bd5874e6e3ecd2e489ba632aff59af53f2aaa539fa458ab0db539519a4f3a225

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Size

408KB
MD5

505da9d6e8a4223951fd5b2165d98895
SHA1

574aded91c55c99ab8aadd7af30db5793c593201
SHA256

bd5874e6e3ecd2e489ba632aff59af53f2aaa539fa458ab0db539519a4f3a225
SHA512

0280b0998b446c5e7344aaceefa86bf7b61c70aa8a00fd75dca2c502a269d3bff392ae224e1f1b3dac6513020f104678047fecb82d849df2695388540442349d
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}\stubpath = "C:\\Windows\\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe"	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA890534-D080-4adc-95C7-9CE81AC909A9}	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA890534-D080-4adc-95C7-9CE81AC909A9}\stubpath = "C:\\Windows\\{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe"	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE75FB43-5F31-4664-8A36-06E98951A623}	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}\stubpath = "C:\\Windows\\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe"	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}\stubpath = "C:\\Windows\\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe"	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32941781-8FF3-44d3-9A30-8651BBB33279}	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}\stubpath = "C:\\Windows\\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe"	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}\stubpath = "C:\\Windows\\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe"	{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE75FB43-5F31-4664-8A36-06E98951A623}\stubpath = "C:\\Windows\\{FE75FB43-5F31-4664-8A36-06E98951A623}.exe"	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}\stubpath = "C:\\Windows\\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe"	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762E2F10-A80D-475d-A970-1ED2107517F8}\stubpath = "C:\\Windows\\{762E2F10-A80D-475d-A970-1ED2107517F8}.exe"	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C678885-FE32-417b-9AD2-D67D66885FDA}	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C678885-FE32-417b-9AD2-D67D66885FDA}\stubpath = "C:\\Windows\\{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe"	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}	{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}\stubpath = "C:\\Windows\\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe"	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762E2F10-A80D-475d-A970-1ED2107517F8}	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32941781-8FF3-44d3-9A30-8651BBB33279}\stubpath = "C:\\Windows\\{32941781-8FF3-44d3-9A30-8651BBB33279}.exe"	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe

Executes dropped EXE 12 IoCs

pid	Process
3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
4844	{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
3740	{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
File created	C:\Windows\{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
File created	C:\Windows\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
File created	C:\Windows\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe	{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
File created	C:\Windows\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
File created	C:\Windows\{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
File created	C:\Windows\{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
File created	C:\Windows\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
File created	C:\Windows\{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
File created	C:\Windows\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
File created	C:\Windows\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
File created	C:\Windows\{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
Token: SeIncBasePriorityPrivilege	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
Token: SeIncBasePriorityPrivilege	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
Token: SeIncBasePriorityPrivilege	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
Token: SeIncBasePriorityPrivilege	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
Token: SeIncBasePriorityPrivilege	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
Token: SeIncBasePriorityPrivilege	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
Token: SeIncBasePriorityPrivilege	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
Token: SeIncBasePriorityPrivilege	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
Token: SeIncBasePriorityPrivilege	1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
Token: SeIncBasePriorityPrivilege	4844	{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3484	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	85
PID 4408 wrote to memory of 3484	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	85
PID 4408 wrote to memory of 3484	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	85
PID 4408 wrote to memory of 948	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	86
PID 4408 wrote to memory of 948	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	86
PID 4408 wrote to memory of 948	4408	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	86
PID 3484 wrote to memory of 3944	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	87
PID 3484 wrote to memory of 3944	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	87
PID 3484 wrote to memory of 3944	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	87
PID 3484 wrote to memory of 3496	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	88
PID 3484 wrote to memory of 3496	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	88
PID 3484 wrote to memory of 3496	3484	{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe	88
PID 3944 wrote to memory of 3040	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	92
PID 3944 wrote to memory of 3040	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	92
PID 3944 wrote to memory of 3040	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	92
PID 3944 wrote to memory of 3424	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	93
PID 3944 wrote to memory of 3424	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	93
PID 3944 wrote to memory of 3424	3944	{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe	93
PID 3040 wrote to memory of 2952	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	94
PID 3040 wrote to memory of 2952	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	94
PID 3040 wrote to memory of 2952	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	94
PID 3040 wrote to memory of 1476	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	95
PID 3040 wrote to memory of 1476	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	95
PID 3040 wrote to memory of 1476	3040	{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe	95
PID 2952 wrote to memory of 4076	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	96
PID 2952 wrote to memory of 4076	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	96
PID 2952 wrote to memory of 4076	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	96
PID 2952 wrote to memory of 4584	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	97
PID 2952 wrote to memory of 4584	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	97
PID 2952 wrote to memory of 4584	2952	{FE75FB43-5F31-4664-8A36-06E98951A623}.exe	97
PID 4076 wrote to memory of 5044	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	98
PID 4076 wrote to memory of 5044	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	98
PID 4076 wrote to memory of 5044	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	98
PID 4076 wrote to memory of 920	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	99
PID 4076 wrote to memory of 920	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	99
PID 4076 wrote to memory of 920	4076	{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe	99
PID 5044 wrote to memory of 4072	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	100
PID 5044 wrote to memory of 4072	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	100
PID 5044 wrote to memory of 4072	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	100
PID 5044 wrote to memory of 2620	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	101
PID 5044 wrote to memory of 2620	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	101
PID 5044 wrote to memory of 2620	5044	{762E2F10-A80D-475d-A970-1ED2107517F8}.exe	101
PID 4072 wrote to memory of 2820	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	102
PID 4072 wrote to memory of 2820	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	102
PID 4072 wrote to memory of 2820	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	102
PID 4072 wrote to memory of 4068	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	103
PID 4072 wrote to memory of 4068	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	103
PID 4072 wrote to memory of 4068	4072	{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe	103
PID 2820 wrote to memory of 5016	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	104
PID 2820 wrote to memory of 5016	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	104
PID 2820 wrote to memory of 5016	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	104
PID 2820 wrote to memory of 3448	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	105
PID 2820 wrote to memory of 3448	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	105
PID 2820 wrote to memory of 3448	2820	{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe	105
PID 5016 wrote to memory of 1632	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	106
PID 5016 wrote to memory of 1632	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	106
PID 5016 wrote to memory of 1632	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	106
PID 5016 wrote to memory of 2868	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	107
PID 5016 wrote to memory of 2868	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	107
PID 5016 wrote to memory of 2868	5016	{32941781-8FF3-44d3-9A30-8651BBB33279}.exe	107
PID 1632 wrote to memory of 4844	1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe	108
PID 1632 wrote to memory of 4844	1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe	108
PID 1632 wrote to memory of 4844	1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe	108
PID 1632 wrote to memory of 4420	1632	{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
  C:\Windows\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
    C:\Windows\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
      C:\Windows\{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
        
        C:\Windows\{FE75FB43-5F31-4664-8A36-06E98951A623}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
        
        C:\Windows\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
        
        C:\Windows\{762E2F10-A80D-475d-A970-1ED2107517F8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
        
        C:\Windows\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
        
        C:\Windows\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
        
        C:\Windows\{32941781-8FF3-44d3-9A30-8651BBB33279}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
        
        C:\Windows\{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
        
        C:\Windows\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe
        
        C:\Windows\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{094BD~1.EXE > nul
        13⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C678~1.EXE > nul
        12⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32941~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36EF9~1.EXE > nul
        10⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6232~1.EXE > nul
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762E2~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{239CD~1.EXE > nul
        7⤵
        
        PID:920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE75F~1.EXE > nul
        6⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA890~1.EXE > nul
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5A3~1.EXE > nul
      4⤵
      PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1B3C~1.EXE > nul
    3⤵
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094BDE35-0F33-4efe-82E1-B48065C4A5A7}.exe

Filesize
408KB

MD5
4378d1b6c9e3840fa3797348d1dc70de

SHA1
1971188061635078308bbed5140a88ecf70dfae8

SHA256
507bda294ee2a220155f11d49ca1fdfca9a3629c9fe3051ab36adddd23b6a023

SHA512
9a5439c87234d930601e0e0dc9bcfbc555008d49e6f19a047ddc17f62f9ef9044c861501794969b903d44d6d39d813241b5ae64f97967014f115e0148014bff0

Download Submit
C:\Windows\{142A7051-74B3-47ca-8FF8-1FDAF39B13AB}.exe

Filesize
408KB

MD5
1f6a3fd73295895fb80178743f2194d3

SHA1
f3e14b613f0805eee459387718121d7bc6949c8a

SHA256
90d7740ba36096e3dc2d9eb94b4aa1b1789a551872f82b448e407766ccad2937

SHA512
d77ed5415ba631c7eeb1e4fd49e67feb1cfe801265b47ceaf8d17cdddcb8678ed77017be546453c1d0eb80275f3b9041bc86d62711b97ff1ea4e500f35c56790

Download Submit
C:\Windows\{239CDB82-8CD9-4e7b-8B40-6E5BF373D35B}.exe

Filesize
408KB

MD5
f5cfa25cf17c008d38dbaadd5691794c

SHA1
cbab194aaead03b9df595f688b6315e1dbccfc19

SHA256
cda948ea21aa067be68bb07363776282c99303a73253e8ed076e2d90afd2d667

SHA512
b386fc8255bf59e9195ae21184a0c124f3ae38857f1f794cd04dc3a5b54aee253a06e8f752ef5471d290d2a23e459ea297d6ea2e14e0ef52d767d38212fc3c7f

Download Submit
C:\Windows\{32941781-8FF3-44d3-9A30-8651BBB33279}.exe

Filesize
408KB

MD5
d99612e0f7ccf9ee3d094ae154d503cb

SHA1
99a5345e38ee8a598bfb037c370185072dea52ab

SHA256
3e6122cced9e972622e1f5b3f457b7a2cf3197e2ae3fd4c6488a3adb3ac3d984

SHA512
4093f23ef6e28360a60172c4573e679ceafe048ad447d0f23f9577d0f007dd75a35b0c8d169bd2ffc60b80cad7635919d836f441b921a5457026b9b408b10d77

Download Submit
C:\Windows\{36EF9906-AD93-40cb-84EF-94DCB9CC4503}.exe

Filesize
408KB

MD5
9b08308aa74a26986e110c4f47548e72

SHA1
a4af16d665ff59cdd2859df9989425c11f816d10

SHA256
7bedf4c9a81575824bbb1694a587cb41a6614999d141243fe6b108db451f7084

SHA512
74be5beda361dcc88f922488a975a44c2c21fc8b4aeabbb364e97ec89c77a325daea4a1c2fc25af9e6899388f574109f612eb1c50983ebc8656ee422fba8c4a5

Download Submit
C:\Windows\{762E2F10-A80D-475d-A970-1ED2107517F8}.exe

Filesize
408KB

MD5
d00afc1512ab3f56fa683f6f30caa031

SHA1
adac8c2b114c6171cf30e0e39b56813204139ed1

SHA256
4821c509b6312ceb1fe7e9ac5719ac86c8048c6d2af017aba6ecd5fe572ca5ac

SHA512
1b8d4a7f83baf0ca5c14138cb59c894f13f2bee88befc16d4f5fedc6eddc01a978aa4d08739ea0fdfe628df724c78454a80fa34369b44602e39be90e2ed2f874

Download Submit
C:\Windows\{8C678885-FE32-417b-9AD2-D67D66885FDA}.exe

Filesize
408KB

MD5
db207e80343d4d84be14687cf0f64f2a

SHA1
48e8792a9c1bc757bb8f1a8df8365de487bfd81c

SHA256
37a8bf061442aabc7d9255e5ccb9611901a19e4baba2a6a1f7e617a4782bae2e

SHA512
470d653f4125d6e88854fdcb7fe8a67527abfe12f9cbbea994e2076aa05b2d80fc34c2b6068707e6e5fc538e704d8a1fea29af4d5fd6be7ec94ba2dd262ce78b

Download Submit
C:\Windows\{A62327D0-F5BA-4732-B7B0-D79D35086AB9}.exe

Filesize
408KB

MD5
90e3d4f56552b1ac6769f2f1a6cab2c7

SHA1
afefdd7d385c588f9ebb6c000164190fd85a56f9

SHA256
7fe0116841f30a8c3e8e46745060c00684dae59e2b404a21ca0f19dd61092d0d

SHA512
5dc764ebbce6ad9c3c60a17e59baa1b7dd409940fc7a7bb184e035d91dabcbeb49a5e25293bbf2b8bccae82f80481bb8d0a6f531efa3a9ab7ac5730da346fafd

Download Submit
C:\Windows\{C1B3C708-B463-4417-A1DB-CE7071A53DB4}.exe

Filesize
408KB

MD5
279fe2ca004d60320038ed1741544c47

SHA1
77816183df9dabce53dd845dc5b871d8cc86fd0f

SHA256
b7ef8c09fa1470e4f16062b4c80d067043e2a42985e9ad675d1e720cd47cd604

SHA512
7a256eb79232b2b4dcfc09376e8dd53d5c87ee7b742d479589f375211fdbe7a3e2db41bbc2ba850eb0344b539831397abfd8895889f9599754622f2de7f360a2

Download Submit
C:\Windows\{CC5A321C-59E9-4436-A0CE-9FAFEEF538CC}.exe

Filesize
408KB

MD5
53edcce8c01a28ba7df6e19ad16e5516

SHA1
7c11e9d0b4d116f6a441529eab7223f0726b0436

SHA256
5101e876273d00cc197ef83edde773b4d619a3a7918b2e25f55abe0f0d3e1413

SHA512
b61e0b66955b01611724abb639861fdbd92fbdd1a16b0fa14a35cbdfb5975d3d326c76b7ebb73b12efe2dfe96d23e801d3e659228cec0cb02c763324a4da4ffe

Download Submit
C:\Windows\{EA890534-D080-4adc-95C7-9CE81AC909A9}.exe

Filesize
408KB

MD5
2168677a3b3141d58baf37f41c210644

SHA1
777bad13bfb2156017082cdab4c0d45dc10f801b

SHA256
48e1e0ecfb46b0d1755b1138088158d559bc0f1ffec499afb08e9540e4be196c

SHA512
f1bd5319761e1a797b5c019c3e97dd0d87fe269c21bf5be3ae6f3986acc7b9b11ba2b5f6ed6566fb9d9469b68eb8dbf953716343974e1103512b32bb6396b55f

Download Submit
C:\Windows\{FE75FB43-5F31-4664-8A36-06E98951A623}.exe

Filesize
408KB

MD5
2e9af572d0ac912515db13952a6d9d0f

SHA1
4f2a73a7411c3cd420312be5297b7b72d40a12eb

SHA256
0c946fe657071e3eda8e37769bf9038ec8f28054a2cf9a3c79f1071906b76b1b

SHA512
9b1f9d993f57e12b613f0603321787550fadd572750688bc51501647c63d396592a3a55c9853d9abd102ad662b4ce902e30f0f9f41d022a9934591171b0eb70f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads