0c8fe5a1429cd694cb15844741f0a4a1bf7becce914eec97fd203fbbaca496c7

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Size

408KB
MD5

0da0106d0e42f6d3197596e84859fcad
SHA1

5ef5b60fda6b4b357fb9ed74d09f39ae7bf5ddc4
SHA256

0c8fe5a1429cd694cb15844741f0a4a1bf7becce914eec97fd203fbbaca496c7
SHA512

1c2ae21ea0d66d3fe27ca7ac039eec544944924906f0e776fc0027eaa2392cca37cec13e6860d778f8b7bf3ca84bff6071ddb767b48ef34f1dd94fca5c925d7b
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808E2BDF-2222-4b3b-8625-2A752C42B384}	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229732F2-2B23-4ebf-85AE-25805226481C}	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01AC54F-331A-4b12-866D-429885A51965}	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808E2BDF-2222-4b3b-8625-2A752C42B384}\stubpath = "C:\\Windows\\{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe"	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296050EC-715B-4a48-AC46-6DD4A8E49364}	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296050EC-715B-4a48-AC46-6DD4A8E49364}\stubpath = "C:\\Windows\\{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe"	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{998E8933-33EF-4df7-9C05-7D798304A154}\stubpath = "C:\\Windows\\{998E8933-33EF-4df7-9C05-7D798304A154}.exe"	{229732F2-2B23-4ebf-85AE-25805226481C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEBC340-108E-40bd-894A-73656EC301FF}	{998E8933-33EF-4df7-9C05-7D798304A154}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}	{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}\stubpath = "C:\\Windows\\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe"	{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}\stubpath = "C:\\Windows\\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe"	{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{229732F2-2B23-4ebf-85AE-25805226481C}\stubpath = "C:\\Windows\\{229732F2-2B23-4ebf-85AE-25805226481C}.exe"	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{998E8933-33EF-4df7-9C05-7D798304A154}	{229732F2-2B23-4ebf-85AE-25805226481C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1324B41E-D396-42b2-9113-F0F0CCC5778A}\stubpath = "C:\\Windows\\{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe"	{F01AC54F-331A-4b12-866D-429885A51965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6923103C-A550-47ec-9DE6-D709F86724B3}\stubpath = "C:\\Windows\\{6923103C-A550-47ec-9DE6-D709F86724B3}.exe"	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}	{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}	{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FEBC340-108E-40bd-894A-73656EC301FF}\stubpath = "C:\\Windows\\{0FEBC340-108E-40bd-894A-73656EC301FF}.exe"	{998E8933-33EF-4df7-9C05-7D798304A154}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F01AC54F-331A-4b12-866D-429885A51965}\stubpath = "C:\\Windows\\{F01AC54F-331A-4b12-866D-429885A51965}.exe"	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1324B41E-D396-42b2-9113-F0F0CCC5778A}	{F01AC54F-331A-4b12-866D-429885A51965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6923103C-A550-47ec-9DE6-D709F86724B3}	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}\stubpath = "C:\\Windows\\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe"	{6923103C-A550-47ec-9DE6-D709F86724B3}.exe

Deletes itself 1 IoCs

pid	Process
1108	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe
2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe
2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe
1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
2520	{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
1584	{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
2588	{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
2184	{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	{998E8933-33EF-4df7-9C05-7D798304A154}.exe
File created	C:\Windows\{6923103C-A550-47ec-9DE6-D709F86724B3}.exe	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
File created	C:\Windows\{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
File created	C:\Windows\{998E8933-33EF-4df7-9C05-7D798304A154}.exe	{229732F2-2B23-4ebf-85AE-25805226481C}.exe
File created	C:\Windows\{F01AC54F-331A-4b12-866D-429885A51965}.exe	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
File created	C:\Windows\{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	{F01AC54F-331A-4b12-866D-429885A51965}.exe
File created	C:\Windows\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe	{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
File created	C:\Windows\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe	{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
File created	C:\Windows\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe	{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
File created	C:\Windows\{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
File created	C:\Windows\{229732F2-2B23-4ebf-85AE-25805226481C}.exe	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
Token: SeIncBasePriorityPrivilege	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
Token: SeIncBasePriorityPrivilege	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe
Token: SeIncBasePriorityPrivilege	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe
Token: SeIncBasePriorityPrivilege	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
Token: SeIncBasePriorityPrivilege	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe
Token: SeIncBasePriorityPrivilege	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
Token: SeIncBasePriorityPrivilege	2520	{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
Token: SeIncBasePriorityPrivilege	1584	{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
Token: SeIncBasePriorityPrivilege	2588	{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2800	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	29
PID 2528 wrote to memory of 2800	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	29
PID 2528 wrote to memory of 2800	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	29
PID 2528 wrote to memory of 2800	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	29
PID 2528 wrote to memory of 1108	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	30
PID 2528 wrote to memory of 1108	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	30
PID 2528 wrote to memory of 1108	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	30
PID 2528 wrote to memory of 1108	2528	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	30
PID 2800 wrote to memory of 2752	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	31
PID 2800 wrote to memory of 2752	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	31
PID 2800 wrote to memory of 2752	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	31
PID 2800 wrote to memory of 2752	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	31
PID 2800 wrote to memory of 2020	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	32
PID 2800 wrote to memory of 2020	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	32
PID 2800 wrote to memory of 2020	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	32
PID 2800 wrote to memory of 2020	2800	{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe	32
PID 2752 wrote to memory of 2636	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	33
PID 2752 wrote to memory of 2636	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	33
PID 2752 wrote to memory of 2636	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	33
PID 2752 wrote to memory of 2636	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	33
PID 2752 wrote to memory of 2872	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	34
PID 2752 wrote to memory of 2872	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	34
PID 2752 wrote to memory of 2872	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	34
PID 2752 wrote to memory of 2872	2752	{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe	34
PID 2636 wrote to memory of 2628	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	35
PID 2636 wrote to memory of 2628	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	35
PID 2636 wrote to memory of 2628	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	35
PID 2636 wrote to memory of 2628	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	35
PID 2636 wrote to memory of 2688	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	36
PID 2636 wrote to memory of 2688	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	36
PID 2636 wrote to memory of 2688	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	36
PID 2636 wrote to memory of 2688	2636	{229732F2-2B23-4ebf-85AE-25805226481C}.exe	36
PID 2628 wrote to memory of 2504	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	37
PID 2628 wrote to memory of 2504	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	37
PID 2628 wrote to memory of 2504	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	37
PID 2628 wrote to memory of 2504	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	37
PID 2628 wrote to memory of 1140	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	38
PID 2628 wrote to memory of 1140	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	38
PID 2628 wrote to memory of 1140	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	38
PID 2628 wrote to memory of 1140	2628	{998E8933-33EF-4df7-9C05-7D798304A154}.exe	38
PID 2504 wrote to memory of 1772	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	39
PID 2504 wrote to memory of 1772	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	39
PID 2504 wrote to memory of 1772	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	39
PID 2504 wrote to memory of 1772	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	39
PID 2504 wrote to memory of 2100	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	40
PID 2504 wrote to memory of 2100	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	40
PID 2504 wrote to memory of 2100	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	40
PID 2504 wrote to memory of 2100	2504	{0FEBC340-108E-40bd-894A-73656EC301FF}.exe	40
PID 1772 wrote to memory of 1892	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	41
PID 1772 wrote to memory of 1892	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	41
PID 1772 wrote to memory of 1892	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	41
PID 1772 wrote to memory of 1892	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	41
PID 1772 wrote to memory of 1964	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	42
PID 1772 wrote to memory of 1964	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	42
PID 1772 wrote to memory of 1964	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	42
PID 1772 wrote to memory of 1964	1772	{F01AC54F-331A-4b12-866D-429885A51965}.exe	42
PID 1892 wrote to memory of 2520	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	43
PID 1892 wrote to memory of 2520	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	43
PID 1892 wrote to memory of 2520	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	43
PID 1892 wrote to memory of 2520	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	43
PID 1892 wrote to memory of 900	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	44
PID 1892 wrote to memory of 900	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	44
PID 1892 wrote to memory of 900	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	44
PID 1892 wrote to memory of 900	1892	{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
  C:\Windows\{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
    C:\Windows\{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{229732F2-2B23-4ebf-85AE-25805226481C}.exe
      C:\Windows\{229732F2-2B23-4ebf-85AE-25805226481C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{998E8933-33EF-4df7-9C05-7D798304A154}.exe
        
        C:\Windows\{998E8933-33EF-4df7-9C05-7D798304A154}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
        
        C:\Windows\{0FEBC340-108E-40bd-894A-73656EC301FF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{F01AC54F-331A-4b12-866D-429885A51965}.exe
        
        C:\Windows\{F01AC54F-331A-4b12-866D-429885A51965}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
        
        C:\Windows\{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
        
        C:\Windows\{6923103C-A550-47ec-9DE6-D709F86724B3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
        
        C:\Windows\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
        
        C:\Windows\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe
        
        C:\Windows\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe
        12⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FEB~1.EXE > nul
        12⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42CAE~1.EXE > nul
        11⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69231~1.EXE > nul
        10⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1324B~1.EXE > nul
        9⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F01AC~1.EXE > nul
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FEBC~1.EXE > nul
        7⤵
        
        PID:2100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{998E8~1.EXE > nul
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22973~1.EXE > nul
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29605~1.EXE > nul
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{808E2~1.EXE > nul
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FEBC340-108E-40bd-894A-73656EC301FF}.exe

Filesize
408KB

MD5
9e310a5f794bd56bd00aaf7de95cbefd

SHA1
b445a8d24c74d90db55126bcfc68758956303fdc

SHA256
f776342a7743f3eef6f87ce662865568a6fb4850c2ee80664efce306bd4ec5f6

SHA512
5b4946005457a6154d3dd77d1e164c7fb68080c3dc3d03b7f6090ece71355a4da342da07a5e8ca0ffca93ba9de24d8b508c38d21c6d37216ec8cdebfbfba94fe

Download Submit
C:\Windows\{1324B41E-D396-42b2-9113-F0F0CCC5778A}.exe

Filesize
408KB

MD5
d5d37cae0a89a2c66ae7669807670b01

SHA1
219e01f9c6462269a5af5ba944594ca6db37729c

SHA256
180e9fc4961526c27fb6db0e0c72aa3b0ea3cd4fc85076156f654c3e9d77d4ba

SHA512
333bafe1c28b592791c6283602e61158b7e0c111fe1f21df796e3365d3622226807a221ef00239959911f3ef34e1789dbc831d8e71867cf95e2a047663b9d84c

Download Submit
C:\Windows\{229732F2-2B23-4ebf-85AE-25805226481C}.exe

Filesize
408KB

MD5
719eeed05f0e9ad8d0b702a3bd227e95

SHA1
b9df3b3e9529bf8ef675a1d736fcd6aae8fc8c4a

SHA256
8c1752bdfad85b488dcccb38ba008fbc4777353e7249286a2a432a1c979b9c20

SHA512
e4ae6031b5c88099cd0e973bb41a900581aeabec2af8e888c6f4eeb64e27eb90fbcd482b1bfadb96034f23ed6019ab328f6a4024413308436354b905d1eac934

Download Submit
C:\Windows\{296050EC-715B-4a48-AC46-6DD4A8E49364}.exe

Filesize
408KB

MD5
9517902c67da3835d29941d691078efd

SHA1
251dc14c29d6fd6a20d937e6ffafe196d3d26eee

SHA256
e3c7895670e1a85d2e9c2fe50318804157236afb30329df5f414ebd299716ac7

SHA512
a7b43ad3e4e22eabac5d34407bd156be5edc96490f27854713b7780ca0a3899eaef4a46e737eed9ad0ae2a4748a5a7b0123b12a21d86f0d597d12870682645d7

Download Submit
C:\Windows\{42CAE9E0-5C02-46da-8F8B-A97D5CC54D05}.exe

Filesize
408KB

MD5
3f63e5d83ed261de5240a6786fc9042e

SHA1
3622600aba939d9ef694251bec819d35c174d084

SHA256
9432d9eda48c1e9af50142ce9ef130cb327e1603cd0d561d27df970b9f0c97a7

SHA512
3a91e0ecd706735befe0784e52a5c9c94468ffb4b2337c70cb0692637fb3aa258fae8279788f9a8f8c1d9897ae2225fceecf496db190547d0cb76b91002b0b86

Download Submit
C:\Windows\{4C39DEEA-87E1-450a-9989-73A85E0AAEFB}.exe

Filesize
408KB

MD5
8eb4f8b63858d1b9856b4cc511150bf8

SHA1
c048834d705541574c974c68a072db09ac105392

SHA256
d6ce831fb1fc48f53d315c64aff0f04c36399478747a7f60547800782c1988e2

SHA512
c30a5f8559e480545cf2df0478216504beead1b307472215cb547a68368e36460a1cf357252ec91f9aaea3e6c12686aaaa434581e97bbcfcc4cee14e6feffa9d

Download Submit
C:\Windows\{53FEB120-BD1B-4afb-BDBB-882E7D05DA76}.exe

Filesize
408KB

MD5
c57233ee2395693c3cd5ecca59292f35

SHA1
892d32ebe3f586b68a96623a7318c88db6a0d096

SHA256
a7ad2b4b88271c0f942415910514fd36dd26608bee39f4fb95f5628046f8b189

SHA512
42ee9a4a1e2818c1bc6cd9423cc9d00e44e2530777cabbdeadcf2e46db800394928d0ec024db06552a5a45bd91527998ad1a8d2616def31ad5fdc0682a69d70a

Download Submit
C:\Windows\{6923103C-A550-47ec-9DE6-D709F86724B3}.exe

Filesize
408KB

MD5
0a2723d8501760a9f66c4a564c9e7f45

SHA1
3a407ed4774abc415a676262c950b9991342ce00

SHA256
5d6408e07920b86b4c13bc1ba30833fa19727b301742413e9a38f2eeedd3c695

SHA512
7ed7439e4081aa27f8e23b1e37f6bf460732fd1bd5449315284edfd46953c89ebcb843809af3b79f31753032d7786e3c434e91d2ee7b74983339a3c202d59069

Download Submit
C:\Windows\{808E2BDF-2222-4b3b-8625-2A752C42B384}.exe

Filesize
408KB

MD5
d4d67bad348a33954648daa6beac918a

SHA1
0d0f7d49a806b03971dc6ab65ce9f7af1591a175

SHA256
9c643c22db55e6430a60ba131d7fcfc20755aa63e74813ee313f6683670f2cd6

SHA512
e585a2e78f60bdf082bc8ebac64f2a20c73b6600720105f1e618812d6ef2545e33fcb8c756d855e6430fd3d9570b4b079ff7328a44a9870dab1c222b2318a8d3

Download Submit
C:\Windows\{998E8933-33EF-4df7-9C05-7D798304A154}.exe

Filesize
408KB

MD5
4a33cfe4b406d2267446afc76562b12d

SHA1
cf5b1c8af096e62aa942dc069de71a1fc060b37a

SHA256
2dfecf74904e91164fdaad6f3e454c195f223249ad90b0369a4c450b2f96010f

SHA512
1463d8a72ed0162c5b13c9e549aae93bb8f3ed095d495a14e9dec031067e1708e0b15fbbfa27ace0a5e53f8f20c9d49476dd0c12eda3d0db4f80f30a78e76e9b

Download Submit
C:\Windows\{F01AC54F-331A-4b12-866D-429885A51965}.exe

Filesize
408KB

MD5
675bcaa65d6fdb96d96679b15ba15021

SHA1
c32d8403c7198d8b686fb31573aad5bf0dbf2536

SHA256
055b600e3ddea492d12143ed2d3bfdecc9053529eb8675108481b5f0f5abfb6a

SHA512
22147b82fb547f5f4281a4a4cedf862cd222b7f16218b5274d2ab31ab72c8c257b50af50034876df6afac066c85940e1319498cdcdf0e69f0ad02dd009c11864

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads