77811f7bdc11884f24f64188d461081d4c58f17f013e776a496cc8cca62349a9

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Size

168KB
MD5

374d929c471ff39e76dfe4f703391113
SHA1

85b3369fc68ab23fc7a5a32aa4d5dea235499a88
SHA256

77811f7bdc11884f24f64188d461081d4c58f17f013e776a496cc8cca62349a9
SHA512

e2715e21b9de25337b2c669c8da774025b074b9742defd605d3dddb9c4b923803fda5041ad14d4585a61dc7288f6995de5bd6e84e708d37ef8e7b464932c96fd
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}\stubpath = "C:\\Windows\\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe"	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9279796B-7EDE-4919-A2A0-A1E242A5D656}\stubpath = "C:\\Windows\\{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe"	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78512682-38F1-409e-B57A-E8A68FC9C718}	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}\stubpath = "C:\\Windows\\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe"	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C00222A-B54D-46e1-B23C-4427BB43471F}\stubpath = "C:\\Windows\\{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe"	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}\stubpath = "C:\\Windows\\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe"	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77283168-D245-45e9-B624-F5E87E4D456C}	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77283168-D245-45e9-B624-F5E87E4D456C}\stubpath = "C:\\Windows\\{77283168-D245-45e9-B624-F5E87E4D456C}.exe"	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}	{77283168-D245-45e9-B624-F5E87E4D456C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4719912D-531D-43c7-A58F-30F4CB1C92A8}	{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27C0400C-E3DE-444e-BA42-610F914AFD7D}\stubpath = "C:\\Windows\\{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe"	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9279796B-7EDE-4919-A2A0-A1E242A5D656}	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}\stubpath = "C:\\Windows\\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe"	{77283168-D245-45e9-B624-F5E87E4D456C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}\stubpath = "C:\\Windows\\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe"	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4719912D-531D-43c7-A58F-30F4CB1C92A8}\stubpath = "C:\\Windows\\{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe"	{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27C0400C-E3DE-444e-BA42-610F914AFD7D}	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}\stubpath = "C:\\Windows\\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe"	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78512682-38F1-409e-B57A-E8A68FC9C718}\stubpath = "C:\\Windows\\{78512682-38F1-409e-B57A-E8A68FC9C718}.exe"	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C00222A-B54D-46e1-B23C-4427BB43471F}	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe

Executes dropped EXE 12 IoCs

pid	Process
1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe
4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
4280	{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
1372	{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
File created	C:\Windows\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
File created	C:\Windows\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
File created	C:\Windows\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
File created	C:\Windows\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
File created	C:\Windows\{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
File created	C:\Windows\{77283168-D245-45e9-B624-F5E87E4D456C}.exe	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
File created	C:\Windows\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	{77283168-D245-45e9-B624-F5E87E4D456C}.exe
File created	C:\Windows\{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
File created	C:\Windows\{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
File created	C:\Windows\{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe	{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
File created	C:\Windows\{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
Token: SeIncBasePriorityPrivilege	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
Token: SeIncBasePriorityPrivilege	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
Token: SeIncBasePriorityPrivilege	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
Token: SeIncBasePriorityPrivilege	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
Token: SeIncBasePriorityPrivilege	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe
Token: SeIncBasePriorityPrivilege	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
Token: SeIncBasePriorityPrivilege	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
Token: SeIncBasePriorityPrivilege	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
Token: SeIncBasePriorityPrivilege	1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
Token: SeIncBasePriorityPrivilege	4280	{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1996	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	86
PID 456 wrote to memory of 1996	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	86
PID 456 wrote to memory of 1996	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	86
PID 456 wrote to memory of 1876	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	87
PID 456 wrote to memory of 1876	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	87
PID 456 wrote to memory of 1876	456	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	87
PID 1996 wrote to memory of 4876	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	90
PID 1996 wrote to memory of 4876	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	90
PID 1996 wrote to memory of 4876	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	90
PID 1996 wrote to memory of 2432	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	91
PID 1996 wrote to memory of 2432	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	91
PID 1996 wrote to memory of 2432	1996	{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe	91
PID 4876 wrote to memory of 4296	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	94
PID 4876 wrote to memory of 4296	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	94
PID 4876 wrote to memory of 4296	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	94
PID 4876 wrote to memory of 4732	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	95
PID 4876 wrote to memory of 4732	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	95
PID 4876 wrote to memory of 4732	4876	{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe	95
PID 4296 wrote to memory of 2416	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	96
PID 4296 wrote to memory of 2416	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	96
PID 4296 wrote to memory of 2416	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	96
PID 4296 wrote to memory of 4304	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	97
PID 4296 wrote to memory of 4304	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	97
PID 4296 wrote to memory of 4304	4296	{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe	97
PID 2416 wrote to memory of 4092	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	98
PID 2416 wrote to memory of 4092	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	98
PID 2416 wrote to memory of 4092	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	98
PID 2416 wrote to memory of 940	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	99
PID 2416 wrote to memory of 940	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	99
PID 2416 wrote to memory of 940	2416	{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe	99
PID 4092 wrote to memory of 4920	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	100
PID 4092 wrote to memory of 4920	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	100
PID 4092 wrote to memory of 4920	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	100
PID 4092 wrote to memory of 1668	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	101
PID 4092 wrote to memory of 1668	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	101
PID 4092 wrote to memory of 1668	4092	{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe	101
PID 4920 wrote to memory of 4940	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	102
PID 4920 wrote to memory of 4940	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	102
PID 4920 wrote to memory of 4940	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	102
PID 4920 wrote to memory of 4032	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	103
PID 4920 wrote to memory of 4032	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	103
PID 4920 wrote to memory of 4032	4920	{77283168-D245-45e9-B624-F5E87E4D456C}.exe	103
PID 4940 wrote to memory of 4432	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	104
PID 4940 wrote to memory of 4432	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	104
PID 4940 wrote to memory of 4432	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	104
PID 4940 wrote to memory of 3700	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	105
PID 4940 wrote to memory of 3700	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	105
PID 4940 wrote to memory of 3700	4940	{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe	105
PID 4432 wrote to memory of 4820	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	106
PID 4432 wrote to memory of 4820	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	106
PID 4432 wrote to memory of 4820	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	106
PID 4432 wrote to memory of 4668	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	107
PID 4432 wrote to memory of 4668	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	107
PID 4432 wrote to memory of 4668	4432	{78512682-38F1-409e-B57A-E8A68FC9C718}.exe	107
PID 4820 wrote to memory of 1340	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	108
PID 4820 wrote to memory of 1340	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	108
PID 4820 wrote to memory of 1340	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	108
PID 4820 wrote to memory of 2112	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	109
PID 4820 wrote to memory of 2112	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	109
PID 4820 wrote to memory of 2112	4820	{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe	109
PID 1340 wrote to memory of 4280	1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe	110
PID 1340 wrote to memory of 4280	1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe	110
PID 1340 wrote to memory of 4280	1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe	110
PID 1340 wrote to memory of 556	1340	{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
  C:\Windows\{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
    C:\Windows\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
      C:\Windows\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
        
        C:\Windows\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
        
        C:\Windows\{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{77283168-D245-45e9-B624-F5E87E4D456C}.exe
        
        C:\Windows\{77283168-D245-45e9-B624-F5E87E4D456C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
        
        C:\Windows\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
        
        C:\Windows\{78512682-38F1-409e-B57A-E8A68FC9C718}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
        
        C:\Windows\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
        
        C:\Windows\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
        
        C:\Windows\{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe
        
        C:\Windows\{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe
        13⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C002~1.EXE > nul
        13⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0368~1.EXE > nul
        12⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF42~1.EXE > nul
        11⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78512~1.EXE > nul
        10⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5BA6~1.EXE > nul
        9⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77283~1.EXE > nul
        8⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92797~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{213F9~1.EXE > nul
        6⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AB0~1.EXE > nul
        5⤵
        
        PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE862~1.EXE > nul
      4⤵
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27C04~1.EXE > nul
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{213F9CB5-5B22-43fe-8339-A06BFB45A40A}.exe

Filesize
168KB

MD5
d42fd5fe841486a75efb07b272bc25b4

SHA1
03392e0f81d0961a90d6fb7e6ed519c7cd7ce9d6

SHA256
282bb5ef0e01643bb949434989ba6a685921a5a987f752964fbe6e5016001602

SHA512
b9c0675af8a9b59b59bfb7d3f894c15b67697377641e4fa410a18faa44f10d5ff13099f9eb69e6f5425b02eaa6d489c8f79af303997ae28bf223f7b3a5bb1913

Download Submit
C:\Windows\{27C0400C-E3DE-444e-BA42-610F914AFD7D}.exe

Filesize
168KB

MD5
e728e5e8e7e17812403591e8cd88161e

SHA1
4d2a6f8db11cc832d1f1d527ee9be832f67aa406

SHA256
c1fe644a6fac360972dd6f775ea2a3412eae8ef60a5ba01ff6292edc604829af

SHA512
7e6480293a3eab6d63956a6126476a51aa96195926d1b5c6204130988f41b33287ac2ec1fe0a75cd73c960979e1367e7a36bc727666210053a13ab0c327ad04e

Download Submit
C:\Windows\{4719912D-531D-43c7-A58F-30F4CB1C92A8}.exe

Filesize
168KB

MD5
5f4a4b10c43bd031a6e5d272165d44d2

SHA1
c1de608ddf8067c8502955020a4fe28d2c256654

SHA256
b30aaabdfb823a41d46e83a04a6c6449a42ba0d0d9d268d76e54c1ecb2919b14

SHA512
3a68049a2261e8a09b0ba3eb34765ba66697409a31d893bb90b50b50fe7d2232db18e3f6bc4b49ebd87f63e0e5ef76f4563f67f06ed12951a1d5ba11df891e4a

Download Submit
C:\Windows\{5C00222A-B54D-46e1-B23C-4427BB43471F}.exe

Filesize
168KB

MD5
8ce32a3a48768f581b407ed3e532e97d

SHA1
ea507d8ee70ed566d575360d4da213038bbfd864

SHA256
001a414931b1162a2527590811ff6acb5395463b9c07cf92b16b49fd1b46cc99

SHA512
14905f667ad014404073d382e5b3c9a56b843f0e3afcb72e615b17229125818666d1b43952dc09ac1c2e690dbf4c33fe3dd22f3940ece170d751e01d84134094

Download Submit
C:\Windows\{77283168-D245-45e9-B624-F5E87E4D456C}.exe

Filesize
168KB

MD5
2e26d4385b2aa41dd222375059050a60

SHA1
da1e56e217bcd4c59d46b038c08817bcf9aacc17

SHA256
51df4e81fd01804c6d07641a42f22e50b27e3741fedb7c302afa9f1b1b3d99a5

SHA512
9ffdb39b0daeeec700e889a570d0442a0495fdc2e0b32295442b70dd0fa3e77567a97dc7414ec6965674dfe0882f96ec9a898c759c3cb17c7184d12457548326

Download Submit
C:\Windows\{78512682-38F1-409e-B57A-E8A68FC9C718}.exe

Filesize
168KB

MD5
9d1c415a0137fae92d3fa5868decaa83

SHA1
ae143a56aa541434099225c649430ac6e047f8e6

SHA256
a6ea8309b403637d4e0057c68c9edeec8956312fd35e870ff1c2cb8e331402d3

SHA512
56be79de1a6b48bc0fe7dc1eade52dbd898303caa144cf915da3c432c23feeab0451ab8160b20fa9792ead2398c2da0c234ae7b9ba2a69a348bf5872bf0963b5

Download Submit
C:\Windows\{9279796B-7EDE-4919-A2A0-A1E242A5D656}.exe

Filesize
168KB

MD5
85111b95d3f2d9a3ec9f96e81f2f0e13

SHA1
78cae300eead8cdb1bd5363fa91e355c9d8e1359

SHA256
38eeba0f8516a91c8f533ea3095e8ce63ff8e326572f59648ed861ea574f0bf0

SHA512
deacd581335d0a84d82c8b0a2be1843445fcb0e24015e039ee3511dffa05d454a8c4186d7fe26252ef60804b783aea4c30bc2140980f03e6a1ec4bd7318e541d

Download Submit
C:\Windows\{A8AB05E6-21D1-4abd-AB4B-65C86018A26B}.exe

Filesize
168KB

MD5
6c4f85a4db7b29816ee88486bca5bf22

SHA1
e9bf6e3c0987e1a6178c90688396144be8532735

SHA256
1d6b798a6498422fa6261d82125f54b50f178a5191301275b34598e13bac01be

SHA512
a7dcf4496454d9878eba376e8e168d19e09236e065732b57bef40c2c0886a0e6b42c1a20d914029e7ef17b573a91b296fa2fedec7beb7279636efbb148013ffb

Download Submit
C:\Windows\{AE862E85-ADE1-41e4-BF85-92174C1D59CB}.exe

Filesize
168KB

MD5
9c0cf70ae2fffbe56597d20f61f33c72

SHA1
cd57d90c1e05f48441405fd74c565fe9a2d16592

SHA256
29db6b44e3cc2b150a8a8091e9a22036a51b86b7955034d700ad82c35fa9bb84

SHA512
d42c4ae170f26dc79eadcaccc46399e26d50b91e8dba0199a99c478499b3f27e334fbb4cbfcdb346160d072c1473d7646f5333123f9941d99add756399d886f4

Download Submit
C:\Windows\{C0368232-AFFC-4a32-B2DE-1F387EA3F921}.exe

Filesize
168KB

MD5
d71df8aeb37218629f4fe01a33014126

SHA1
e84aaf83e0edeecac9b1df435e26a92d85464053

SHA256
9c3417bc722a565f3ea19da169ee393807b281cbfefc7fa184903dac9e9674ae

SHA512
0edecbd47c106b29961577e3483c3efc99ac422d63c0bbb0a49052a0983cd186553b953eed5b0927150dbfff50a29c6925a0db0f99debb50f264e72c4f59f285

Download Submit
C:\Windows\{DEF42B61-995F-492e-9CB7-1DFBE28D46DD}.exe

Filesize
168KB

MD5
bd4f27e0cdcdb924c4c3756af729e937

SHA1
6d28af542e94ba7785fb64a2287995c1acf479f4

SHA256
ce336de64adfa712bffd22c48b8fe9e24bcb5e066e8fb78996be14338c57c9f4

SHA512
12a262e0021f479c0c0e2f5501818857965af8b8d716e8a0b4b3fbaa2643c2fb16a60bf10e82709477ac893b3d75316cadf67d2339c7586629df3afd24c4f2f5

Download Submit
C:\Windows\{F5BA6560-DF88-4e84-BF4B-745241B14DAA}.exe

Filesize
168KB

MD5
ee91732aa02fb5e8ffefd4ed2dfa339b

SHA1
8ce8bb1b86fbd175701fd1580a0c2a3131d1b4a5

SHA256
2fd954b17403519d670637659fe61670ea67deb44b371e59129ab1fc0e6fdcf5

SHA512
e7500f5108c3526a500986c279a6ef9e9d46646b1edee86787c875755d56f8d1bd0faa3dda41e695b22f3f616820c45d2b60ec9fca9c8f7a06dacd9550b671f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads