96ceb38679a816db252416022251b050b007617de3e812f0fbcd3f023e44b6ad

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
Size

408KB
MD5

b392ae62ca2f3c14b2e0ea072f902a68
SHA1

ca788848da39e554c9451897ecfcd7d2996df779
SHA256

96ceb38679a816db252416022251b050b007617de3e812f0fbcd3f023e44b6ad
SHA512

6198f1b00992ef895d3a157595a743d07144586c379f6198c0b2fe18941085d1f745cb34a6db0603db80ea0a9b06179311ae7ae33a76cc42b93fe006a78b3e82
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGsldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}\stubpath = "C:\\Windows\\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe"	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}\stubpath = "C:\\Windows\\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe"	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}\stubpath = "C:\\Windows\\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe"	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}	{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}\stubpath = "C:\\Windows\\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe"	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B40CF6-1655-4881-A84F-11E0898923C1}	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1CF0A47-C3CD-477b-877A-3FB65978952A}\stubpath = "C:\\Windows\\{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe"	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2205485D-E374-402a-A1BC-2852F7AAC0B6}\stubpath = "C:\\Windows\\{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe"	{6F57A726-02D7-4543-B852-436F5C433662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}\stubpath = "C:\\Windows\\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe"	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}\stubpath = "C:\\Windows\\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe"	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B40CF6-1655-4881-A84F-11E0898923C1}\stubpath = "C:\\Windows\\{86B40CF6-1655-4881-A84F-11E0898923C1}.exe"	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F57A726-02D7-4543-B852-436F5C433662}	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2205485D-E374-402a-A1BC-2852F7AAC0B6}	{6F57A726-02D7-4543-B852-436F5C433662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}\stubpath = "C:\\Windows\\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe"	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1CF0A47-C3CD-477b-877A-3FB65978952A}	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F57A726-02D7-4543-B852-436F5C433662}\stubpath = "C:\\Windows\\{6F57A726-02D7-4543-B852-436F5C433662}.exe"	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}\stubpath = "C:\\Windows\\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe"	{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe

Executes dropped EXE 12 IoCs

pid	Process
2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe
412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
4532	{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe
4068	{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
File created	C:\Windows\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
File created	C:\Windows\{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
File created	C:\Windows\{6F57A726-02D7-4543-B852-436F5C433662}.exe	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
File created	C:\Windows\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
File created	C:\Windows\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
File created	C:\Windows\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
File created	C:\Windows\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
File created	C:\Windows\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
File created	C:\Windows\{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
File created	C:\Windows\{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe	{6F57A726-02D7-4543-B852-436F5C433662}.exe
File created	C:\Windows\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe	{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
Token: SeIncBasePriorityPrivilege	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
Token: SeIncBasePriorityPrivilege	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
Token: SeIncBasePriorityPrivilege	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
Token: SeIncBasePriorityPrivilege	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
Token: SeIncBasePriorityPrivilege	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
Token: SeIncBasePriorityPrivilege	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
Token: SeIncBasePriorityPrivilege	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
Token: SeIncBasePriorityPrivilege	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe
Token: SeIncBasePriorityPrivilege	412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
Token: SeIncBasePriorityPrivilege	4532	{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2612	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	93
PID 4600 wrote to memory of 2612	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	93
PID 4600 wrote to memory of 2612	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	93
PID 4600 wrote to memory of 4320	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	94
PID 4600 wrote to memory of 4320	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	94
PID 4600 wrote to memory of 4320	4600	2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe	94
PID 2612 wrote to memory of 4048	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	96
PID 2612 wrote to memory of 4048	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	96
PID 2612 wrote to memory of 4048	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	96
PID 2612 wrote to memory of 4604	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	97
PID 2612 wrote to memory of 4604	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	97
PID 2612 wrote to memory of 4604	2612	{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe	97
PID 4048 wrote to memory of 4640	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	101
PID 4048 wrote to memory of 4640	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	101
PID 4048 wrote to memory of 4640	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	101
PID 4048 wrote to memory of 2948	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	102
PID 4048 wrote to memory of 2948	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	102
PID 4048 wrote to memory of 2948	4048	{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe	102
PID 4640 wrote to memory of 3448	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	103
PID 4640 wrote to memory of 3448	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	103
PID 4640 wrote to memory of 3448	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	103
PID 4640 wrote to memory of 68	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	104
PID 4640 wrote to memory of 68	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	104
PID 4640 wrote to memory of 68	4640	{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe	104
PID 3448 wrote to memory of 4692	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	105
PID 3448 wrote to memory of 4692	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	105
PID 3448 wrote to memory of 4692	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	105
PID 3448 wrote to memory of 3732	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	106
PID 3448 wrote to memory of 3732	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	106
PID 3448 wrote to memory of 3732	3448	{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe	106
PID 4692 wrote to memory of 2684	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	109
PID 4692 wrote to memory of 2684	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	109
PID 4692 wrote to memory of 2684	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	109
PID 4692 wrote to memory of 1928	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	110
PID 4692 wrote to memory of 1928	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	110
PID 4692 wrote to memory of 1928	4692	{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe	110
PID 2684 wrote to memory of 4356	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	111
PID 2684 wrote to memory of 4356	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	111
PID 2684 wrote to memory of 4356	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	111
PID 2684 wrote to memory of 1380	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	112
PID 2684 wrote to memory of 1380	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	112
PID 2684 wrote to memory of 1380	2684	{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe	112
PID 4356 wrote to memory of 4020	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	117
PID 4356 wrote to memory of 4020	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	117
PID 4356 wrote to memory of 4020	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	117
PID 4356 wrote to memory of 404	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	118
PID 4356 wrote to memory of 404	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	118
PID 4356 wrote to memory of 404	4356	{86B40CF6-1655-4881-A84F-11E0898923C1}.exe	118
PID 4020 wrote to memory of 3456	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	122
PID 4020 wrote to memory of 3456	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	122
PID 4020 wrote to memory of 3456	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	122
PID 4020 wrote to memory of 312	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	123
PID 4020 wrote to memory of 312	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	123
PID 4020 wrote to memory of 312	4020	{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe	123
PID 3456 wrote to memory of 412	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	124
PID 3456 wrote to memory of 412	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	124
PID 3456 wrote to memory of 412	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	124
PID 3456 wrote to memory of 1212	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	125
PID 3456 wrote to memory of 1212	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	125
PID 3456 wrote to memory of 1212	3456	{6F57A726-02D7-4543-B852-436F5C433662}.exe	125
PID 412 wrote to memory of 4532	412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe	126
PID 412 wrote to memory of 4532	412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe	126
PID 412 wrote to memory of 4532	412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe	126
PID 412 wrote to memory of 3496	412	{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_b392ae62ca2f3c14b2e0ea072f902a68_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
  C:\Windows\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
    C:\Windows\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
      C:\Windows\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
        
        C:\Windows\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
        
        C:\Windows\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
        
        C:\Windows\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
        
        C:\Windows\{86B40CF6-1655-4881-A84F-11E0898923C1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
        
        C:\Windows\{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{6F57A726-02D7-4543-B852-436F5C433662}.exe
        
        C:\Windows\{6F57A726-02D7-4543-B852-436F5C433662}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
        
        C:\Windows\{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe
        
        C:\Windows\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe
        
        C:\Windows\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{033C9~1.EXE > nul
        13⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22054~1.EXE > nul
        12⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F57A~1.EXE > nul
        11⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1CF0~1.EXE > nul
        10⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86B40~1.EXE > nul
        9⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75CDC~1.EXE > nul
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76CEF~1.EXE > nul
        7⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A627D~1.EXE > nul
        6⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B85~1.EXE > nul
        5⤵
        
        PID:68
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE6AC~1.EXE > nul
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3BDD6~1.EXE > nul
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033C9352-DB9B-42c4-B048-5E8EEA4BF633}.exe

Filesize
408KB

MD5
bfa16b688a95fce505146e524604e290

SHA1
6adc8020f802ee577ecdba45c4e58c4ec5e6b9c8

SHA256
d3de955486aff3bc054d42a682b5e1a0e250bd631e1d8e9df4c9fae713a4d710

SHA512
b5b1a92154d6d2258ded4ec31634c8492304e49e8f005c2834468645ac5a0a1f4b4d215bbc9bc04b2881a32e972bb12b8db19acb3d8c98a08826acf6b61581a3

Download Submit
C:\Windows\{2205485D-E374-402a-A1BC-2852F7AAC0B6}.exe

Filesize
408KB

MD5
35797ace4eef102beeee61e626a9cc74

SHA1
1a8eb8b5a15bedd346429eace360c16e943efa25

SHA256
18fcdf84eec85fa48631518452496186b8651574eb1b74a3d32470426118d5db

SHA512
e6b7b65401f7c9f5d9d8506691f3328b6bbf065dc990c27bbe041d196ba9cc933007cbea647dae22d98ed2fd57844728837ec80c7e0782338ebeade095d8e71c

Download Submit
C:\Windows\{2CDBB1CC-6301-47ea-886A-05C8E85B1ECB}.exe

Filesize
408KB

MD5
fc3a715ea2f04f5fc8f1006191318c17

SHA1
02dae125ade601bb99c8a9168288493410ba47ff

SHA256
3c3595757d5c4a6b5b29bb1fdbc5a1769e87ca9cd685eda2ec1eca8de1d39dc1

SHA512
a0105f67ce7c9a6f18d8ea325aa1136257896ea35956a3f314476b55c2f218e77db93906cca9dd5a5a5b3a6b60ac2ff23425b4e37f4200b78e2950acd18df5c8

Download Submit
C:\Windows\{3BDD6960-BEAD-4a9b-BBA4-BB165BE8CDC9}.exe

Filesize
408KB

MD5
3c24244e9dd6f939910b2becea8d0d46

SHA1
970ba319712b687e8d212549e20a233bb3de9749

SHA256
b81375f291bfdbb45ffdb02218df91cb057be71925d923673ee9a71a9a6cfc85

SHA512
7e251e89f35b570e81212217a812e611ad4a0f299e3890267fdf7834bbd044768df9e3da361f9c35731f6ba2e2b9d4dc0a32b234f1b690f943cd49dbdc50c3f5

Download Submit
C:\Windows\{6F57A726-02D7-4543-B852-436F5C433662}.exe

Filesize
408KB

MD5
258ad1e83d0826c2addaefe6c6f6a8bf

SHA1
9524def7c5c3188ecc6142b8b61d029d8e4a5126

SHA256
046d1b78039120c8867b396e12f09db658a4f90a599543a727e2968f4080c46a

SHA512
9793c6d1782b1b5ed4ed1e6198e8ab831ffbe5fbf91a9c5efba6fad6b648094bfff537e6cf8a9b3c22985342ce2fcde9bb11d598bdf2d693c7edba74959562d8

Download Submit
C:\Windows\{75CDC0E4-141C-4010-9B74-20DBA9DC5F12}.exe

Filesize
408KB

MD5
c185759abced26a6ed3a75c4cf2cb13c

SHA1
45f44deec417f2e3d8e3fd7494f5ee99eb1de6aa

SHA256
2f08edeb8786e1f21faef33ae62f04066df0132ea965bbb0a77cb4af5218ccd5

SHA512
0ec34bfe30aef1271ebeb3d36c4c949f24692b1919117b9482c041aec7de52ce1b090f8eec6ed6fe477d9a98627284c9cf413847c7b9578ab5aae02cbb2f37ea

Download Submit
C:\Windows\{76CEF4D5-FEF7-41fc-856A-99B08D7364CA}.exe

Filesize
408KB

MD5
b1a43dbc425723496dfee03da66dc993

SHA1
2b08f7cab0ab3c1dcbf0484be7da9e8e46c2adb5

SHA256
5cafaab4026e92743fba7860405538a0be543727b272ebbfa8123621be1803e2

SHA512
e31f085a920df60d4463ceb3bff6cef5ed7e631b99e6aabc278b3d66f989f0f0742ccf1ad9dc3864cc851c647a2a7878169e26fa82e5f7c03e986efe69d6b33a

Download Submit
C:\Windows\{86B40CF6-1655-4881-A84F-11E0898923C1}.exe

Filesize
408KB

MD5
a0b654f55536fc3ae57e919e09aa35b1

SHA1
c43baa2df82277d22e8cf898015496d7f537e16c

SHA256
733605adf19c8c98ea3e243cbcbfbe57d2c18dbdf09848e0551db43d43be258e

SHA512
c2b048d46b705e0c8fc6438be59ea841f7493196c72a8c753a428d51d24a739438842f774375009c865209d06a991d635c1d9a16c9743bb51d982f45ff1fdf2e

Download Submit
C:\Windows\{A3B8553A-4B5E-4fe3-B7E5-C9FC61505D8A}.exe

Filesize
408KB

MD5
5a76ae52a81f57ace097948730a87242

SHA1
c9e474467211910ea58978c212682fcb3c7bcc1a

SHA256
161075f8ba19970679cb1b1a0177c1091f266e41282826f424e079f8f3731814

SHA512
e0da764ab10392ef10f2ed95bd1d60012ce216def84201a64b7bea2868778f697d08da113dad1d7918def6d4c8108d5ed399fe43cc3030d5cdfe8bf9bc47d092

Download Submit
C:\Windows\{A627D2C4-9E8B-4db4-978F-09E67C3811C5}.exe

Filesize
408KB

MD5
d873765a354b36e926821124e6a39a2a

SHA1
b65d918d27c227268a6a0787d4e3d101165ebdcc

SHA256
1a2a90989591f82026c2fdc979efd9bdbd5af0d3944db08e7f99b104cb44a510

SHA512
5db6dd9cb151ff56e0210f3e4615ca030325096dc66a677539328b7963c06975872faeae0c974589b6bcf5e96dc2f8cf1f92c1f7824c7d12952dd44a6388ed8b

Download Submit
C:\Windows\{F1CF0A47-C3CD-477b-877A-3FB65978952A}.exe

Filesize
408KB

MD5
ab876badc9c1bf47988636f4acf89a38

SHA1
039b3e6cf5d85f8ae1690c62dfb15723a8f97739

SHA256
243094946fc86d06e760d9d2f9b697fa2ad63d88651c4ff648bef4738fe1e480

SHA512
00cd170300748f145609cf142703f054f09e2d8938041ec67a4708523c9ec924111d9dbc83605f79fe9fb9d20146ae08f4f5c41006f2cc02bf21be603efdec2d

Download Submit
C:\Windows\{FE6ACC0D-3C2D-4bbc-AECF-4DB1180E0209}.exe

Filesize
408KB

MD5
a64dec256b2f593599d9ed5b1b4f3e9d

SHA1
f2e7769c2e8c7a0f24f0719a623f05e768a96af7

SHA256
8a313f45f123c5944ba550fbd2c781e640e980402f01d9c68006554b1fbd5c5b

SHA512
a7c1a6369d86fb637e31cf02b1909c51076a437dfb25bd1c980b57fde2e5c5eec0b889b746c432fa8d9c7eb0835220a412fb8261eb5cd2071c1a1f9568d40e04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads