b6df3313da36f5b1e8a8e416d19a6bee860e0085e75d7ed08fdeb0e8adca210d

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
Size

380KB
MD5

90e54695531eba5215c967820591dc9a
SHA1

1c94d8640f8eaa6b79b272d0ac2036c59638f7c7
SHA256

b6df3313da36f5b1e8a8e416d19a6bee860e0085e75d7ed08fdeb0e8adca210d
SHA512

8deb9af8495d8d04a06a361e9c3a7c49dcc7d17a4338340d8e0465bb25e60432faccd2cddbbd6f764e84998b9104cfc48ec3632b77900f665efc1609843b7e32
SSDEEP

3072:mEGh0owlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB69939F-E78F-460e-891F-5D8E766A5666}\stubpath = "C:\\Windows\\{BB69939F-E78F-460e-891F-5D8E766A5666}.exe"	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}	{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E74C3F-295F-4be3-887C-89B102C8F8BA}\stubpath = "C:\\Windows\\{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe"	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB69939F-E78F-460e-891F-5D8E766A5666}	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}\stubpath = "C:\\Windows\\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe"	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}\stubpath = "C:\\Windows\\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe"	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F86CA0-CD65-4a71-8B60-7928B199D337}\stubpath = "C:\\Windows\\{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe"	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140E9D5B-8684-4229-9042-BB140EC61B67}\stubpath = "C:\\Windows\\{140E9D5B-8684-4229-9042-BB140EC61B67}.exe"	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}\stubpath = "C:\\Windows\\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe"	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}\stubpath = "C:\\Windows\\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe"	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20382950-B539-4657-BCAB-1A0D1222CFFD}	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20382950-B539-4657-BCAB-1A0D1222CFFD}\stubpath = "C:\\Windows\\{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe"	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140E9D5B-8684-4229-9042-BB140EC61B67}	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38E74C3F-295F-4be3-887C-89B102C8F8BA}	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F86CA0-CD65-4a71-8B60-7928B199D337}	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}\stubpath = "C:\\Windows\\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe"	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}\stubpath = "C:\\Windows\\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe"	{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}\stubpath = "C:\\Windows\\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe"	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe

Executes dropped EXE 12 IoCs

pid	Process
3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
2444	{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
4868	{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
File created	C:\Windows\{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
File created	C:\Windows\{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
File created	C:\Windows\{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
File created	C:\Windows\{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
File created	C:\Windows\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe	{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
File created	C:\Windows\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
File created	C:\Windows\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
File created	C:\Windows\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
File created	C:\Windows\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
File created	C:\Windows\{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
File created	C:\Windows\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
Token: SeIncBasePriorityPrivilege	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
Token: SeIncBasePriorityPrivilege	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
Token: SeIncBasePriorityPrivilege	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
Token: SeIncBasePriorityPrivilege	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
Token: SeIncBasePriorityPrivilege	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
Token: SeIncBasePriorityPrivilege	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
Token: SeIncBasePriorityPrivilege	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
Token: SeIncBasePriorityPrivilege	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
Token: SeIncBasePriorityPrivilege	4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
Token: SeIncBasePriorityPrivilege	2444	{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3096	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	81
PID 2268 wrote to memory of 3096	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	81
PID 2268 wrote to memory of 3096	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	81
PID 2268 wrote to memory of 2984	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	82
PID 2268 wrote to memory of 2984	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	82
PID 2268 wrote to memory of 2984	2268	2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe	82
PID 3096 wrote to memory of 3700	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	83
PID 3096 wrote to memory of 3700	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	83
PID 3096 wrote to memory of 3700	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	83
PID 3096 wrote to memory of 3728	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	84
PID 3096 wrote to memory of 3728	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	84
PID 3096 wrote to memory of 3728	3096	{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe	84
PID 3700 wrote to memory of 3908	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	87
PID 3700 wrote to memory of 3908	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	87
PID 3700 wrote to memory of 3908	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	87
PID 3700 wrote to memory of 2640	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	88
PID 3700 wrote to memory of 2640	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	88
PID 3700 wrote to memory of 2640	3700	{140E9D5B-8684-4229-9042-BB140EC61B67}.exe	88
PID 3908 wrote to memory of 716	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	89
PID 3908 wrote to memory of 716	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	89
PID 3908 wrote to memory of 716	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	89
PID 3908 wrote to memory of 3544	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	90
PID 3908 wrote to memory of 3544	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	90
PID 3908 wrote to memory of 3544	3908	{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe	90
PID 716 wrote to memory of 1340	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	91
PID 716 wrote to memory of 1340	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	91
PID 716 wrote to memory of 1340	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	91
PID 716 wrote to memory of 3184	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	92
PID 716 wrote to memory of 3184	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	92
PID 716 wrote to memory of 3184	716	{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe	92
PID 1340 wrote to memory of 4232	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	93
PID 1340 wrote to memory of 4232	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	93
PID 1340 wrote to memory of 4232	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	93
PID 1340 wrote to memory of 5060	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	94
PID 1340 wrote to memory of 5060	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	94
PID 1340 wrote to memory of 5060	1340	{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe	94
PID 4232 wrote to memory of 4444	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	95
PID 4232 wrote to memory of 4444	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	95
PID 4232 wrote to memory of 4444	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	95
PID 4232 wrote to memory of 1072	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	96
PID 4232 wrote to memory of 1072	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	96
PID 4232 wrote to memory of 1072	4232	{BB69939F-E78F-460e-891F-5D8E766A5666}.exe	96
PID 4444 wrote to memory of 4280	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	97
PID 4444 wrote to memory of 4280	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	97
PID 4444 wrote to memory of 4280	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	97
PID 4444 wrote to memory of 3864	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	98
PID 4444 wrote to memory of 3864	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	98
PID 4444 wrote to memory of 3864	4444	{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe	98
PID 4280 wrote to memory of 740	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	99
PID 4280 wrote to memory of 740	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	99
PID 4280 wrote to memory of 740	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	99
PID 4280 wrote to memory of 1000	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	100
PID 4280 wrote to memory of 1000	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	100
PID 4280 wrote to memory of 1000	4280	{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe	100
PID 740 wrote to memory of 4124	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	101
PID 740 wrote to memory of 4124	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	101
PID 740 wrote to memory of 4124	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	101
PID 740 wrote to memory of 4912	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	102
PID 740 wrote to memory of 4912	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	102
PID 740 wrote to memory of 4912	740	{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe	102
PID 4124 wrote to memory of 2444	4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe	103
PID 4124 wrote to memory of 2444	4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe	103
PID 4124 wrote to memory of 2444	4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe	103
PID 4124 wrote to memory of 1680	4124	{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_90e54695531eba5215c967820591dc9a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
  C:\Windows\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
    C:\Windows\{140E9D5B-8684-4229-9042-BB140EC61B67}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
      C:\Windows\{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
        
        C:\Windows\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
      - C:\Windows\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
        
        C:\Windows\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
        
        C:\Windows\{BB69939F-E78F-460e-891F-5D8E766A5666}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
        
        C:\Windows\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
        
        C:\Windows\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
        
        C:\Windows\{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
        
        C:\Windows\{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
        
        C:\Windows\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe
        
        C:\Windows\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe
        13⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DF71~1.EXE > nul
        13⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20382~1.EXE > nul
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81F86~1.EXE > nul
        11⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{155DB~1.EXE > nul
        10⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED232~1.EXE > nul
        9⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB699~1.EXE > nul
        8⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7009F~1.EXE > nul
        7⤵
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA1AC~1.EXE > nul
        6⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38E74~1.EXE > nul
        5⤵
        
        PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{140E9~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1976D~1.EXE > nul
    3⤵
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{140E9D5B-8684-4229-9042-BB140EC61B67}.exe

Filesize
380KB

MD5
e9fbd9e232c42e77a811a85ad680f35b

SHA1
48c36b1f9b377de31219f8a9ab14100c2bbf104d

SHA256
48a19ea987c48b386cbd2dbb8209c49323bd0c8bfe12ed7fb25058db8dc1c4c5

SHA512
c54263a2b99d68a34451b991b454f7a9d43786b39a612a01b5cce065f1916f41d208b6b2a293e0a27df6cdc821a77470d1a1177a5483293ea428731639817c2c

Download Submit
C:\Windows\{155DB1AB-3675-465f-87CB-FAEE8B56E8F6}.exe

Filesize
380KB

MD5
477f3e128255be0b6aef33aaef65a2eb

SHA1
3a1d5ba1aa197b5b2f5732c3dcf8fa00c055df51

SHA256
73c2a9c53112de60cc9ba91fd5d6652708af6f0beeedebedbc64680676b51d07

SHA512
6b2cecfb454243a4f91382388056bacdde4c6c08b36f54b0abcc7eb64807876e91a3236a4756579730aff1c90dbe300f8e7dbc245f9f38a519794d5245c89cee

Download Submit
C:\Windows\{1976D2C5-AE3A-4d05-832B-1D142AF6CB34}.exe

Filesize
380KB

MD5
48e8a8c5fc5e148997a95fb565bdcab4

SHA1
d6debd74d2b150e1ffd9c4ecbf6caa382244d2fb

SHA256
32ef1ba274ccfb195ccfcbcd1c8a71f35a84f27b8d373340b292eddbe0f4f3c8

SHA512
8b8f053c4cc6f475ced2655689cb42acb9d7641d4d25084adf76365c68d2b26cf73033d181f1fb42ab375744da62a49e35cc288cda9edc4121f2f9355f81890e

Download Submit
C:\Windows\{1DF71063-D9B4-4aec-9475-FC1F6C8768A1}.exe

Filesize
380KB

MD5
225a69186c99f861155bacbc13ec3045

SHA1
0f1142b5d7db5e5a75a34718b034446d5929e8a0

SHA256
6c80fd69910d79dfa627dba8f59c6ec9cdf6dd171c991b88e257bde6c048df3a

SHA512
8e80b73124f18cc547f632009770c52f30fbeb535fcbc5f796727b79203065a6615b2a62658d7dd3f1a1188436bd1cb7d482987e7f15223d63dcdf7df1dc145e

Download Submit
C:\Windows\{20382950-B539-4657-BCAB-1A0D1222CFFD}.exe

Filesize
380KB

MD5
9fe6c6cd13ea59b23978efde65778e08

SHA1
a2d7f2a213add381b991e00b1ee305e9091876ec

SHA256
5c87d4c380786dd79342c9c6ab4b1be801898f8592fd5e07e82672502cfb5a7b

SHA512
67ddf08b445c2ffec1f6ba7533ac0b378e1a04c48928efc657ab56fa7ea3612c672ffa6bdd9f94ac8bec6eb7bac4a2dcbfe968e08e7c293e72883be2b75e5399

Download Submit
C:\Windows\{38E74C3F-295F-4be3-887C-89B102C8F8BA}.exe

Filesize
380KB

MD5
57e0e8ec3bae256b120ad8e96681e44d

SHA1
70de7ed970992c4a7bf6da36fc5827d813654507

SHA256
12eb9340c431f9a70f352cc7ed6a02686d8f6cd8f547b10f078d8813b283136d

SHA512
f5f9d104b0290342e1a8cfec3b951a7d5ded604cee3e760375b56663893593560300aa8f4c14c56db3f42959cc355a8da88fabb09136dfb441cf0f1a9a9fefa4

Download Submit
C:\Windows\{7009FA6C-FADC-48b3-8F55-BAF4B871D3D2}.exe

Filesize
380KB

MD5
be7df93ca4b16d40fe8444eb1a0c2a3d

SHA1
4cee48a92e78942cba5e45b103d0fa9c49b7e233

SHA256
cced4ed1be80fab05b7cf95703931f7abdc81a1cc0f2a7e4f00030f3c04d953a

SHA512
7745632cdd31bb49a785f2df4c061748e68f49c578c4e8ec0ed938879435948ad8dba3f406a2b8a346599df6d649d13f0b6b4d37bb9c19daf403d85ec5928e28

Download Submit
C:\Windows\{81F86CA0-CD65-4a71-8B60-7928B199D337}.exe

Filesize
380KB

MD5
63d0d41d77e5d446dfeca23f7b426ee9

SHA1
519c769e5dcc355ab136786fd0379f5129f0b3ab

SHA256
6cee06f0f5326da56fdcbb63336e75f8ef4c0e824077d125b1239b7a36293524

SHA512
5e86046c15d9a36c281e172984f53b36c25d5e913769a37a8434d4e5abb47c35adfa19e785371b3900cf392d8fd92e217b55401f3658cbbae0c5da7c3cdb25a2

Download Submit
C:\Windows\{A1CE01FA-5AA2-47c0-AB65-FA3B31CE9F53}.exe

Filesize
380KB

MD5
66f4a1680dcba78933da5f2ed26bd5e5

SHA1
6788bc419b059e6dbdf756c56f7746c2fb29d0ae

SHA256
00d1ab56e9fa5bc2605e95c18ed06d4c4d4bb2ae4c8abcc373e3f42801f7195f

SHA512
eb414a794aba409b4e83570d378d3dc1eca48e67400dfac07827b8031031e75a4fc50ad9dcd7c5dc572ab9041d749af1c49a7237d7dff9488012acbe1ec9f8ea

Download Submit
C:\Windows\{AA1AC04E-95BF-4189-BD5E-D0277B23BD7B}.exe

Filesize
380KB

MD5
c15b8d3b00ad44df7f2063c0561addeb

SHA1
fa6564890923ffc9a208bd7c74c2f41a750a3136

SHA256
0411ac5e6da93eb999ba71180306f0ad8d420b3364e0da2de2505df99f5f87a3

SHA512
d60be92e98b205e7bfe481202a782dc5a9e25a84726ae61f7627bcea89e43ff182e2ae1d123be74711695cee94e313b0a32cd008a48563073ed644a7f1b887d3

Download Submit
C:\Windows\{BB69939F-E78F-460e-891F-5D8E766A5666}.exe

Filesize
380KB

MD5
ce361fbbe5de072c6f168dd6e243d6c1

SHA1
ef55d542c6d04c2a858bf590aec09bd74edbf07d

SHA256
f2d877f6a1818051626b2b19d12dcd5db9a8df29211f921b3587e9bb46a2fdd2

SHA512
c7411008b0aa679012d786900202915163d8226b3a152d6c99216935d3361ed5efec604b0ba2cd289c1118a2a1d70e89d5ac719d95b351050971349470138ed8

Download Submit
C:\Windows\{ED2326FB-2B4B-4ed0-8D15-68F852531A11}.exe

Filesize
380KB

MD5
683ffdc743185b555b22faa4cbbb049a

SHA1
cb72f0e341ca80a54468b4e00b36c486a6d8bb6f

SHA256
a0201364ca79eac7c68febe5ddee4e0ef7da4f3cf5ecaae4d64914b31e310f8c

SHA512
8034806fa468c18aebd9c33ae6faad47ec5ba395c856a707ede462a0c97e3cd2422d5fb95e59d3cd5017a2096be1415ef11d774a6c87a9af7cf0c0d14dcc58ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads