0c8fe5a1429cd694cb15844741f0a4a1bf7becce914eec97fd203fbbaca496c7

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 09:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Size

408KB
MD5

0da0106d0e42f6d3197596e84859fcad
SHA1

5ef5b60fda6b4b357fb9ed74d09f39ae7bf5ddc4
SHA256

0c8fe5a1429cd694cb15844741f0a4a1bf7becce914eec97fd203fbbaca496c7
SHA512

1c2ae21ea0d66d3fe27ca7ac039eec544944924906f0e776fc0027eaa2392cca37cec13e6860d778f8b7bf3ca84bff6071ddb767b48ef34f1dd94fca5c925d7b
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F99E36D9-8852-451a-9F92-578392A097E1}	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F99E36D9-8852-451a-9F92-578392A097E1}\stubpath = "C:\\Windows\\{F99E36D9-8852-451a-9F92-578392A097E1}.exe"	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076612D2-CA93-491f-8106-D15271EC898C}	{F99E36D9-8852-451a-9F92-578392A097E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}\stubpath = "C:\\Windows\\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe"	{076612D2-CA93-491f-8106-D15271EC898C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}\stubpath = "C:\\Windows\\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe"	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}\stubpath = "C:\\Windows\\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe"	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{788482DA-640F-4107-842A-44B4C82525E7}	{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}	{788482DA-640F-4107-842A-44B4C82525E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}\stubpath = "C:\\Windows\\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe"	{788482DA-640F-4107-842A-44B4C82525E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}\stubpath = "C:\\Windows\\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe"	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F40201-EA49-4efd-A381-6B2688CB368D}\stubpath = "C:\\Windows\\{58F40201-EA49-4efd-A381-6B2688CB368D}.exe"	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{076612D2-CA93-491f-8106-D15271EC898C}\stubpath = "C:\\Windows\\{076612D2-CA93-491f-8106-D15271EC898C}.exe"	{F99E36D9-8852-451a-9F92-578392A097E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}\stubpath = "C:\\Windows\\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe"	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F40201-EA49-4efd-A381-6B2688CB368D}	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6191B4A3-6947-4da3-B973-81F7C89D5E72}	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{788482DA-640F-4107-842A-44B4C82525E7}\stubpath = "C:\\Windows\\{788482DA-640F-4107-842A-44B4C82525E7}.exe"	{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}\stubpath = "C:\\Windows\\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe"	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}	{076612D2-CA93-491f-8106-D15271EC898C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6191B4A3-6947-4da3-B973-81F7C89D5E72}\stubpath = "C:\\Windows\\{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe"	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe

Executes dropped EXE 11 IoCs

pid	Process
1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe
3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe
376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
3532	{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe
4116	{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
File created	C:\Windows\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
File created	C:\Windows\{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
File created	C:\Windows\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	{076612D2-CA93-491f-8106-D15271EC898C}.exe
File created	C:\Windows\{076612D2-CA93-491f-8106-D15271EC898C}.exe	{F99E36D9-8852-451a-9F92-578392A097E1}.exe
File created	C:\Windows\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
File created	C:\Windows\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
File created	C:\Windows\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe	{788482DA-640F-4107-842A-44B4C82525E7}.exe
File created	C:\Windows\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
File created	C:\Windows\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
File created	C:\Windows\{F99E36D9-8852-451a-9F92-578392A097E1}.exe	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
Token: SeIncBasePriorityPrivilege	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
Token: SeIncBasePriorityPrivilege	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
Token: SeIncBasePriorityPrivilege	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
Token: SeIncBasePriorityPrivilege	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe
Token: SeIncBasePriorityPrivilege	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe
Token: SeIncBasePriorityPrivilege	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
Token: SeIncBasePriorityPrivilege	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
Token: SeIncBasePriorityPrivilege	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
Token: SeIncBasePriorityPrivilege	5048	{788482DA-640F-4107-842A-44B4C82525E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1776	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	86
PID 324 wrote to memory of 1776	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	86
PID 324 wrote to memory of 1776	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	86
PID 324 wrote to memory of 4660	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	87
PID 324 wrote to memory of 4660	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	87
PID 324 wrote to memory of 4660	324	2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe	87
PID 1776 wrote to memory of 2392	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	88
PID 1776 wrote to memory of 2392	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	88
PID 1776 wrote to memory of 2392	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	88
PID 1776 wrote to memory of 2532	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	89
PID 1776 wrote to memory of 2532	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	89
PID 1776 wrote to memory of 2532	1776	{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe	89
PID 2392 wrote to memory of 2680	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	93
PID 2392 wrote to memory of 2680	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	93
PID 2392 wrote to memory of 2680	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	93
PID 2392 wrote to memory of 2920	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	94
PID 2392 wrote to memory of 2920	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	94
PID 2392 wrote to memory of 2920	2392	{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe	94
PID 2680 wrote to memory of 2508	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	95
PID 2680 wrote to memory of 2508	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	95
PID 2680 wrote to memory of 2508	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	95
PID 2680 wrote to memory of 4880	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	96
PID 2680 wrote to memory of 4880	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	96
PID 2680 wrote to memory of 4880	2680	{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe	96
PID 2508 wrote to memory of 1592	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	97
PID 2508 wrote to memory of 1592	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	97
PID 2508 wrote to memory of 1592	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	97
PID 2508 wrote to memory of 2272	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	98
PID 2508 wrote to memory of 2272	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	98
PID 2508 wrote to memory of 2272	2508	{58F40201-EA49-4efd-A381-6B2688CB368D}.exe	98
PID 1592 wrote to memory of 3464	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	99
PID 1592 wrote to memory of 3464	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	99
PID 1592 wrote to memory of 3464	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	99
PID 1592 wrote to memory of 3504	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	100
PID 1592 wrote to memory of 3504	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	100
PID 1592 wrote to memory of 3504	1592	{F99E36D9-8852-451a-9F92-578392A097E1}.exe	100
PID 3464 wrote to memory of 376	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	101
PID 3464 wrote to memory of 376	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	101
PID 3464 wrote to memory of 376	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	101
PID 3464 wrote to memory of 1672	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	102
PID 3464 wrote to memory of 1672	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	102
PID 3464 wrote to memory of 1672	3464	{076612D2-CA93-491f-8106-D15271EC898C}.exe	102
PID 376 wrote to memory of 1620	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	103
PID 376 wrote to memory of 1620	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	103
PID 376 wrote to memory of 1620	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	103
PID 376 wrote to memory of 4316	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	104
PID 376 wrote to memory of 4316	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	104
PID 376 wrote to memory of 4316	376	{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe	104
PID 1620 wrote to memory of 4428	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	105
PID 1620 wrote to memory of 4428	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	105
PID 1620 wrote to memory of 4428	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	105
PID 1620 wrote to memory of 3324	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	106
PID 1620 wrote to memory of 3324	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	106
PID 1620 wrote to memory of 3324	1620	{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe	106
PID 4428 wrote to memory of 3532	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	107
PID 4428 wrote to memory of 3532	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	107
PID 4428 wrote to memory of 3532	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	107
PID 4428 wrote to memory of 2072	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	108
PID 4428 wrote to memory of 2072	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	108
PID 4428 wrote to memory of 2072	4428	{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe	108
PID 5048 wrote to memory of 4116	5048	{788482DA-640F-4107-842A-44B4C82525E7}.exe	111
PID 5048 wrote to memory of 4116	5048	{788482DA-640F-4107-842A-44B4C82525E7}.exe	111
PID 5048 wrote to memory of 4116	5048	{788482DA-640F-4107-842A-44B4C82525E7}.exe	111
PID 5048 wrote to memory of 4412	5048	{788482DA-640F-4107-842A-44B4C82525E7}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_0da0106d0e42f6d3197596e84859fcad_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
  C:\Windows\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
    C:\Windows\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
      C:\Windows\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
        
        C:\Windows\{58F40201-EA49-4efd-A381-6B2688CB368D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{F99E36D9-8852-451a-9F92-578392A097E1}.exe
        
        C:\Windows\{F99E36D9-8852-451a-9F92-578392A097E1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{076612D2-CA93-491f-8106-D15271EC898C}.exe
        
        C:\Windows\{076612D2-CA93-491f-8106-D15271EC898C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
        
        C:\Windows\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
        
        C:\Windows\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
        
        C:\Windows\{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe
        
        C:\Windows\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\{788482DA-640F-4107-842A-44B4C82525E7}.exe
        
        C:\Windows\{788482DA-640F-4107-842A-44B4C82525E7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe
        
        C:\Windows\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe
        13⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78848~1.EXE > nul
        13⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBC3~1.EXE > nul
        12⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6191B~1.EXE > nul
        11⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E1BF~1.EXE > nul
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68CE7~1.EXE > nul
        9⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07661~1.EXE > nul
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F99E3~1.EXE > nul
        7⤵
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58F40~1.EXE > nul
        6⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A75EB~1.EXE > nul
        5⤵
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B797~1.EXE > nul
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25566~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{076612D2-CA93-491f-8106-D15271EC898C}.exe

Filesize
408KB

MD5
0a00305c0b9210ce62bece57d554150d

SHA1
a14799d184f3f5d3fd38be22bf8a2b9e6b3667a5

SHA256
cb514e882982677e7b908bf745b550410c6d75655678ed57174c24975b1ffca2

SHA512
65b6a8a344ab946f80bf71eea2f7e76f0f92af9ae4e0de38c6920cfcd908effc63ed75a35cb03dc1f69ddfd13a44517e88cbfd46027c6969cbfed38d785747b1

Download Submit
C:\Windows\{2556629B-D94E-4c46-9E4C-C8830F85D0ED}.exe

Filesize
408KB

MD5
ac7d2540e2b1ae2b29fb30c7a40cc7c0

SHA1
6b6ef5d45333e80c6860e9cc4356fb9f7e462c92

SHA256
2f751b6e99742d07b8b1f24d77eebf15e8bdcaa549bb91e7085c629ba8a56bdd

SHA512
b1e178acfa837e580bb53aa9086c4f32c041dc434792d1fe60956de50f58da9e0a0d27cfe57bf07a448c6e3596752cf7abe48f6078963da7db3156121b3cdde5

Download Submit
C:\Windows\{4E1BFE2E-5037-470e-9A6E-B6A3488C983F}.exe

Filesize
408KB

MD5
95a5e960dc696625cc9ab4f470315c31

SHA1
c83286e37b43e5667cf2a1d366d457930bc5cb99

SHA256
2debe86a6e79ea0038cdeb6e8e302b00d883ef4268221b0ccb8e9d642dba38a7

SHA512
ff4a142893f267cdd2b4e533cc8c4d99f964438c228eec9383dcf2c63acfac89a8241fdb86f2a1f2bdf84192587fa652a5f083c656bcbdde4192a6b4e32ad4d4

Download Submit
C:\Windows\{58F40201-EA49-4efd-A381-6B2688CB368D}.exe

Filesize
408KB

MD5
8a9579485cb06247cea01420363c8840

SHA1
8820e48909c874c4c084bd0ef50f60025c03c6c8

SHA256
67ef336ab88cd3d9b1db8697a452ac255828411d6306ef01fe0e690cf05868c6

SHA512
f046a08a4a717eba947141ff7ece8661c9f952b72fad72e55cd38de53178cd87622dc889ee27837ca717745f59b2ce2cc955b8a946d44c9e4f53e68571acafec

Download Submit
C:\Windows\{6191B4A3-6947-4da3-B973-81F7C89D5E72}.exe

Filesize
408KB

MD5
7e51fe88cabcae1676dc1f6e951c409f

SHA1
4cfb08cb4510f646e059636cff1f89c7e87861cd

SHA256
c89c2bb778a81cd5ab5f80eca9c9680834da6a7cf3f70b5d2e1cfdf745ce6d02

SHA512
5a1d776dda6adc8e75a0ea72cca8a78358291aa168c1b28da756b612979dab8a040e6b0e92691315af4695bf5ff2535509a2f247d21361b0a23b9261f3485f9f

Download Submit
C:\Windows\{68CE7327-B376-4e40-B0D8-23D7BDDE0FB1}.exe

Filesize
408KB

MD5
7d6fd983664834914dceeaffe80740f9

SHA1
8dfcaf5ead7c98fdae3b6c3a4ff23e12b7bc47c7

SHA256
31bce794c2025a5992840cd95460d47709dc42229eb4615e3165c157eab9c3da

SHA512
44c002ab286736f10931a27ca1cac24ced3bbe342037ecd0400f3a3c05176e4a9ca49418b608d5bca7cb824b6bfc1b5a1a956286bd1d48146c9ced6c40c7adeb

Download Submit
C:\Windows\{7B797DB6-0525-4bfd-8EA4-582BDFFF0270}.exe

Filesize
408KB

MD5
47930697f374cd430c7e4f2d5f1316ab

SHA1
1ec46e2d69d6e94de940b059da1a267f6e95b52c

SHA256
34da7582b44d76bd2e542e381d02938e44dc66ebdf061360ff00c2af4b0f6d6d

SHA512
4d1670c98df789ce079ab7a32a31ecf1293507d8d1807c866c083129c81cebb9cb3bf17bdf445c5c69855ab659f9f28382c63eeed110f8edfc963af2a46fb2b4

Download Submit
C:\Windows\{7DBC371E-8036-4b9f-A7FC-F82FEE47AB69}.exe

Filesize
408KB

MD5
6a59dabe8d72cd4c6276514e834a1f98

SHA1
cff29a93484738d501a7bc9a5648fa2051708b18

SHA256
216b4fe7f5a50646207a83ecb0cccdaeacf0e83fa53403743b5fe38cc6c74e61

SHA512
b03eaf0c8611837bd87faa7be157737d580712848e6d684e3a2fdf7576a44a1dc8a88ec71983e900cba43375187af1e9a43df063b7bc0edde692f2887fc91619

Download Submit
C:\Windows\{A75EBF5F-3646-4173-8CEC-3F31326ECEB9}.exe

Filesize
408KB

MD5
95068b4faa45c8ea1608b50a6dd72bc3

SHA1
214312bbc6b26edec5d58755ef76741f75ac8bd6

SHA256
0cd0a858a9d80f9f91fa4a1bb7faa6fa68558eb0ce57cfb76a2bfd489da57293

SHA512
caa6355edc1ab7460dcb654e6ead29594942456a1934effa936d34fa450a1c24e9befca6ab17a4dbf35793e3dc5b63b863819227f96a9964418a446c44d2853d

Download Submit
C:\Windows\{B1E1CB9A-7F2C-441a-96FD-1A2B53E2D527}.exe

Filesize
408KB

MD5
af5f0043641d2a6af2910a05793150c0

SHA1
4cce353de655335d7a6167eb367226305eac7dc3

SHA256
b1edf7d74f6f36e6337fe7ae189402b70ab86008e3d31883550f90cea1e2ba49

SHA512
3af3091cb378d200b43bb7affec610dfd050f358a116cc042030ae68603c3a03c1c619f82626cc04ab7cb5f41cd864ee0efabbdd3137391532a2b9c743da7021

Download Submit
C:\Windows\{F99E36D9-8852-451a-9F92-578392A097E1}.exe

Filesize
408KB

MD5
5598d35ceb87ed0ab41f0da0108a1e4a

SHA1
9133abac39040ed8dbd86ca0e6a2d715dfc9c362

SHA256
c857bdd7b8ca7b4d2f7c039c75c7a3aa05c32ee8c3942794a72a3ec110318873

SHA512
2007990576e4c3ece37355b9c911059f1acae3cd65edfa4c117f977db22b35d1b3db08c36c5bcd2dcf1d8b0a608bc7b8a5fe91fe49ae86327baa4c77d48691a2

Download Submit
memory/3532-39-0x00000000039B0000-0x0000000003A8B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads