6db2d81b0d23ed111057fb42d57ecb157a79ce83d76eb1f3a4a4eb99e3765838

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Size

380KB
MD5

ae4c37ada9f62ea4a4aac066ec6a5938
SHA1

1922ae90de1682a43ba936eb2e2c02526a67d1f0
SHA256

6db2d81b0d23ed111057fb42d57ecb157a79ce83d76eb1f3a4a4eb99e3765838
SHA512

ac1b0dad598b44a0442b44659990bb24583e4c4f7035cef597c327fd2abc4c5c56668bb536caf9bd6e1350a5f21ab8498e252bcde29d19b5f8828be26ef969be
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}\stubpath = "C:\\Windows\\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe"	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}\stubpath = "C:\\Windows\\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe"	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD193281-FF78-4101-AA49-CE920C4D795A}\stubpath = "C:\\Windows\\{BD193281-FF78-4101-AA49-CE920C4D795A}.exe"	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}\stubpath = "C:\\Windows\\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe"	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}\stubpath = "C:\\Windows\\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe"	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED610E0-1072-4620-BDA7-74981FBF814D}	{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99297F0-B059-462a-B216-F2F1FBD2E872}	{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99297F0-B059-462a-B216-F2F1FBD2E872}\stubpath = "C:\\Windows\\{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe"	{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}	{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}\stubpath = "C:\\Windows\\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe"	{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}\stubpath = "C:\\Windows\\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe"	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD193281-FF78-4101-AA49-CE920C4D795A}	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}\stubpath = "C:\\Windows\\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe"	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}\stubpath = "C:\\Windows\\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe"	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED610E0-1072-4620-BDA7-74981FBF814D}\stubpath = "C:\\Windows\\{EED610E0-1072-4620-BDA7-74981FBF814D}.exe"	{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
1628	{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
684	{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe
2168	{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
2180	{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
File created	C:\Windows\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
File created	C:\Windows\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
File created	C:\Windows\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
File created	C:\Windows\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
File created	C:\Windows\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
File created	C:\Windows\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe	{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
File created	C:\Windows\{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe	{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
File created	C:\Windows\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
File created	C:\Windows\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
File created	C:\Windows\{EED610E0-1072-4620-BDA7-74981FBF814D}.exe	{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
Token: SeIncBasePriorityPrivilege	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
Token: SeIncBasePriorityPrivilege	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
Token: SeIncBasePriorityPrivilege	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
Token: SeIncBasePriorityPrivilege	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
Token: SeIncBasePriorityPrivilege	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
Token: SeIncBasePriorityPrivilege	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
Token: SeIncBasePriorityPrivilege	1628	{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
Token: SeIncBasePriorityPrivilege	684	{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe
Token: SeIncBasePriorityPrivilege	2168	{EED610E0-1072-4620-BDA7-74981FBF814D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1976	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	29
PID 2468 wrote to memory of 2768	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	30
PID 1976 wrote to memory of 2632	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	31
PID 1976 wrote to memory of 2632	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	31
PID 1976 wrote to memory of 2632	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	31
PID 1976 wrote to memory of 2632	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	31
PID 1976 wrote to memory of 2164	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	32
PID 1976 wrote to memory of 2164	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	32
PID 1976 wrote to memory of 2164	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	32
PID 1976 wrote to memory of 2164	1976	{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe	32
PID 2632 wrote to memory of 2664	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	33
PID 2632 wrote to memory of 2664	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	33
PID 2632 wrote to memory of 2664	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	33
PID 2632 wrote to memory of 2664	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	33
PID 2632 wrote to memory of 2672	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	34
PID 2632 wrote to memory of 2672	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	34
PID 2632 wrote to memory of 2672	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	34
PID 2632 wrote to memory of 2672	2632	{BD193281-FF78-4101-AA49-CE920C4D795A}.exe	34
PID 2664 wrote to memory of 2692	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	35
PID 2664 wrote to memory of 2692	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	35
PID 2664 wrote to memory of 2692	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	35
PID 2664 wrote to memory of 2692	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	35
PID 2664 wrote to memory of 2324	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	36
PID 2664 wrote to memory of 2324	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	36
PID 2664 wrote to memory of 2324	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	36
PID 2664 wrote to memory of 2324	2664	{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe	36
PID 2692 wrote to memory of 2940	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	37
PID 2692 wrote to memory of 2940	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	37
PID 2692 wrote to memory of 2940	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	37
PID 2692 wrote to memory of 2940	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	37
PID 2692 wrote to memory of 2724	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	38
PID 2692 wrote to memory of 2724	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	38
PID 2692 wrote to memory of 2724	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	38
PID 2692 wrote to memory of 2724	2692	{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe	38
PID 2940 wrote to memory of 316	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	39
PID 2940 wrote to memory of 316	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	39
PID 2940 wrote to memory of 316	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	39
PID 2940 wrote to memory of 316	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	39
PID 2940 wrote to memory of 648	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	40
PID 2940 wrote to memory of 648	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	40
PID 2940 wrote to memory of 648	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	40
PID 2940 wrote to memory of 648	2940	{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe	40
PID 316 wrote to memory of 2924	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	41
PID 316 wrote to memory of 2924	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	41
PID 316 wrote to memory of 2924	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	41
PID 316 wrote to memory of 2924	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	41
PID 316 wrote to memory of 2984	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	42
PID 316 wrote to memory of 2984	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	42
PID 316 wrote to memory of 2984	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	42
PID 316 wrote to memory of 2984	316	{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe	42
PID 2924 wrote to memory of 1628	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	43
PID 2924 wrote to memory of 1628	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	43
PID 2924 wrote to memory of 1628	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	43
PID 2924 wrote to memory of 1628	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	43
PID 2924 wrote to memory of 3060	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	44
PID 2924 wrote to memory of 3060	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	44
PID 2924 wrote to memory of 3060	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	44
PID 2924 wrote to memory of 3060	2924	{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
  C:\Windows\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
    C:\Windows\{BD193281-FF78-4101-AA49-CE920C4D795A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
      C:\Windows\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
        
        C:\Windows\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
        
        C:\Windows\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
        
        C:\Windows\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
        
        C:\Windows\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
        
        C:\Windows\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe
        
        C:\Windows\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
        
        C:\Windows\{EED610E0-1072-4620-BDA7-74981FBF814D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe
        
        C:\Windows\{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe
        12⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EED61~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A53F9~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE09~1.EXE > nul
        10⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB8D~1.EXE > nul
        9⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA213~1.EXE > nul
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14433~1.EXE > nul
        7⤵
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19AF8~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{037AA~1.EXE > nul
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD193~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA4C0~1.EXE > nul
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{037AAF58-BC34-4015-AF0A-DFCEBE1555B7}.exe

Filesize
380KB

MD5
a5049f3b7c9f0c7c8a3ef879418b2bc9

SHA1
07559118001d5ce2f980e8491310b162b4f94118

SHA256
93708457f5170e3af621dadc8bae3c1e19dc9dd164ae0917addce661838af621

SHA512
d8185a86f9fd5c5ea74209f5361235409dfbb8132a82e9c724420f22fc0eb62cbb14f2002ea441892f3deb133936bb075f010d376e27c86c590a608a4fa2e7e2

Download Submit
C:\Windows\{14433BB6-2554-4b4a-ACEE-A78F8548CDB2}.exe

Filesize
380KB

MD5
5ad5281555fc9907c48b130f6009f9ac

SHA1
3b8a4af60fc748817b5e92a9d7bb0b6aa692be0c

SHA256
7cd7a92a169e4e901e936bd9c8835e7f832fc9e0c719866ddb6a6b7b39b0679b

SHA512
932535cbdbef7c7e8605bf56c62cd966dcf6c14c10de2032fe882f927dc9a97dd831657b38316e58c69710a268a22f8e5667e05b113ae8982c22cf1fffd47750

Download Submit
C:\Windows\{19AF8A53-01DF-4253-8E0C-E02ECF6006C8}.exe

Filesize
380KB

MD5
41218600bdd7fa518f50ba7727e0cc9c

SHA1
e15c2aae31d9710c4084ccf45b5053bda42705f3

SHA256
5434f65a1b130c15a1b38ac4f69d58d066bd4132a3e2641714da53bc571371c0

SHA512
80978ba38c8a6abb106a19cdd3c4b0edb4e5157be02dedd8d95843720916af1ede1ecb3ecd6da40be510c0483a740f775e5f7a48dbbfbbcbc26556eb355acb16

Download Submit
C:\Windows\{4AE09DF8-F146-4d4a-A388-E4068E03B8DD}.exe

Filesize
380KB

MD5
fabec8554c29fc1de9fcd2e928e2c653

SHA1
1977dfb6c0ddee776a55df48dded5325518ab108

SHA256
1631f7c0415be68651bcc1fd7fcab9a891d8d217a2232b31bd9e34d5146e5b0c

SHA512
d0a90c5bcc9b3b77d29abae5f2a2a5faab4a42199d979b5a5b1be8b3c8a189cb65b43a81482c146454875ca8dc824b9e583e9298e708934441807493017e7c21

Download Submit
C:\Windows\{8AB8D96A-AA85-4d32-BAB2-AA4986EE7E9F}.exe

Filesize
380KB

MD5
26c0ef150e51ff042a8b5ccae2986cb8

SHA1
962dd352f68ee2968ede23ed6f13241c38352b49

SHA256
56881640153db509b324acee0b54dbb43a8a42ce5823af53b636c2b15fe74712

SHA512
fe9886b89170ff27f5ba9592a9651dc038cb9d48fc4b1c4da0dc7dd7c486c809d3f0ccc178fed95942c8ba883d8c6877a550d27476bb92244d6190ffe3387d62

Download Submit
C:\Windows\{A53F987C-0E75-4259-B4F1-8839AE4BB57A}.exe

Filesize
380KB

MD5
ed5a5b3ca6429e73200c03721bb78bbf

SHA1
fb09091f5f8b6d829f5fd0b31d6e8b7770be44e0

SHA256
e8400442c440790b24091c1213a314073671adf7dcafd6325b8587765095f890

SHA512
eea67ab7e5c33f8d053f6b826cd00ce44a3bc8b39c97dcbd0f03653589ac202bf860f2351467efe66ebadc7f073e1c782e14992eddfccf61ee0822176f4a22f3

Download Submit
C:\Windows\{BA4C0F7A-4E38-47f3-AFB2-7D81CC750CA0}.exe

Filesize
380KB

MD5
67efd6d0bd0fb860de5704d0ef8c30af

SHA1
2616c880fc29cb3e797deb92c1d39a6fa67bbf0b

SHA256
cf143993d3ae5528fb1f0a5ba4b01390052cbf3fb59fbc8591d62ca0255b10c5

SHA512
13533a261813e8d6c1c081cd5c7c233cccb28bf757cc2107bd7e3940399c42246c1cf183ad8fd5ea578ef9a6c95312a4d56c154eb7efb06f93664f7261ab99f8

Download Submit
C:\Windows\{BD193281-FF78-4101-AA49-CE920C4D795A}.exe

Filesize
380KB

MD5
e94724a8f526fbf2c52360ff04244f55

SHA1
8db2c53e99cfd1bce1a7676a76ea69309311611b

SHA256
bd124610a13a1329eafb295680092fecc058168a7290afd153f6643f7a45bbd0

SHA512
d155feb727fe7da7a15c8ca43f7974d42efb6e596a4bce4d74a845114c9013be125ce34d896bf1f70f29e1ce281a25963c432ca3f6ca3fa8e27e2daa3d6bd2cf

Download Submit
C:\Windows\{C99297F0-B059-462a-B216-F2F1FBD2E872}.exe

Filesize
380KB

MD5
baaf0ee2fcca136dff3cb2ccce8d4a77

SHA1
280816bbb9e22b86163f00996d405316ad9651aa

SHA256
d22425b05a380ae1ffead60cbca941cd75ec98e44d5d44c93f2d3c1e0e8bb54c

SHA512
2cc3c96bd512a7111a135643402c4c2b22830ee636a85fc1bd579f104620a7dee5b626663fcb2063c56804df2bd010f503f104f236b6434bbb4b21e89c4cd083

Download Submit
C:\Windows\{EA2132B1-E2D6-4038-83BF-4AD342925D4B}.exe

Filesize
380KB

MD5
b4013da9fed8c240df38d18bc70be59d

SHA1
8646b0cc0fd686d8d56184daf58fd8bc2e5ef574

SHA256
091b082a2b446ca96881b3701f8c53af52f338177d0ad089fdf38a51afcbd748

SHA512
8ea28939520884df9d49ecdf9095ef5d8124c6d978c335d4236b7910a6bf29d443f8b0217512a0338c6fd2badca3143650f8b7c68fd2e1f39fc80a0b1dca51c3

Download Submit
C:\Windows\{EED610E0-1072-4620-BDA7-74981FBF814D}.exe

Filesize
380KB

MD5
fd2e7f23bc64ff0325e72ef318adc32a

SHA1
21c919124ed19c8b9cb7458114019f6d68698a52

SHA256
e59c8f9d3454c8e236b17b4b1f8df3be01086c569b5b48771ee90d5751399acb

SHA512
f5a59e252e0c6419f5ab9e7c3cc540e5a2b5cb74737d23a00daac9b88d716b8f8bc06b65abb6ab5b1c947ba64f853c00b0f75a055bccb8ebf947dc638fcf5bbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads