6973f1fe8f83b2053e3a8ed244f19f7d0e66ed2822db4ba4f92b287264167ade

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Size

192KB
MD5

7a7b1c5b219538dcc2561feee8b58d96
SHA1

43317d85521fe9fa1c30fe175090e101d99b3b60
SHA256

6973f1fe8f83b2053e3a8ed244f19f7d0e66ed2822db4ba4f92b287264167ade
SHA512

ef2869187af30bf64a7d3c51a07bf48bc2e2382947109b9581cb5744dd29a78723c6869f50b806d2b38b639d72c6b440c7648f24597717dfdbf26d8b7ecd064b
SSDEEP

1536:1EGh0oEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oEl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCE7A59C-DC36-4929-BF43-3454A0334D69}\stubpath = "C:\\Windows\\{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe"	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0F3030-72FC-4800-B77C-7A026A6D970B}\stubpath = "C:\\Windows\\{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe"	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521730E6-AC64-4e32-B467-11654710B901}\stubpath = "C:\\Windows\\{521730E6-AC64-4e32-B467-11654710B901}.exe"	{BD499852-071E-4d34-A119-4906D1B8682C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61C47753-53E1-4d8d-8759-4890D2142B11}	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56DE8216-0378-42a9-B6ED-5685B7401012}\stubpath = "C:\\Windows\\{56DE8216-0378-42a9-B6ED-5685B7401012}.exe"	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}\stubpath = "C:\\Windows\\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe"	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD499852-071E-4d34-A119-4906D1B8682C}	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}	{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}\stubpath = "C:\\Windows\\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe"	{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61C47753-53E1-4d8d-8759-4890D2142B11}\stubpath = "C:\\Windows\\{61C47753-53E1-4d8d-8759-4890D2142B11}.exe"	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCE7A59C-DC36-4929-BF43-3454A0334D69}	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}\stubpath = "C:\\Windows\\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe"	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{521730E6-AC64-4e32-B467-11654710B901}	{BD499852-071E-4d34-A119-4906D1B8682C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}\stubpath = "C:\\Windows\\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe"	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}\stubpath = "C:\\Windows\\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe"	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0F3030-72FC-4800-B77C-7A026A6D970B}	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD499852-071E-4d34-A119-4906D1B8682C}\stubpath = "C:\\Windows\\{BD499852-071E-4d34-A119-4906D1B8682C}.exe"	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C49F524-6F1A-4547-8431-B06D0390B5DD}	{521730E6-AC64-4e32-B467-11654710B901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C49F524-6F1A-4547-8431-B06D0390B5DD}\stubpath = "C:\\Windows\\{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe"	{521730E6-AC64-4e32-B467-11654710B901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56DE8216-0378-42a9-B6ED-5685B7401012}	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe

Executes dropped EXE 12 IoCs

pid	Process
3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe
1416	{521730E6-AC64-4e32-B467-11654710B901}.exe
3824	{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
4964	{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
File created	C:\Windows\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
File created	C:\Windows\{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
File created	C:\Windows\{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
File created	C:\Windows\{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
File created	C:\Windows\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
File created	C:\Windows\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
File created	C:\Windows\{BD499852-071E-4d34-A119-4906D1B8682C}.exe	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
File created	C:\Windows\{521730E6-AC64-4e32-B467-11654710B901}.exe	{BD499852-071E-4d34-A119-4906D1B8682C}.exe
File created	C:\Windows\{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe	{521730E6-AC64-4e32-B467-11654710B901}.exe
File created	C:\Windows\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe	{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
File created	C:\Windows\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
Token: SeIncBasePriorityPrivilege	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
Token: SeIncBasePriorityPrivilege	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
Token: SeIncBasePriorityPrivilege	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
Token: SeIncBasePriorityPrivilege	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
Token: SeIncBasePriorityPrivilege	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
Token: SeIncBasePriorityPrivilege	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
Token: SeIncBasePriorityPrivilege	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
Token: SeIncBasePriorityPrivilege	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe
Token: SeIncBasePriorityPrivilege	1416	{521730E6-AC64-4e32-B467-11654710B901}.exe
Token: SeIncBasePriorityPrivilege	3824	{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3288	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	85
PID 4648 wrote to memory of 3288	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	85
PID 4648 wrote to memory of 3288	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	85
PID 4648 wrote to memory of 4644	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	86
PID 4648 wrote to memory of 4644	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	86
PID 4648 wrote to memory of 4644	4648	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	86
PID 3288 wrote to memory of 1300	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	87
PID 3288 wrote to memory of 1300	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	87
PID 3288 wrote to memory of 1300	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	87
PID 3288 wrote to memory of 3036	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	88
PID 3288 wrote to memory of 3036	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	88
PID 3288 wrote to memory of 3036	3288	{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe	88
PID 1300 wrote to memory of 4660	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	92
PID 1300 wrote to memory of 4660	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	92
PID 1300 wrote to memory of 4660	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	92
PID 1300 wrote to memory of 3996	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	93
PID 1300 wrote to memory of 3996	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	93
PID 1300 wrote to memory of 3996	1300	{56DE8216-0378-42a9-B6ED-5685B7401012}.exe	93
PID 4660 wrote to memory of 1876	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	94
PID 4660 wrote to memory of 1876	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	94
PID 4660 wrote to memory of 1876	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	94
PID 4660 wrote to memory of 4472	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	95
PID 4660 wrote to memory of 4472	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	95
PID 4660 wrote to memory of 4472	4660	{61C47753-53E1-4d8d-8759-4890D2142B11}.exe	95
PID 1876 wrote to memory of 1152	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	96
PID 1876 wrote to memory of 1152	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	96
PID 1876 wrote to memory of 1152	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	96
PID 1876 wrote to memory of 4080	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	97
PID 1876 wrote to memory of 4080	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	97
PID 1876 wrote to memory of 4080	1876	{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe	97
PID 1152 wrote to memory of 4784	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	98
PID 1152 wrote to memory of 4784	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	98
PID 1152 wrote to memory of 4784	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	98
PID 1152 wrote to memory of 3680	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	99
PID 1152 wrote to memory of 3680	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	99
PID 1152 wrote to memory of 3680	1152	{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe	99
PID 4784 wrote to memory of 4900	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	100
PID 4784 wrote to memory of 4900	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	100
PID 4784 wrote to memory of 4900	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	100
PID 4784 wrote to memory of 2056	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	101
PID 4784 wrote to memory of 2056	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	101
PID 4784 wrote to memory of 2056	4784	{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe	101
PID 4900 wrote to memory of 4896	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	102
PID 4900 wrote to memory of 4896	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	102
PID 4900 wrote to memory of 4896	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	102
PID 4900 wrote to memory of 2532	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	103
PID 4900 wrote to memory of 2532	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	103
PID 4900 wrote to memory of 2532	4900	{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe	103
PID 4896 wrote to memory of 5056	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	104
PID 4896 wrote to memory of 5056	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	104
PID 4896 wrote to memory of 5056	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	104
PID 4896 wrote to memory of 2696	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	105
PID 4896 wrote to memory of 2696	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	105
PID 4896 wrote to memory of 2696	4896	{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe	105
PID 5056 wrote to memory of 1416	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	106
PID 5056 wrote to memory of 1416	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	106
PID 5056 wrote to memory of 1416	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	106
PID 5056 wrote to memory of 1680	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	107
PID 5056 wrote to memory of 1680	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	107
PID 5056 wrote to memory of 1680	5056	{BD499852-071E-4d34-A119-4906D1B8682C}.exe	107
PID 1416 wrote to memory of 3824	1416	{521730E6-AC64-4e32-B467-11654710B901}.exe	108
PID 1416 wrote to memory of 3824	1416	{521730E6-AC64-4e32-B467-11654710B901}.exe	108
PID 1416 wrote to memory of 3824	1416	{521730E6-AC64-4e32-B467-11654710B901}.exe	108
PID 1416 wrote to memory of 4072	1416	{521730E6-AC64-4e32-B467-11654710B901}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
  C:\Windows\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
    C:\Windows\{56DE8216-0378-42a9-B6ED-5685B7401012}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
      C:\Windows\{61C47753-53E1-4d8d-8759-4890D2142B11}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
        
        C:\Windows\{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
        
        C:\Windows\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
        
        C:\Windows\{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
        
        C:\Windows\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
        
        C:\Windows\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{BD499852-071E-4d34-A119-4906D1B8682C}.exe
        
        C:\Windows\{BD499852-071E-4d34-A119-4906D1B8682C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{521730E6-AC64-4e32-B467-11654710B901}.exe
        
        C:\Windows\{521730E6-AC64-4e32-B467-11654710B901}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
        
        C:\Windows\{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe
        
        C:\Windows\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe
        13⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C49F~1.EXE > nul
        13⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52173~1.EXE > nul
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD499~1.EXE > nul
        11⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A46B~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6911~1.EXE > nul
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF0F3~1.EXE > nul
        8⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C158~1.EXE > nul
        7⤵
        
        PID:3680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCE7A~1.EXE > nul
        6⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61C47~1.EXE > nul
        5⤵
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56DE8~1.EXE > nul
      4⤵
      PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C70E~1.EXE > nul
    3⤵
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C49F524-6F1A-4547-8431-B06D0390B5DD}.exe

Filesize
192KB

MD5
59ba0751d1f46d4eb9be3c6382f5dd9e

SHA1
12008204f13e376ddae5bd681a95bbfb1a0561f7

SHA256
1c4de9502be87dae14986721df13aa7e26a7fcb4e3c6a12caabdbb21a3c4e5f1

SHA512
675a6a31e9ca7bf8194e6a46a672091a6d160466630087cb9bb48681c7b092222376ca0cbfb7d03273fcf02ab1ed4343f9b57423761db6a67af71e5c89e669db

Download Submit
C:\Windows\{4A46BF95-58CC-41b7-BE9E-04D340E5DC03}.exe

Filesize
192KB

MD5
00196136032ce828b5bd231f582e18b3

SHA1
76bb426ea1d8b57aab6f64d95aec787612326ca0

SHA256
f2eac0a5ae72be7f9fbba452153dc05865b5bb5f4c18c2a0405a4c04a1e20412

SHA512
b02f52a0b5354ce838edfc3bd7f40f4e950cfd9fa5dcbf42cd5810292f6f13c8d30f43db9d9e040a3128c5f20e682c2c264d742323910fd2dfa11f7351d6ef75

Download Submit
C:\Windows\{521730E6-AC64-4e32-B467-11654710B901}.exe

Filesize
192KB

MD5
5546dd4bbbb40401b4965c64e79982c0

SHA1
ecf751adba49fa363e9720f5e896de3102e728c6

SHA256
73b56d7c2f35f0c0dc31303ac4e09e09e78c88850f12afbdf9b87e72003ef2bb

SHA512
dc1a754a15bb7a0695d92078dfafc69d6b2556ca1ae7e9509008babc53c61e5bdfb18743ca7ce31f7bb8452be644773802b23b3e531814e6176cd3ee753850ee

Download Submit
C:\Windows\{56DE8216-0378-42a9-B6ED-5685B7401012}.exe

Filesize
192KB

MD5
79094d7568a234dce4054dde9dca2151

SHA1
5014d60fca3120fdc7d794714bdf7fa8a431a119

SHA256
aa8bebd33d51e58cb9fc2749fe6f0707d5d57928162f5e21dafacf7802deb83d

SHA512
c039ea6ce17dca14c7ceae6cdef6eb9a214c45fdbfaac5fb7340eafdc8be0b945717162c802a0355775d5be2a5db8f3e92570a34b8c2b6db578ec9bb72c9c4f0

Download Submit
C:\Windows\{61C47753-53E1-4d8d-8759-4890D2142B11}.exe

Filesize
192KB

MD5
e87ff2025730ecf31ce8f62cdf0f4c70

SHA1
ab70ac2eca51f9bf337748f911fa39a62870ee51

SHA256
329eaecaf284e9be07fdad827e6eacbad8d2ec1c1c90466cfe4e375cac1b561c

SHA512
3bd1fb280f22dfa3045ee01cc9574ff5e547b6385d1ae8bb8f87f45923067ad23c4d7876abc15b5a07715f38b5acb719849af51553866f794c1dff2708b940e9

Download Submit
C:\Windows\{7C70E9E7-8592-4a18-8B04-7934B1304EF0}.exe

Filesize
192KB

MD5
8a467ed54b5ec7594e6f47abc02e7207

SHA1
23344fcd830a7c3751572c3cc7e47223802bf45e

SHA256
d98fd72ab66621dc14a7fde7893501de1cfb1e3f89c5ea21623d0af538b02719

SHA512
f333a7f3237bbbc6c1597c2ed5dffe5e9bcb1eb56001c67620c195e496fc8cafa0f35b829710113869f84794875d011d53755bd1024247a124147c76613a9f11

Download Submit
C:\Windows\{9C1585C5-4D1F-44d4-BB6C-420ED6BD3D93}.exe

Filesize
192KB

MD5
6c108360d3c27fdc1ae7c3779d56ad60

SHA1
5a41df2ff377d8812863204f4e6e458c81cb5d24

SHA256
87737607834e9715c30843dbdf738d6b5cdda72826f068a6e68c4cf2753f2beb

SHA512
a5933247f905e0e3d4850cef85e12b6f92889e64b677f6b9d360ba209d416ddc0dc697f31330d80819750c34325810517d5724d46b224616fd0df4ee9affbec7

Download Submit
C:\Windows\{BD499852-071E-4d34-A119-4906D1B8682C}.exe

Filesize
192KB

MD5
62c4dda0131bf96404d67799edae7590

SHA1
182156c2d2bfc0787c1e22b59b80f67b003e611a

SHA256
81047a5c46d8d87e373a4050b8ad9911dad366f865cafd26b30fc4aee4b3e5ce

SHA512
13ff4297f8bdbdb6bf3ae43f2f819141f3703532215a2f335853c278e5af68080c7fcdcde5b02e43d246fd87fdfc20c6312ff010cdcb0f48cd46e2a5e5800840

Download Submit
C:\Windows\{CF0F3030-72FC-4800-B77C-7A026A6D970B}.exe

Filesize
192KB

MD5
697889a216afb410f54b0cc3ac19ac0b

SHA1
691c63d85e3ecd121a2325d69249607c3793f267

SHA256
4f06e3352e103fe26d851ee7fbd9512047975527342c69792f27361cd8bcecb5

SHA512
a0022966f35a28cf5ce2baa2242230127db5a59cabb32d9e4d694333846bf7c5dbd3db5d26471f56e766fb83af7f169b5899b4b5c369e0272cfc244d92873245

Download Submit
C:\Windows\{D7F5BAE9-1E44-462d-8306-A91FDFA63FC4}.exe

Filesize
192KB

MD5
5fa855a92e4732ead0e0690f892a6365

SHA1
e624da779bce877575118d03681a9e631bbe8eb7

SHA256
8798dbf19d6c0b972edef39185b074fcfdfb4aba9db990968c5237177536062f

SHA512
267b4ad3f3225d7944e5b969ddbd7c6f12fda50aaf4c027572182fbd87bd1767572eb1b8c8c7bea44a8a0b18903c57d4cf685f1d29f1e962a833c250bb2867bf

Download Submit
C:\Windows\{DCE7A59C-DC36-4929-BF43-3454A0334D69}.exe

Filesize
192KB

MD5
dc6f01c87816736625057afbec3d481b

SHA1
7da26d333c19d0c96d6f0e3ffa1be680642261aa

SHA256
9a6e46bb1435f86c9c1202a157caa745a3e20f04308cea60e60911ebdca1e0a1

SHA512
3797e407e6760d9faad5f3026e314d608331c28b1c51564872e76160913ec8e662f4225ed9bcb68427fce8685d2fc7c140c264ade8b7c94acba180b797129257

Download Submit
C:\Windows\{E6911651-4E6A-4df3-BCB0-2D77317A9B71}.exe

Filesize
192KB

MD5
84d155579f764a0b4da0a6f8d4353317

SHA1
a7f74452543c5ec7cc4f66904d2033f6e7044fca

SHA256
be14c07d755a92dcba8a5927ccaa15ac42d662aa5f1a2bb972582bbb7a34a0b4

SHA512
229cfee028f0f9b91ed15bf81f6157cab0c8ce72c62cf89d6337b157c66ec64c80453f93cc5a04ab8a971dde26e78502ef67ddbf2440fdef9c0efe93ca36ae38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads