
PID 1672 wrote to memory of 4508	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	104
PID 1672 wrote to memory of 2456	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	105
PID 1672 wrote to memory of 2456	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	105
PID 1672 wrote to memory of 2456	1672	{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe	105
PID 4508 wrote to memory of 4500	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	106
PID 4508 wrote to memory of 4500	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	106
PID 4508 wrote to memory of 4500	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	106
PID 4508 wrote to memory of 4948	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	107
PID 4508 wrote to memory of 4948	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	107
PID 4508 wrote to memory of 4948	4508	{19F10546-1B1B-4167-A231-FB5CE855F170}.exe	107
PID 4500 wrote to memory of 4088	4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe	108
PID 4500 wrote to memory of 4088	4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe	108
PID 4500 wrote to memory of 4088	4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe	108
PID 4500 wrote to memory of 3944	4500	{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
  C:\Windows\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
    C:\Windows\{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
      C:\Windows\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
        
        C:\Windows\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
        
        C:\Windows\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
        
        C:\Windows\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
        
        C:\Windows\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
        
        C:\Windows\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
        
        C:\Windows\{19F10546-1B1B-4167-A231-FB5CE855F170}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
        
        C:\Windows\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe
        
        C:\Windows\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Windows\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe
        
        C:\Windows\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB3E~1.EXE > nul
        13⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E88~1.EXE > nul
        12⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19F10~1.EXE > nul
        11⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5A3~1.EXE > nul
        10⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC6C~1.EXE > nul
        9⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C78~1.EXE > nul
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87C2E~1.EXE > nul
        7⤵
        
        PID:428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7950D~1.EXE > nul
        6⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9683F~1.EXE > nul
        5⤵
        
        PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE102~1.EXE > nul
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0F6~1.EXE > nul
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19F10546-1B1B-4167-A231-FB5CE855F170}.exe

Filesize
344KB

MD5
e8bffe06915767f868a2e39efd65ca5b

SHA1
18c419a8b0fae73e0249361b56062e28544c82a1

SHA256
f59e53c60a93626b6a7be73ff924340ec431ab2eb82bd63d6966e689bd6afda3

SHA512
226e9bdcdbce4abe7d5ceebf2de60007abfff96fba910cf9453aa7f5365b346dce5cd48b8bb8d6cf650975d3db82051f9dde953f0fb379656f1e2cd6b38c81b7

Download Submit
C:\Windows\{1AB3E690-3794-4c5f-BBBA-B5DABEB5D813}.exe

Filesize
344KB

MD5
b149fbcb35060e2db9a1cc28dbb1e705

SHA1
00518d117c3823c49337c9ef16b5f8c35f9dd76d

SHA256
e3d7ed1d346bd857a82637d5b2375ad5e54d4e5c0f809224769583ed24bfaf64

SHA512
62958f1fd906a6bc50f7087a7999f7c5af4d911f9f148b1b57fa704188d27200d3e1ee52188275a2b90cec06012682492e90e80362bd67bb2c9e42f24b4efce9

Download Submit
C:\Windows\{2B0F6DB8-2239-474b-B231-20B145FAB7D1}.exe

Filesize
344KB

MD5
4ec06a45042b377c492545e96e85c2c4

SHA1
b017ed2014e521af5ece2807a3f3a2384592a4c0

SHA256
0e265db96b58107bd05f8518f61e2ad4a1c589781693e31bca1bd0e00cb62269

SHA512
2b10d93d0df35e52416015c5a6b3b7b44d6ea77ed9e4905ca4bb2a67f0ea5e2abc1a0008ec4fe4fb47ecde2c9180d5988ddea5123958c052ef775235223ec55e

Download Submit
C:\Windows\{7950D2DD-A406-4714-B82A-9BF155DDC1BC}.exe

Filesize
344KB

MD5
af656c63cad08e5b8115f140306a3c3c

SHA1
972bc7bb33d488e5d7950db5151e8d0182b67815

SHA256
931bc00405543732ab6ba6c7644e30ea014b68e92644cbd605fcfb8a42c76c99

SHA512
395d4b7d72e57c070bb032be7ce8172099d2ee5025ce1fbc3fa82600143a03fcb883058ded27f625beca21e7af36d40ed8887304b7d884ecccee8e5a09964c70

Download Submit
C:\Windows\{87C2E7E0-B3B6-4f13-A2A4-92E6C331EFE1}.exe

Filesize
344KB

MD5
a86b11f5dce622cd2f719cae696c9dc2

SHA1
91a1895b3bb90f19b82eaef3c9bcb4874e86d5f5

SHA256
6213a0b8c94f500008aff134f06a73fbe31799e4b0b9d3da1a48cf06e00b18a7

SHA512
1b49d474b74855c6ad8689678a95746f28e3a89fff1b0cfeed6a42b95b0dbe2b0056cb2609b06c170777c5a213a89c708be71b82407f4627b6bbf4a8a1f154e0

Download Submit
C:\Windows\{8B48A6DF-A989-47b8-916D-FC22570FC9E8}.exe

Filesize
344KB

MD5
c4fa527c382c1d3be3416a7bbe09aaca

SHA1
1e4f4b216567c773203cd961b34915c81b57b3da

SHA256
a9db43b8c83c51ae85c595481fa1fd11e8b542fe63dc8ffd1fd52ac6c1d3c57d

SHA512
3a4158c760c91c244d558043e5687c97babdd830c0c83d8ebd2b4d5ed2c7a0f997cbab0aeaf2d8c8784bb103c82977b4b5e9a8eccb17acc38830de55da58faf6

Download Submit
C:\Windows\{9683F09B-ADEF-4077-ABA6-C7EF2D69401B}.exe

Filesize
344KB

MD5
7f32cec8a8adbb9ba3b61d04cd9e92cc

SHA1
d31cba26f659334c7b31f51e592e1bf70d95f8aa

SHA256
404aa95d9a8d016e5ffd84d71203ba1798e38938891372630a97c70df6f55d09

SHA512
d131bc387eb3085a92fb2b154f233b63a5ceeaf9562a09e1096b6387700980189ad638031a5e36f3f45677815a1e4151f34f2d515fb5e4a5de3bfb1f8f93cade

Download Submit
C:\Windows\{AC5A349F-F993-44a5-99E1-8A41CCFEB5C6}.exe

Filesize
344KB

MD5
fa882f2896e085c55fcd566197216833

SHA1
85921c0c01aadbfaa04053a656715ba90d3c42cb

SHA256
0ab4f7d6516e9f0222f630574d8fa48c42cb98bf57b80506b058fe70ae6f049d

SHA512
93db19015c793ec948ea21f0244f333bf152c2f2ef68012d57a8414668068580e972f387cfe092f51c76d65f8ed2f2280248b14141ef742b3bf4fc17f56cbe54

Download Submit
C:\Windows\{B8E88A99-D767-46d2-BB3F-BC14B51C3148}.exe

Filesize
344KB

MD5
2f5631163dc06f49999e55a4705397a5

SHA1
84e76d26e841420f70b887f093e47017f0141228

SHA256
77ac44eee80efb0b052e88cbd10c74a23806a5918ba6996c7b373e555a5271cf

SHA512
4ad8c697a47b10e74012d0065d0f4dd28438a421ba67f94ecfca4f1b62e55bab58f5fc618a1a91d2c4f66c80f065e521ba2ae30a9363797b2756227bea01ae83

Download Submit
C:\Windows\{BCC6C154-15EA-4a64-A9DF-DD9134DFE14F}.exe

Filesize
344KB

MD5
a646f129c041ecfaef03bd0c73723cc4

SHA1
c3cb2774cfcf7b1a614a5358343782092e5d93ed

SHA256
a45af78290da7eb7ac20abf96fac404cd23a0e5156f3fe18ecc512180781e6e1

SHA512
fa96f706a6013c3699639cdf14c310afdb36955e772b7e98c98d93194b49ddcf1e7e635932e779338cbb652d444a877dc9e743f2585b58650df76aa1713f6437

Download Submit
C:\Windows\{C3C78EC3-C0F6-43d0-A59F-2168D80B64E8}.exe

Filesize
344KB

MD5
d027201a05acd95a60f3e988f7003553

SHA1
e5ce855ac338cff0c3b7610dd868060025ff5d8c

SHA256
ca68b264aeeaf8b004e0aa447895600040ab2f1117026eeef726758771f2c322

SHA512
c792df3e199650cee15e22219f3b758ebb1243750c916e4c76838830bb090b5ebdff33aafc5a5cdb6da4bc3e6786be15baa5307bfb489b602df9aacdb97aa623

Download Submit
C:\Windows\{EE10209B-D7F9-439d-8F52-A63D15253B6B}.exe

Filesize
344KB

MD5
4a2695304908427804a3b54a67dca0b4

SHA1
be1315987e3f6190f0eae0117be92b941079841e

SHA256
2b7401b79ff31de529d59ff7c1ce1ff08684b51252eda97fdbbe99aed206e66b

SHA512
d566108473196ae8c04623e490c22be4b98bceef4caab009e0af91ec787872cd24cb39ff9a4e755dc24c5da110c08924de11bf05e53c0fb079d8c3d3066dd3cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads