a876ee5b4e29c4bbb44ea04b02cabc8ce223cb295d5e9946c5f1ff42bb7ca985

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
Size

344KB
MD5

916d19585ed6bfa33106ff81925c9c92
SHA1

1ef461f571c041c5d828a502eecce4f443afc08a
SHA256

a876ee5b4e29c4bbb44ea04b02cabc8ce223cb295d5e9946c5f1ff42bb7ca985
SHA512

c17ffa3833044f72ac791746a1060670edae9d7bd08f29594d67b7292eeebfa28467e6d0cc02b81a0bbacc98e15635dfcd8bef2e176d6dbeb3b9c4ab04dc0995
SSDEEP

3072:mEGh0ollEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3D507A-9493-4287-9DCA-81B4E76D176F}	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3D507A-9493-4287-9DCA-81B4E76D176F}\stubpath = "C:\\Windows\\{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe"	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}\stubpath = "C:\\Windows\\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe"	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}\stubpath = "C:\\Windows\\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe"	{A642A619-BA59-4872-BB57-D493FE624C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE6128A-B9E1-480a-8741-C6250874EE4C}\stubpath = "C:\\Windows\\{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe"	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A642A619-BA59-4872-BB57-D493FE624C60}\stubpath = "C:\\Windows\\{A642A619-BA59-4872-BB57-D493FE624C60}.exe"	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}	{A642A619-BA59-4872-BB57-D493FE624C60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}\stubpath = "C:\\Windows\\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe"	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62FF500-F19C-42ba-814A-0A02DE77D32C}	{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}\stubpath = "C:\\Windows\\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe"	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}\stubpath = "C:\\Windows\\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe"	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A642A619-BA59-4872-BB57-D493FE624C60}	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE6128A-B9E1-480a-8741-C6250874EE4C}	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E329DEC-907B-4c05-B06C-2CF4F5290205}\stubpath = "C:\\Windows\\{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe"	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}\stubpath = "C:\\Windows\\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe"	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}\stubpath = "C:\\Windows\\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe"	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62FF500-F19C-42ba-814A-0A02DE77D32C}\stubpath = "C:\\Windows\\{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe"	{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E329DEC-907B-4c05-B06C-2CF4F5290205}	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe
824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
4420	{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
5004	{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
File created	C:\Windows\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe	{A642A619-BA59-4872-BB57-D493FE624C60}.exe
File created	C:\Windows\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
File created	C:\Windows\{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe	{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
File created	C:\Windows\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
File created	C:\Windows\{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
File created	C:\Windows\{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
File created	C:\Windows\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
File created	C:\Windows\{A642A619-BA59-4872-BB57-D493FE624C60}.exe	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
File created	C:\Windows\{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
File created	C:\Windows\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
File created	C:\Windows\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
Token: SeIncBasePriorityPrivilege	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
Token: SeIncBasePriorityPrivilege	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
Token: SeIncBasePriorityPrivilege	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
Token: SeIncBasePriorityPrivilege	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
Token: SeIncBasePriorityPrivilege	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
Token: SeIncBasePriorityPrivilege	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
Token: SeIncBasePriorityPrivilege	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
Token: SeIncBasePriorityPrivilege	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe
Token: SeIncBasePriorityPrivilege	824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
Token: SeIncBasePriorityPrivilege	4420	{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 4308	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	91
PID 1068 wrote to memory of 4308	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	91
PID 1068 wrote to memory of 4308	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	91
PID 1068 wrote to memory of 2376	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	92
PID 1068 wrote to memory of 2376	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	92
PID 1068 wrote to memory of 2376	1068	2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe	92
PID 4308 wrote to memory of 5912	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	94
PID 4308 wrote to memory of 5912	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	94
PID 4308 wrote to memory of 5912	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	94
PID 4308 wrote to memory of 5908	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	95
PID 4308 wrote to memory of 5908	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	95
PID 4308 wrote to memory of 5908	4308	{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe	95
PID 5912 wrote to memory of 5764	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	99
PID 5912 wrote to memory of 5764	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	99
PID 5912 wrote to memory of 5764	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	99
PID 5912 wrote to memory of 4088	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	100
PID 5912 wrote to memory of 4088	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	100
PID 5912 wrote to memory of 4088	5912	{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe	100
PID 5764 wrote to memory of 1260	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	101
PID 5764 wrote to memory of 1260	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	101
PID 5764 wrote to memory of 1260	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	101
PID 5764 wrote to memory of 1264	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	102
PID 5764 wrote to memory of 1264	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	102
PID 5764 wrote to memory of 1264	5764	{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe	102
PID 1260 wrote to memory of 1104	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	103
PID 1260 wrote to memory of 1104	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	103
PID 1260 wrote to memory of 1104	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	103
PID 1260 wrote to memory of 684	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	104
PID 1260 wrote to memory of 684	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	104
PID 1260 wrote to memory of 684	1260	{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe	104
PID 1104 wrote to memory of 928	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	106
PID 1104 wrote to memory of 928	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	106
PID 1104 wrote to memory of 928	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	106
PID 1104 wrote to memory of 4880	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	107
PID 1104 wrote to memory of 4880	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	107
PID 1104 wrote to memory of 4880	1104	{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe	107
PID 928 wrote to memory of 3712	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	108
PID 928 wrote to memory of 3712	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	108
PID 928 wrote to memory of 3712	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	108
PID 928 wrote to memory of 4460	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	109
PID 928 wrote to memory of 4460	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	109
PID 928 wrote to memory of 4460	928	{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe	109
PID 3712 wrote to memory of 5044	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	114
PID 3712 wrote to memory of 5044	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	114
PID 3712 wrote to memory of 5044	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	114
PID 3712 wrote to memory of 4708	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	115
PID 3712 wrote to memory of 4708	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	115
PID 3712 wrote to memory of 4708	3712	{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe	115
PID 5044 wrote to memory of 4508	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	119
PID 5044 wrote to memory of 4508	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	119
PID 5044 wrote to memory of 4508	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	119
PID 5044 wrote to memory of 1476	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	120
PID 5044 wrote to memory of 1476	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	120
PID 5044 wrote to memory of 1476	5044	{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe	120
PID 4508 wrote to memory of 824	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	121
PID 4508 wrote to memory of 824	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	121
PID 4508 wrote to memory of 824	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	121
PID 4508 wrote to memory of 5500	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	122
PID 4508 wrote to memory of 5500	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	122
PID 4508 wrote to memory of 5500	4508	{A642A619-BA59-4872-BB57-D493FE624C60}.exe	122
PID 824 wrote to memory of 4420	824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe	123
PID 824 wrote to memory of 4420	824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe	123
PID 824 wrote to memory of 4420	824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe	123
PID 824 wrote to memory of 1124	824	{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_916d19585ed6bfa33106ff81925c9c92_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
  C:\Windows\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
    C:\Windows\{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5912
  - - C:\Windows\{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
      C:\Windows\{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5764
    - - C:\Windows\{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
        
        C:\Windows\{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
        
        C:\Windows\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
        
        C:\Windows\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
        
        C:\Windows\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
        
        C:\Windows\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{A642A619-BA59-4872-BB57-D493FE624C60}.exe
        
        C:\Windows\{A642A619-BA59-4872-BB57-D493FE624C60}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
        
        C:\Windows\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
        
        C:\Windows\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe
        
        C:\Windows\{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe
        13⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ABD8~1.EXE > nul
        13⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEADC~1.EXE > nul
        12⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A642A~1.EXE > nul
        11⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F8F4~1.EXE > nul
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{037B4~1.EXE > nul
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E65E~1.EXE > nul
        8⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{977FA~1.EXE > nul
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE61~1.EXE > nul
        6⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B3D5~1.EXE > nul
        5⤵
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E329~1.EXE > nul
      4⤵
      PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02214~1.EXE > nul
    3⤵
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022149A5-DD06-4ee4-B0CC-ACA7AC63F4C0}.exe

Filesize
344KB

MD5
1748ec4268ade3a225c7d297534d2481

SHA1
9bb7f60b5fb8682b03d944ea1410e0cd1cd57b61

SHA256
0ed9fee5435035cd6c140915136b50c096d2a86f778df504b7145cea55c36322

SHA512
950e155d347751cbd65f15a986f3c258aca46667a4dce1c55ee55a3a5f9438b65ec758900348dc2bd2b17f350f4a362ac290f88f1e79ed1a9e438fb2a452acf8

Download Submit
C:\Windows\{037B44C5-A4C4-4017-A1B7-9AF79961D94F}.exe

Filesize
344KB

MD5
1cc88bcc5ded8c769f13d6b04df9fde8

SHA1
87ec4d89817b7e081c863d68b5eee49cded2a8da

SHA256
ad4f38f8c0da255fab553af70bd23b655f2592edf0d8f7dfd311956d972c1016

SHA512
d030b944bba658990c436933d7ffd7565bd9f452058527c590cc2b3cfa70b505711b7e180877b66c51d9c4b9689521d71444c35e5874326f0c7d4ffa31048ca4

Download Submit
C:\Windows\{2ABD8BBA-9304-4e87-8454-8FB67AA29E1C}.exe

Filesize
344KB

MD5
25835fd5e68e352ee61499585467240b

SHA1
0782e1c86d2b98cacc6857f681fdfb2346e03a8e

SHA256
0e647faf8cfef00c7f6e76ae99b6ee67825d22075e826380e4d033e1ecf24ce1

SHA512
d9f4552be4a79ecf9ae24b4d89f650adecd2b411b996b5e2e35476b756bab9c9047bf9201ca27794328337c04b1b698e2f7d1a4e76cb8ed2d8f1083298ec694f

Download Submit
C:\Windows\{2E65EACD-7758-4d36-98CE-A0FB96F68E37}.exe

Filesize
344KB

MD5
79178fa77549a14c1f3bdaa8cb1d4db9

SHA1
803bd5ecbb8dbc1902faf99b09ca1954ff7354cf

SHA256
92ce64e390ee4bdf06c9efcdd037f1e65f0f421a2d7b73248939b630bb8b1fa0

SHA512
0247361c2735e965baebeace3c01762aef90f9d15b3b96521cd21d35c7c6db1abb8f4c5a1668ded85ecf63dd5ec1ac4b9f150a2ba6005823a4c0534946513ff5

Download Submit
C:\Windows\{4F8F41FF-24E7-437b-8E30-C4988B5DFB1B}.exe

Filesize
344KB

MD5
c3e8dfe3df8d1565f18e0038f93da12e

SHA1
43f9ddcfc5e5fe6c7c7705a870b2dbf5c4fb4341

SHA256
4b78c248cb10d2f072362b50e890eee4f1a85dc12a6004d4c98adc13f8994a13

SHA512
52839501a2b84d4120f5cb02a5bd4635a5f01d76fd93acdd9a28109fe69a9b4a59d643e1e543d872cadd456a7f7751985c738c03f9801bee2a18bad55c55578e

Download Submit
C:\Windows\{7E329DEC-907B-4c05-B06C-2CF4F5290205}.exe

Filesize
344KB

MD5
ceb68aefafd27596234f726506fdc520

SHA1
c3df02dd8367335efab4e4e47d6fdf299fb656ac

SHA256
badec3b162499b87eb8a720276f66ae40200dfc625d8f2c81bec05544f2d2600

SHA512
0352da2a6a5600ebc00361928f705351980776b5388f888561d76a9ff92fcd914439e5450c1eb5b2cc875341be96bba42f378340fc26dc4d531c281befaf6afd

Download Submit
C:\Windows\{8B3D507A-9493-4287-9DCA-81B4E76D176F}.exe

Filesize
344KB

MD5
1d013e503da873783aeeb671fa96cf54

SHA1
65cc29522382ff5f8fb6a9b949d744b2055e2685

SHA256
60a981359010f5641329bd158a7dd0ee97f7f59e658c21a54446df18e8efe969

SHA512
97a86479c1b74a1cd84d6924a57f8a6246facf5ef2d2229a9d6e6b0628034612992a8806fce61eaae731944c5a079a39dadaf46ad5fd24714ec78afcfe4eb47b

Download Submit
C:\Windows\{977FAFCC-2710-4d8a-9D07-0EEB7AF21709}.exe

Filesize
344KB

MD5
8047cfd8db46b19f03d3983d59a6b881

SHA1
7cf9fb6c925a1910d6f52415a6cc95426395cf13

SHA256
28767ba683d34ea1013bc627c015cf159d8b494c5512f83fdbc6b31a3c6a715b

SHA512
89db897ab5a96626413d1a325e6f3dea4ef8769c922420f82081f14ef19dc066e315e303bae35bc9884084f1cad54dcc4527f557d3525ec5fe7604699ba2e640

Download Submit
C:\Windows\{A642A619-BA59-4872-BB57-D493FE624C60}.exe

Filesize
344KB

MD5
044ada5eee833ab4f74813c199585b6b

SHA1
de804d864fc109ddf493c33e60a9836fca9e253d

SHA256
193646b42090c5bdf814cbcc7fa1d1b060c7ed5ae256786c5d3191412e0e56e8

SHA512
3a0454ccf170f45b1b43e7e48985f25465cfea718b694286edb2163d21af3f74de1ec795741584d2c395a5fc29d31ebb7a2d4a29d8cdd0586f18727909581b94

Download Submit
C:\Windows\{AEADCE7F-E90B-46a4-8BEA-F1E7280E5699}.exe

Filesize
344KB

MD5
ca49472e91b323418da0b7033b544ec4

SHA1
101a32cfdd21bae9fc1f9b504b6053cad8bfe753

SHA256
83a6e7fc7c4aa9d2b49b3218923f714fc6b01d991a8e3046ddad1b3c98c883bd

SHA512
6528f1d1c092ab6d563006869f58883378b4a01dc16dcbbf69dfc0f2ae4222bdccbb789cfd842cf312e222e8ae094acf1925d4ca98c5afe03aad8b0d28c71adf

Download Submit
C:\Windows\{B62FF500-F19C-42ba-814A-0A02DE77D32C}.exe

Filesize
344KB

MD5
e9ae4b527f35d08a02965625ff34c8ed

SHA1
48e1c69b4bbb72a8a081a554297a35397842eb18

SHA256
438dc6ffb93f844def0598b1ab01026ec37819abf516af3ff9bb9c729576b9b6

SHA512
e2c20b16e112d7e2b84048820bc88bcfa744ef62a59f2d33fef83e9d72bf451e9819b52d76defcd7cc1896ad8e481110db14a985733c5e5aabf2f95c0411661d

Download Submit
C:\Windows\{BEE6128A-B9E1-480a-8741-C6250874EE4C}.exe

Filesize
344KB

MD5
4a7ae95c74ddc4a2fc1208e4f0b21c4a

SHA1
faa418151789bd7c80ea6fc60b136c1df0841958

SHA256
ba65451bd48b821c505cb3d09f919398f396c408a42160d7f56fae6546e7d919

SHA512
078eb509f6e94e5015663b462f8853d7418bcf18160fde723a67687cb085b72d27e9bc93f7d854e25f9a7a3ce70c0b2489d6eb89ba663ac2d370a7b4b1ff8942

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads