9b180b5398d23aa4c3ef6ae010aae68f88a4b6b58a4b62fad9bec6e1df88172b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Size

180KB
MD5

fe60fcadf4e3c6769a49f86cd633cb50
SHA1

3e164f0f6a72811aed6daa3b55ebd2f2a9370df3
SHA256

9b180b5398d23aa4c3ef6ae010aae68f88a4b6b58a4b62fad9bec6e1df88172b
SHA512

db0f817793d193b0157dd04fa0ceda9d1111bf6e6914df4f0b48d72a905205564b99f84919aa192ccf4b2ffaa075d71aae9853fe273601c8d60ec18d7a14c55e
SSDEEP

3072:jEGh0oDlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83766E3-5823-41e4-B2D7-8F653834A474}	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83766E3-5823-41e4-B2D7-8F653834A474}\stubpath = "C:\\Windows\\{B83766E3-5823-41e4-B2D7-8F653834A474}.exe"	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}\stubpath = "C:\\Windows\\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe"	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}\stubpath = "C:\\Windows\\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe"	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}\stubpath = "C:\\Windows\\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe"	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}\stubpath = "C:\\Windows\\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe"	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{758E6665-9FAA-453d-8C30-E11DD64236FA}\stubpath = "C:\\Windows\\{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe"	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}\stubpath = "C:\\Windows\\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe"	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E8B375-8389-4bdb-9D7F-81929016AF99}	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E8B375-8389-4bdb-9D7F-81929016AF99}\stubpath = "C:\\Windows\\{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe"	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{758E6665-9FAA-453d-8C30-E11DD64236FA}	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}\stubpath = "C:\\Windows\\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe"	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D17F757-783B-412f-9092-3E136B3B7EF2}	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D17F757-783B-412f-9092-3E136B3B7EF2}\stubpath = "C:\\Windows\\{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe"	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{440F4F55-E632-4342-A96C-736CDC89E5C3}	{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{440F4F55-E632-4342-A96C-736CDC89E5C3}\stubpath = "C:\\Windows\\{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe"	{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}\stubpath = "C:\\Windows\\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe"	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe

Executes dropped EXE 12 IoCs

pid	Process
1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
512	{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe
2416	{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
File created	C:\Windows\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
File created	C:\Windows\{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
File created	C:\Windows\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
File created	C:\Windows\{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
File created	C:\Windows\{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
File created	C:\Windows\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
File created	C:\Windows\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
File created	C:\Windows\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
File created	C:\Windows\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
File created	C:\Windows\{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
File created	C:\Windows\{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe	{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
Token: SeIncBasePriorityPrivilege	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
Token: SeIncBasePriorityPrivilege	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
Token: SeIncBasePriorityPrivilege	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
Token: SeIncBasePriorityPrivilege	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
Token: SeIncBasePriorityPrivilege	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
Token: SeIncBasePriorityPrivilege	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
Token: SeIncBasePriorityPrivilege	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
Token: SeIncBasePriorityPrivilege	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
Token: SeIncBasePriorityPrivilege	964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
Token: SeIncBasePriorityPrivilege	512	{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1476	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	94
PID 2756 wrote to memory of 1476	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	94
PID 2756 wrote to memory of 1476	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	94
PID 2756 wrote to memory of 1756	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	95
PID 2756 wrote to memory of 1756	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	95
PID 2756 wrote to memory of 1756	2756	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	95
PID 1476 wrote to memory of 3264	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	96
PID 1476 wrote to memory of 3264	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	96
PID 1476 wrote to memory of 3264	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	96
PID 1476 wrote to memory of 4752	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	97
PID 1476 wrote to memory of 4752	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	97
PID 1476 wrote to memory of 4752	1476	{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe	97
PID 3264 wrote to memory of 5044	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	101
PID 3264 wrote to memory of 5044	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	101
PID 3264 wrote to memory of 5044	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	101
PID 3264 wrote to memory of 3592	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	102
PID 3264 wrote to memory of 3592	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	102
PID 3264 wrote to memory of 3592	3264	{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe	102
PID 5044 wrote to memory of 4172	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	103
PID 5044 wrote to memory of 4172	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	103
PID 5044 wrote to memory of 4172	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	103
PID 5044 wrote to memory of 4928	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	104
PID 5044 wrote to memory of 4928	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	104
PID 5044 wrote to memory of 4928	5044	{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe	104
PID 4172 wrote to memory of 4736	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	106
PID 4172 wrote to memory of 4736	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	106
PID 4172 wrote to memory of 4736	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	106
PID 4172 wrote to memory of 1320	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	107
PID 4172 wrote to memory of 1320	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	107
PID 4172 wrote to memory of 1320	4172	{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe	107
PID 4736 wrote to memory of 4988	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	108
PID 4736 wrote to memory of 4988	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	108
PID 4736 wrote to memory of 4988	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	108
PID 4736 wrote to memory of 4768	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	109
PID 4736 wrote to memory of 4768	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	109
PID 4736 wrote to memory of 4768	4736	{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe	109
PID 4988 wrote to memory of 4068	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	110
PID 4988 wrote to memory of 4068	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	110
PID 4988 wrote to memory of 4068	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	110
PID 4988 wrote to memory of 4424	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	111
PID 4988 wrote to memory of 4424	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	111
PID 4988 wrote to memory of 4424	4988	{B83766E3-5823-41e4-B2D7-8F653834A474}.exe	111
PID 4068 wrote to memory of 1736	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	118
PID 4068 wrote to memory of 1736	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	118
PID 4068 wrote to memory of 1736	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	118
PID 4068 wrote to memory of 2620	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	119
PID 4068 wrote to memory of 2620	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	119
PID 4068 wrote to memory of 2620	4068	{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe	119
PID 1736 wrote to memory of 4884	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	120
PID 1736 wrote to memory of 4884	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	120
PID 1736 wrote to memory of 4884	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	120
PID 1736 wrote to memory of 4088	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	121
PID 1736 wrote to memory of 4088	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	121
PID 1736 wrote to memory of 4088	1736	{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe	121
PID 4884 wrote to memory of 964	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	122
PID 4884 wrote to memory of 964	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	122
PID 4884 wrote to memory of 964	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	122
PID 4884 wrote to memory of 3624	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	123
PID 4884 wrote to memory of 3624	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	123
PID 4884 wrote to memory of 3624	4884	{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe	123
PID 964 wrote to memory of 512	964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe	127
PID 964 wrote to memory of 512	964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe	127
PID 964 wrote to memory of 512	964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe	127
PID 964 wrote to memory of 696	964	{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
  C:\Windows\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
    C:\Windows\{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
      C:\Windows\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
        
        C:\Windows\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
        
        C:\Windows\{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
        
        C:\Windows\{B83766E3-5823-41e4-B2D7-8F653834A474}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
        
        C:\Windows\{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
        
        C:\Windows\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
        
        C:\Windows\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
        
        C:\Windows\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe
        
        C:\Windows\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Windows\{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe
        
        C:\Windows\{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe
        13⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF7F4~1.EXE > nul
        13⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C001A~1.EXE > nul
        12⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE0C~1.EXE > nul
        11⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6A5~1.EXE > nul
        10⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{758E6~1.EXE > nul
        9⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8376~1.EXE > nul
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17E8B~1.EXE > nul
        7⤵
        
        PID:4768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7383B~1.EXE > nul
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD139~1.EXE > nul
        5⤵
        
        PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D17F~1.EXE > nul
      4⤵
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D61~1.EXE > nul
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17E8B375-8389-4bdb-9D7F-81929016AF99}.exe

Filesize
180KB

MD5
91b151ffeb9af4c8082887c08672df4f

SHA1
29dabf797866a57873e716819059c67e0ba84805

SHA256
eebbbe656b9b8b1c7b531361de9e44c4683791367ab24a9527f6bc51984fd1ce

SHA512
6e48e626deb25145ca31f660bfa1dc24b2c2c00e09147b3f44efae7211448554ac7e0870208a79ddb899b811ab582e92c8768fa35fe647a178b1e10d09e11e57

Download Submit
C:\Windows\{3D17F757-783B-412f-9092-3E136B3B7EF2}.exe

Filesize
180KB

MD5
98dbcc66413e1dc016486fd56f126b4a

SHA1
6ea69f1770a9bb1841a7647401b1457e745329b0

SHA256
2e09ddce22179c177e3691aca3c77d9cdf1cc24e0815a9f1c72581b3f7e35e4f

SHA512
2b098c445eca5149345406b0def8c2569557ca5452a35a1c0789f3b587278df59b0bad03106503331abbaa32dc9784ae136cc0fc813cd9d5859da855dda3f977

Download Submit
C:\Windows\{440F4F55-E632-4342-A96C-736CDC89E5C3}.exe

Filesize
180KB

MD5
5b5be423a1f5779127a7effe8d49fbc8

SHA1
3b9516c976cd1bb7903918afdc4bce57aad0222a

SHA256
2313fba9b545236d1fa95bd30c757711e4ab5af20c3f68f0fcaa555eb1e4bd66

SHA512
655cf2e8417df9f36794cddb188cf8e208c5318acec272f3028bf14c60ac71cf07e9ca7b4b6c72d900169a84fd901800e39b496fd739332ca99dda2fd2c58e48

Download Submit
C:\Windows\{4FE0C79B-50AA-48f2-A4EF-D01687A3F6ED}.exe

Filesize
180KB

MD5
d6589ea81af819b71246db6f19ab2650

SHA1
57b6de1f4338e5a78cee14a54ea020a24d027865

SHA256
12a99a80e0b53fdcdb95d7bbbf74e154baeec4f8dcaa2033a7c7eb03202fe3f5

SHA512
06a091b414175bf65ff3e8bf3e3958a6a9a4265933293321b7aa6329270d221bfb892fa0d83dd7ef28363c3bed9f8cf4823d2af92127e66c6803e4b5c0f79c4f

Download Submit
C:\Windows\{7383B6BD-45AA-4d93-B32D-2C84D21F771F}.exe

Filesize
180KB

MD5
80b39c8b99815f1a69e1bf4ca9e31dd1

SHA1
7ddd08a4b05bd312255a2d4e6fdf471c538ad06f

SHA256
ba197c30c96b161c25e737e793afb58d1cd3d929d30769aa09b68c28b3f7e986

SHA512
9ea86dc202aee3f556bfb9663c579c4bea9dbf8b68bb97082d5a86671bbd03d7ee50edab5b7f1b97056d575d50953e631c5c6ed9acfbda211a6861dfecb16510

Download Submit
C:\Windows\{758E6665-9FAA-453d-8C30-E11DD64236FA}.exe

Filesize
180KB

MD5
5e3191800fda088cccefcdad55f5808e

SHA1
2c6612f29fb5aa2ce2f1576538c91f113c58fba0

SHA256
0697f504bf184d6783566bf3bf305103426360d16043aa5b0dd1f2f3a3e35227

SHA512
bc59e0919463f9dd6266cf79bdd4df1e0b8376cc9bc82eb26375d0530c2f25fa847db03fe9d4da0d25240796d8467e66b7b213bffd2ba1cabb33aa05c7aa0555

Download Submit
C:\Windows\{B6D61959-E4C1-4653-99E2-02C57B1BEA86}.exe

Filesize
180KB

MD5
56989dae337dd9464a755ebbab583c28

SHA1
839302063ee825f1c5df6d044b232e5978182c33

SHA256
8d640bde6e02334aa56d8a621dd46a3d55e62f6f45a6e3aa7ff932b64c5e44aa

SHA512
897831c08bbe72fbb05d6a4aeca0ccd3bd25ab73df433194331f6f54d158901397452a43c91d43195d5e53f401ea24eab8b60b72416c6da404ab430a5859ec71

Download Submit
C:\Windows\{B83766E3-5823-41e4-B2D7-8F653834A474}.exe

Filesize
180KB

MD5
d6e0f626955ac0031531ca1c2a13d775

SHA1
ccf24b6e00b58b56b379a91fa34a595a34815caa

SHA256
43f4e02280a84cff304306e305a27a8f0c25682affc7f62ac94a25e0f6a5fd05

SHA512
3b9531ddeb6d01014985abe4a5599eca446adcce4110fde54bca2c5df87de222715c79c27c6bfbc038c2eb16e529e7859b454b3c0a9cbd95d89b9f23a1fd3266

Download Submit
C:\Windows\{BD139DE3-B34A-4cbc-89EE-3E5856423DC3}.exe

Filesize
180KB

MD5
e65c263c0764f5672e0e7b7e27224f96

SHA1
1e9ed9d0c0ed35a0f3154e59826d69f8fa82fe3a

SHA256
7d1fb940a655df1d7e83fc1a18051e5e192a262b8ea3e0d7ed195ebc1078191b

SHA512
1050eca9b69fc32f23f3d6af9ed47b3fb26842ff9f5ed6e8b4a53504c19b54f618c3c544869e0b17c2181b9dd3a9efa50ddb94d1d62428f4a10a5f39cef9d479

Download Submit
C:\Windows\{C001AEBE-E4E6-4a12-A5AA-7822D0FF74A4}.exe

Filesize
180KB

MD5
74d2c8a08ccd16281277fb3b24e53120

SHA1
4b759cc0df8293efff0c889d3f5b2dff1feca8fc

SHA256
e30eeb1c92988ed660a35a7021610301b750bfeeb135e8313b63fa5f77eedd5c

SHA512
5bf517f9ff38e81bd982bdbaa2fd223d22e60ed1ba2a7f28b4cf4f0fbb4f5da80768f472b728ba97b90fa8d2fa6e9e18b3ff6cf6bc6223cec123e0de0a350771

Download Submit
C:\Windows\{CC6A5F37-9724-4aed-9FA5-353659AF25E7}.exe

Filesize
180KB

MD5
03eedc0eb9582c0a69d03e6f4070ea8b

SHA1
a7f4e6b950f6ecec3aa9b1d500f502ac41076f2a

SHA256
44a7542e34b83b790e9c15cc14289d18f88c1d73bf23838871dc59a26a16993d

SHA512
7502fc0210a271b53888a95cac5d89be58faf73c25f35fd9c210adb9afcc729167d06ecacaf83f3d4f26263d9e886eb7742a744dde9a5b333218204b3262476d

Download Submit
C:\Windows\{DF7F4287-9E74-40aa-97A7-24EEBABCFD0C}.exe

Filesize
180KB

MD5
978e96e411e9aa05b62fb5f7ec91a2dc

SHA1
e2c843c4a4cfb2719f6ef91b38b609c3ee97bf45

SHA256
fda3842bc901aec6a98ace696ede1c2f4ee8ce4a487f9caab351e98d0479db81

SHA512
f7a6395cb2b3260bc5269bd5c3739049329cf9fa6e54febcc130a51559c872e0ceac79831858e3f244f264a777135b92dc5a7f237de0964de802f743ba73cc17

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads