75c24b96246d6d2bdadb156dd016eb074f385d4e0202ebaaf921c70386ec0d6f

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
Size

344KB
MD5

ac6d097a7ee1bc5ff400524795841f7b
SHA1

3666d002e81ea908db03a74fe69ddf58e43eeea2
SHA256

75c24b96246d6d2bdadb156dd016eb074f385d4e0202ebaaf921c70386ec0d6f
SHA512

0b9b26840f8b28d43ae12c0e7129a092a5228722355e82d32631cfda39101668b5cb64c81ebf48c63fca1f636cdfe438df5ff3f6f2df61d703bec4c88f31a84b
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}\stubpath = "C:\\Windows\\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe"	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}	{96090492-831F-435d-A25F-9251DDCF44DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3478381-35EA-4435-88C1-865D4F43335E}\stubpath = "C:\\Windows\\{C3478381-35EA-4435-88C1-865D4F43335E}.exe"	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD95BE26-1B83-49f2-8E1E-71779330B210}	{C3478381-35EA-4435-88C1-865D4F43335E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7AE36E-F39A-409d-889C-995F952893FF}\stubpath = "C:\\Windows\\{FD7AE36E-F39A-409d-889C-995F952893FF}.exe"	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}\stubpath = "C:\\Windows\\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe"	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}\stubpath = "C:\\Windows\\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe"	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96090492-831F-435d-A25F-9251DDCF44DF}	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96090492-831F-435d-A25F-9251DDCF44DF}\stubpath = "C:\\Windows\\{96090492-831F-435d-A25F-9251DDCF44DF}.exe"	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}\stubpath = "C:\\Windows\\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe"	{96090492-831F-435d-A25F-9251DDCF44DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}\stubpath = "C:\\Windows\\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe"	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}\stubpath = "C:\\Windows\\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe"	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A451C924-A00A-4a06-98F9-2D20B788C50D}	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A451C924-A00A-4a06-98F9-2D20B788C50D}\stubpath = "C:\\Windows\\{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe"	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}\stubpath = "C:\\Windows\\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe"	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7AE36E-F39A-409d-889C-995F952893FF}	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3478381-35EA-4435-88C1-865D4F43335E}	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD95BE26-1B83-49f2-8E1E-71779330B210}\stubpath = "C:\\Windows\\{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe"	{C3478381-35EA-4435-88C1-865D4F43335E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe
376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
1632	{C3478381-35EA-4435-88C1-865D4F43335E}.exe
3564	{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
File created	C:\Windows\{C3478381-35EA-4435-88C1-865D4F43335E}.exe	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
File created	C:\Windows\{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe	{C3478381-35EA-4435-88C1-865D4F43335E}.exe
File created	C:\Windows\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
File created	C:\Windows\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	{96090492-831F-435d-A25F-9251DDCF44DF}.exe
File created	C:\Windows\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
File created	C:\Windows\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
File created	C:\Windows\{96090492-831F-435d-A25F-9251DDCF44DF}.exe	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
File created	C:\Windows\{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
File created	C:\Windows\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
File created	C:\Windows\{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
File created	C:\Windows\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
Token: SeIncBasePriorityPrivilege	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
Token: SeIncBasePriorityPrivilege	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
Token: SeIncBasePriorityPrivilege	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
Token: SeIncBasePriorityPrivilege	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
Token: SeIncBasePriorityPrivilege	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe
Token: SeIncBasePriorityPrivilege	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
Token: SeIncBasePriorityPrivilege	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
Token: SeIncBasePriorityPrivilege	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
Token: SeIncBasePriorityPrivilege	3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
Token: SeIncBasePriorityPrivilege	1632	{C3478381-35EA-4435-88C1-865D4F43335E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4316	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	85
PID 3804 wrote to memory of 4316	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	85
PID 3804 wrote to memory of 4316	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	85
PID 3804 wrote to memory of 244	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	86
PID 3804 wrote to memory of 244	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	86
PID 3804 wrote to memory of 244	3804	2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe	86
PID 4316 wrote to memory of 3112	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	87
PID 4316 wrote to memory of 3112	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	87
PID 4316 wrote to memory of 3112	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	87
PID 4316 wrote to memory of 3756	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	88
PID 4316 wrote to memory of 3756	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	88
PID 4316 wrote to memory of 3756	4316	{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe	88
PID 3112 wrote to memory of 3916	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	92
PID 3112 wrote to memory of 3916	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	92
PID 3112 wrote to memory of 3916	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	92
PID 3112 wrote to memory of 372	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	93
PID 3112 wrote to memory of 372	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	93
PID 3112 wrote to memory of 372	3112	{FD7AE36E-F39A-409d-889C-995F952893FF}.exe	93
PID 3916 wrote to memory of 3732	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	94
PID 3916 wrote to memory of 3732	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	94
PID 3916 wrote to memory of 3732	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	94
PID 3916 wrote to memory of 2088	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	95
PID 3916 wrote to memory of 2088	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	95
PID 3916 wrote to memory of 2088	3916	{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe	95
PID 3732 wrote to memory of 1392	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	96
PID 3732 wrote to memory of 1392	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	96
PID 3732 wrote to memory of 1392	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	96
PID 3732 wrote to memory of 3152	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	97
PID 3732 wrote to memory of 3152	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	97
PID 3732 wrote to memory of 3152	3732	{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe	97
PID 1392 wrote to memory of 3680	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	98
PID 1392 wrote to memory of 3680	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	98
PID 1392 wrote to memory of 3680	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	98
PID 1392 wrote to memory of 1364	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	99
PID 1392 wrote to memory of 1364	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	99
PID 1392 wrote to memory of 1364	1392	{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe	99
PID 3680 wrote to memory of 376	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	100
PID 3680 wrote to memory of 376	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	100
PID 3680 wrote to memory of 376	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	100
PID 3680 wrote to memory of 3844	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	101
PID 3680 wrote to memory of 3844	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	101
PID 3680 wrote to memory of 3844	3680	{96090492-831F-435d-A25F-9251DDCF44DF}.exe	101
PID 376 wrote to memory of 4988	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	102
PID 376 wrote to memory of 4988	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	102
PID 376 wrote to memory of 4988	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	102
PID 376 wrote to memory of 4852	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	103
PID 376 wrote to memory of 4852	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	103
PID 376 wrote to memory of 4852	376	{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe	103
PID 4988 wrote to memory of 2120	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	104
PID 4988 wrote to memory of 2120	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	104
PID 4988 wrote to memory of 2120	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	104
PID 4988 wrote to memory of 1532	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	105
PID 4988 wrote to memory of 1532	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	105
PID 4988 wrote to memory of 1532	4988	{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe	105
PID 2120 wrote to memory of 3744	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	106
PID 2120 wrote to memory of 3744	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	106
PID 2120 wrote to memory of 3744	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	106
PID 2120 wrote to memory of 5100	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	107
PID 2120 wrote to memory of 5100	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	107
PID 2120 wrote to memory of 5100	2120	{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe	107
PID 3744 wrote to memory of 1632	3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe	108
PID 3744 wrote to memory of 1632	3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe	108
PID 3744 wrote to memory of 1632	3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe	108
PID 3744 wrote to memory of 4960	3744	{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_ac6d097a7ee1bc5ff400524795841f7b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
  C:\Windows\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
    C:\Windows\{FD7AE36E-F39A-409d-889C-995F952893FF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
      C:\Windows\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
        
        C:\Windows\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
        
        C:\Windows\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{96090492-831F-435d-A25F-9251DDCF44DF}.exe
        
        C:\Windows\{96090492-831F-435d-A25F-9251DDCF44DF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
        
        C:\Windows\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
        
        C:\Windows\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
        
        C:\Windows\{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
        
        C:\Windows\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{C3478381-35EA-4435-88C1-865D4F43335E}.exe
        
        C:\Windows\{C3478381-35EA-4435-88C1-865D4F43335E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe
        
        C:\Windows\{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe
        13⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3478~1.EXE > nul
        13⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A573E~1.EXE > nul
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A451C~1.EXE > nul
        11⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{562CC~1.EXE > nul
        10⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5965~1.EXE > nul
        9⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96090~1.EXE > nul
        8⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A90~1.EXE > nul
        7⤵
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06021~1.EXE > nul
        6⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED8FC~1.EXE > nul
        5⤵
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7AE~1.EXE > nul
      4⤵
      PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7470C~1.EXE > nul
    3⤵
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{060218E1-E4C3-48a8-9C5B-E3C5D8487F6E}.exe

Filesize
344KB

MD5
a9bd703702cdabed09e1731c0f71675a

SHA1
6c0aa4945657bf1782881a17bf91df88a5f8a2e3

SHA256
96160780ce033ecb6924fd2ad86b2dbb651534f4c8b5c8c5f8d29f6307ebf7ba

SHA512
2eaf518295b3ad1bd4a764ef457e05584a2aa07124a2329b47b1a199d36e8638b7dc525444b215402d6cc574abd9cc1c49aef81d20656f21eeba7f41c4d59d23

Download Submit
C:\Windows\{562CCE46-BF2F-402b-BEAB-555D7A0D8DDF}.exe

Filesize
344KB

MD5
1595c1d9da11ba3b40840b6ec646748d

SHA1
958b3e49e9add98003afb9aeebe7aca949b7b254

SHA256
6a413c20b8330fa5414533f71d527ec94ac4dfd0f9ba8afbf61209099e4d5c36

SHA512
2acc96ebcfd134e847f284c688ddc8e044de53d137f8ea516570d1663530dd8240d2ac1c537bda79cb96d449719cb28d11d9b4e1fae4b3172ddc7713f6d9848d

Download Submit
C:\Windows\{61A9008A-D00A-4bc8-8A4C-F0488D3C999A}.exe

Filesize
344KB

MD5
6f5462aa3722e3623a36408d9b373292

SHA1
56073f1110fe17e2dfbd6f300f6bf618b8595421

SHA256
2524928b6d91355952423f46d9c0e21f66b445c6715609fed4ce4c322d6ec9cc

SHA512
1e4a8b65e581030de86a72031fdf80b68cdfd59430b5f4972542c899b43b52dfeebd8d477a4c4895922cef2d448a7c1e67a59058973c20a3a894ad14d70dbf3f

Download Submit
C:\Windows\{7470C46B-28BC-43e0-8DB3-16325B30CDD6}.exe

Filesize
344KB

MD5
2ae3651ea463fbb2f3bf431fa82daaf5

SHA1
1c56d35399b6f2c7011f5ca8a6004cbccd14aeb1

SHA256
cef77092c004d42f7b2597cf9555c1322df3f35329953c404fff9d70d1641c6a

SHA512
800b3d839200d3b3008268186f18192055a98a8db0c5c02f6708d3168095402b93158a792b89c85cb1e7ae2d8a85d833ed7024a56aed1453a5ca9dd4b4c06c2a

Download Submit
C:\Windows\{96090492-831F-435d-A25F-9251DDCF44DF}.exe

Filesize
344KB

MD5
6436a182543bfd4debbf4b3aaf43d2dd

SHA1
fb78222d72088b4badab28a7f18920903cff300c

SHA256
6ada582cef47845a631d4576dad775090b07247140df41640713d8be2646a7bc

SHA512
625ca50ad7d72c1c9ac976dd75b59d25f4b5a1307c261df09d8e9d91df6af8536c9d99b7b9dd55a383c86a37919486794b2f3d3fcc363fc5fc5b450468e42993

Download Submit
C:\Windows\{A451C924-A00A-4a06-98F9-2D20B788C50D}.exe

Filesize
344KB

MD5
036147bc3d8af106b55eb6e03806a134

SHA1
607203b9f73e23a24461245d6124cd7d33c95260

SHA256
0f8e3d7cf0174c0fcb5f7a6adcddf3eaa466174b485cd322908d2062061a38ac

SHA512
929881c43a51b568a04198aa85eb9b73267064c4d5388aa1d9f43e99afbcf87448c05e29f6cd0baba438df39a9d9006974ebec3b428e29917e639220ce6db6dc

Download Submit
C:\Windows\{A573ED5B-5FAD-49c1-9DBC-0F1F98A60CB7}.exe

Filesize
344KB

MD5
9254d26fb98d86ecef63cb581d0d021a

SHA1
5b427f251c8f3d7036d05a6a5c41893b3bc837c9

SHA256
7ea81e95fc02b3effad884f89431c83d163da45063d97e538257424cd5d3917c

SHA512
2b1a3d3d5338d10972983969b28957bd3c9d61da4a18158eda19841412f5306c774719c1223be95fccb81b26acccdb04c8a5169051c6a016cbd7508fb1317017

Download Submit
C:\Windows\{B5965CCB-305B-4dba-A0E1-E08A80EA14EE}.exe

Filesize
344KB

MD5
c7781969fe976e40b69db0a17ed5cfec

SHA1
3570d959ee1cfaca3676b88bda09e58f3b478eeb

SHA256
b3adeae4529a8f649690ed297eeee6ba1bbf9a49119f1112681711f021cc49b6

SHA512
1ef064008575f0e1e5b50697d0e132a81c4395e9127c420ef807df13e48b60e3234c4df2d1f0830a80d3015ae70e6cbbbf431ad28f4a57341532e5e2ec643039

Download Submit
C:\Windows\{C3478381-35EA-4435-88C1-865D4F43335E}.exe

Filesize
344KB

MD5
08b3313a57e905e80ce2c903e78ea5e1

SHA1
e174651bd74492589361334033fe2ac6277a60ff

SHA256
7eb1ece2612bf84b1ca427ea30919e4076a96703b06882b68fa5f0534bd8e890

SHA512
356b0bc051b21b3d58fd1c4d66a965a12c537b8c799518dbbf1f01fe12eca2701d015403b4c9e8eb67e84c1fc0bdef6cd73b5b8b28d0780eb106d69d59102195

Download Submit
C:\Windows\{ED8FCFA4-3D8A-497b-A150-75ED1E83A628}.exe

Filesize
344KB

MD5
1215458fb54f5d479e773ac70f4092bc

SHA1
b00e8515558b45a15ea29d67b39f47062fd6091e

SHA256
9cbbd7435eaa741f1574e8d1e999ae08b47d4b5eafb6c8d53cfa24d97ad52dd0

SHA512
782b13882ba133a35b7ceeebf5b967e4090a0679d328882df3e1bea0c1db442cb11b6cc065b648aa474370efbb4c76f9ba08393672cce9d21a1654098f1430d2

Download Submit
C:\Windows\{FD7AE36E-F39A-409d-889C-995F952893FF}.exe

Filesize
344KB

MD5
1708477f3aff7c8480a6de27aae8e69a

SHA1
1883a6ec4efb66a14d44868b09efd109dde3b539

SHA256
762f6eb98eeb64679f9209c3a7f21fa5476a6ec843d80b4c4fe01f52532d3548

SHA512
92dd929f09893fd9253631fe157b94aaa04edff2691fe4ae1e15912473f9f4c444f66f6e46f1765c33132c6fa5673707dbf8f6e1c5e6a534292279d0591414e5

Download Submit
C:\Windows\{FD95BE26-1B83-49f2-8E1E-71779330B210}.exe

Filesize
344KB

MD5
a004d142cd3334550c69737948aa9943

SHA1
528aa4dde7c24d8936ecba737f04fde6530b790f

SHA256
8a22bafeb60173ccc762fd2dae758560911683117d8277e59db75906bdedb578

SHA512
506c9a5baff72339ba3505c7d103f02da36231de95ab0576650a058eaa87c4264f3e157154c435b48aa551006446769ae11de88bb32085962087514a2cabfdb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads