6db2d81b0d23ed111057fb42d57ecb157a79ce83d76eb1f3a4a4eb99e3765838

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Size

380KB
MD5

ae4c37ada9f62ea4a4aac066ec6a5938
SHA1

1922ae90de1682a43ba936eb2e2c02526a67d1f0
SHA256

6db2d81b0d23ed111057fb42d57ecb157a79ce83d76eb1f3a4a4eb99e3765838
SHA512

ac1b0dad598b44a0442b44659990bb24583e4c4f7035cef597c327fd2abc4c5c56668bb536caf9bd6e1350a5f21ab8498e252bcde29d19b5f8828be26ef969be
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B62085B-3206-4159-83F2-AD0DBFC751EC}	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B62085B-3206-4159-83F2-AD0DBFC751EC}\stubpath = "C:\\Windows\\{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe"	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62236864-04BA-4671-A8B2-9EAAD7E59619}\stubpath = "C:\\Windows\\{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe"	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C98E301-016D-4d1c-8262-528FFC97FB3B}\stubpath = "C:\\Windows\\{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe"	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}\stubpath = "C:\\Windows\\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe"	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B506132B-62F7-487f-8CFB-920AC35EF243}	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B506132B-62F7-487f-8CFB-920AC35EF243}\stubpath = "C:\\Windows\\{B506132B-62F7-487f-8CFB-920AC35EF243}.exe"	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62236864-04BA-4671-A8B2-9EAAD7E59619}	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}\stubpath = "C:\\Windows\\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe"	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}\stubpath = "C:\\Windows\\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe"	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}\stubpath = "C:\\Windows\\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe"	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0970858-E434-4133-8A0F-AFCD1362A7FD}\stubpath = "C:\\Windows\\{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe"	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}\stubpath = "C:\\Windows\\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe"	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C98E301-016D-4d1c-8262-528FFC97FB3B}	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}	{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}\stubpath = "C:\\Windows\\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe"	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0970858-E434-4133-8A0F-AFCD1362A7FD}	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}\stubpath = "C:\\Windows\\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe"	{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
1096	{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe
4876	{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
File created	C:\Windows\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe	{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe
File created	C:\Windows\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
File created	C:\Windows\{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
File created	C:\Windows\{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
File created	C:\Windows\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
File created	C:\Windows\{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
File created	C:\Windows\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
File created	C:\Windows\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
File created	C:\Windows\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
File created	C:\Windows\{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
File created	C:\Windows\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
Token: SeIncBasePriorityPrivilege	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
Token: SeIncBasePriorityPrivilege	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
Token: SeIncBasePriorityPrivilege	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
Token: SeIncBasePriorityPrivilege	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
Token: SeIncBasePriorityPrivilege	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
Token: SeIncBasePriorityPrivilege	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
Token: SeIncBasePriorityPrivilege	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
Token: SeIncBasePriorityPrivilege	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
Token: SeIncBasePriorityPrivilege	4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
Token: SeIncBasePriorityPrivilege	1096	{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 3904	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	85
PID 804 wrote to memory of 3904	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	85
PID 804 wrote to memory of 3904	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	85
PID 804 wrote to memory of 2460	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	86
PID 804 wrote to memory of 2460	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	86
PID 804 wrote to memory of 2460	804	2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe	86
PID 3904 wrote to memory of 4352	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	87
PID 3904 wrote to memory of 4352	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	87
PID 3904 wrote to memory of 4352	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	87
PID 3904 wrote to memory of 2100	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	88
PID 3904 wrote to memory of 2100	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	88
PID 3904 wrote to memory of 2100	3904	{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe	88
PID 4352 wrote to memory of 4768	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	92
PID 4352 wrote to memory of 4768	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	92
PID 4352 wrote to memory of 4768	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	92
PID 4352 wrote to memory of 2500	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	93
PID 4352 wrote to memory of 2500	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	93
PID 4352 wrote to memory of 2500	4352	{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe	93
PID 4768 wrote to memory of 2444	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	94
PID 4768 wrote to memory of 2444	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	94
PID 4768 wrote to memory of 2444	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	94
PID 4768 wrote to memory of 2788	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	95
PID 4768 wrote to memory of 2788	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	95
PID 4768 wrote to memory of 2788	4768	{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe	95
PID 2444 wrote to memory of 4896	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	96
PID 2444 wrote to memory of 4896	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	96
PID 2444 wrote to memory of 4896	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	96
PID 2444 wrote to memory of 1480	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	97
PID 2444 wrote to memory of 1480	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	97
PID 2444 wrote to memory of 1480	2444	{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe	97
PID 4896 wrote to memory of 960	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	98
PID 4896 wrote to memory of 960	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	98
PID 4896 wrote to memory of 960	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	98
PID 4896 wrote to memory of 4692	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	99
PID 4896 wrote to memory of 4692	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	99
PID 4896 wrote to memory of 4692	4896	{B506132B-62F7-487f-8CFB-920AC35EF243}.exe	99
PID 960 wrote to memory of 680	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	100
PID 960 wrote to memory of 680	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	100
PID 960 wrote to memory of 680	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	100
PID 960 wrote to memory of 512	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	101
PID 960 wrote to memory of 512	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	101
PID 960 wrote to memory of 512	960	{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe	101
PID 680 wrote to memory of 540	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	102
PID 680 wrote to memory of 540	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	102
PID 680 wrote to memory of 540	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	102
PID 680 wrote to memory of 2884	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	103
PID 680 wrote to memory of 2884	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	103
PID 680 wrote to memory of 2884	680	{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe	103
PID 540 wrote to memory of 3672	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	104
PID 540 wrote to memory of 3672	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	104
PID 540 wrote to memory of 3672	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	104
PID 540 wrote to memory of 4276	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	105
PID 540 wrote to memory of 4276	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	105
PID 540 wrote to memory of 4276	540	{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe	105
PID 3672 wrote to memory of 4500	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	106
PID 3672 wrote to memory of 4500	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	106
PID 3672 wrote to memory of 4500	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	106
PID 3672 wrote to memory of 2568	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	107
PID 3672 wrote to memory of 2568	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	107
PID 3672 wrote to memory of 2568	3672	{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe	107
PID 4500 wrote to memory of 1096	4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe	108
PID 4500 wrote to memory of 1096	4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe	108
PID 4500 wrote to memory of 1096	4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe	108
PID 4500 wrote to memory of 4796	4500	{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_ae4c37ada9f62ea4a4aac066ec6a5938_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
  C:\Windows\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
    C:\Windows\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
      C:\Windows\{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
        
        C:\Windows\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
        
        C:\Windows\{B506132B-62F7-487f-8CFB-920AC35EF243}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
        
        C:\Windows\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
        
        C:\Windows\{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
        
        C:\Windows\{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
        
        C:\Windows\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
        
        C:\Windows\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe
        
        C:\Windows\{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe
        
        C:\Windows\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C98E~1.EXE > nul
        13⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E0AD~1.EXE > nul
        12⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58FE0~1.EXE > nul
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62236~1.EXE > nul
        10⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0970~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{107C1~1.EXE > nul
        8⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5061~1.EXE > nul
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C2C2~1.EXE > nul
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B620~1.EXE > nul
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF91~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA2C9~1.EXE > nul
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{107C1DAF-0C83-4a57-A796-7C0476D71AE4}.exe

Filesize
380KB

MD5
41dafc6371d6b7db918648b97480f03e

SHA1
5fe9fa7f259481e6001f2d923f18a86643c56e63

SHA256
08f59d939ac1af6cd52eb448201bc5814e51ba99b923b213d1bd9a9df5b04965

SHA512
e60d5336a6b62a553bbc9e402c59817213e7f3d2342398ef6b6bb6515e96003b5694f8aa18e7a0c5e5a9c487ab6ead420009c16e95bcf89ef756f0bcf6adf6ee

Download Submit
C:\Windows\{3C2C22BB-049F-47ac-98A6-A2198D7C704E}.exe

Filesize
380KB

MD5
21b3b61bf563d6109689e717bca7cca1

SHA1
a1efd9e20650feb61673779301f9e15cffb3921a

SHA256
0f56c50275e7e672fb8a4142875346c39356f111c12a03560eeb2ac2e8a30e37

SHA512
9830e36fecfcbbfde5c22b3880b0e9c9296c53f60e14682271f72894407fb81c1133209a25f207b8b7e9265c5b147ceed38234e79ed5868f4c6d2ea89cb1c425

Download Submit
C:\Windows\{58FE0649-1D2C-4be0-A2B3-1086E81FF0E3}.exe

Filesize
380KB

MD5
a31f380a2405aac7c7220207ad56fa16

SHA1
8fb4fbe5aeb19e8c61eeb5060aeb51ef1ad8a3ed

SHA256
d0897685776d73f58747a9181c2e3be62fa3150c76f1d73284304f0b463baa89

SHA512
24f3706974a91e334f231c48156ba1e9d31e0ce872e74bb02ca1ed137857515ce73265f93d6a102b787780e31ad8ad965b8c030d3675cb24e7d4b712efbbe321

Download Submit
C:\Windows\{5FF91927-02E3-4ce7-8150-7EFBA29A6CB2}.exe

Filesize
380KB

MD5
c4892955836b09b4bc971274dfee1386

SHA1
bcd0b3bf5b850afbe70f736b008e625f40cc473f

SHA256
0f2d5948331b6aae99a9cf619357b4ba29a32ca1cae3f6e9975f2aff4dd3583c

SHA512
271fc6e0cbcde2650cb28f073b9bce3f13e4c5a0967a324af2590be3d35718596a007be580b252f38287a04be72ef15bb1a1721cb1ccf08f42f541c7e8f3b7fb

Download Submit
C:\Windows\{62236864-04BA-4671-A8B2-9EAAD7E59619}.exe

Filesize
380KB

MD5
447dcede21a38d86071c69c0715c5898

SHA1
1e700c01ea3d4fd784113583b31b28901c524c2d

SHA256
6bebf6e8df5332da53f157e251eec5b52bfc10a48a9bd1be3b85fe3a364abd68

SHA512
9f81845374b0f3a00cbf42e586fb464db534b553e814de0c8fc2ab947ba01f0f72c17c42624997725a7151b9a1138a6a1a778b5a066b25ed65b341f511a1247c

Download Submit
C:\Windows\{8B62085B-3206-4159-83F2-AD0DBFC751EC}.exe

Filesize
380KB

MD5
178cf63a17392b3113d8a8f6a590236d

SHA1
f099cc86579f2afbb69835d1576f431067a7a269

SHA256
778430f07d1516858a8c5c4d7117e6e2624f8a261b15c4d3a6fe0f296fe86fd7

SHA512
8ad2c42d67347b50328c293025dbbde3f9bd1947550b9e2f44bcb424ec9b08b18daa364004263a16dd2c646329a85d1506371aa36e0ea9d2e5dcb671897dd653

Download Submit
C:\Windows\{8C98E301-016D-4d1c-8262-528FFC97FB3B}.exe

Filesize
380KB

MD5
6d46b2b95420797b68b23a31dc880edd

SHA1
8d0edcff3375ad547225ef23b8b4ac8519c85b8e

SHA256
314ad73d48e08249c6671c14b317e27eb5f14f1dbf164eb6ff2de5d9ed068b99

SHA512
02a0558caee10f54636be2c33903f6080fa20639bd56c9ec70667ac11faffca8bd3dc36d8e41591c23f84178b5aaf99c65807e2d2c0945712e0ca4be7710a12c

Download Submit
C:\Windows\{8E0AD8F4-F0AA-4c52-929A-2B74B604CD17}.exe

Filesize
380KB

MD5
41527e5c000108a75cac93ee9b8bc7cd

SHA1
adc108720d3199f776e8c591942a0a016b89ce9e

SHA256
a5054d751182b827de29e702abdf280d843412d481a7d1fe5536eb69474a5554

SHA512
8d59344c8f6de26d2298587a80f98a28493ccc31bf32cbffc1a59b904eb0cb1f450c4a4110eadaaa3b443f99e9fcf76dc256ae85a0ec2001831ba283e1f6fe0a

Download Submit
C:\Windows\{A0970858-E434-4133-8A0F-AFCD1362A7FD}.exe

Filesize
380KB

MD5
b80676462aa302447e42f7152568a6b2

SHA1
fe5bad63a6a7fd4c1283bd370fb432d4bbc82cdf

SHA256
67e769ffba3b44fbb440a27befae4f3ec71495718b2eda6b63668610e3f7cb72

SHA512
00f207b81f6483e28d21142fe5819542bf4db4bdb68f65bf38ff33667186fea04512e0c135bd3cd6b7ceee9cc265726186bea188ad21a2cb1d8ff719ba683633

Download Submit
C:\Windows\{B506132B-62F7-487f-8CFB-920AC35EF243}.exe

Filesize
380KB

MD5
c9b692c0c62e9616b654bb4ba03b0465

SHA1
99186454526c186a002fe35e536decf3d72e7324

SHA256
efbccae9e228aa83fff1c6de26c08c78a851f936270ea19ecec8503183e2c263

SHA512
e6a48e98bd2eb46adbd5117c70100a42c979cce9274f2fa16f146283a85ca6a5ca55a2a245c6a3f8f53dbd74dff20ce3da4ecaa004a08f8a4926399c0c01ba25

Download Submit
C:\Windows\{DA2C94AA-4CA3-4201-BA5B-05F4B675E709}.exe

Filesize
380KB

MD5
530f582fc52a76afa223e1301d3a6502

SHA1
06ed1a42ac283611863b06589ded9f15a0a02ed6

SHA256
e0190fd4b7e597cfed47adc93b55a75bc2c5cbfdb9ab97d306bff0ac2b14fb78

SHA512
d50b564d152998e89cc371d4eb1c6d150eaa30e4544158fdab36b59c56ffaf7448df16004f5d0280bfe0fb9227712a9e8f21287f937e1873b4f2de2b460cf9cc

Download Submit
C:\Windows\{E84EC6F8-1DC1-4244-A7E9-797ED47B4C4C}.exe

Filesize
380KB

MD5
7d558ff887c258cdaf9205501045b5b8

SHA1
208124be3850a2c407e16020e7a0833c295ca158

SHA256
57ff79adbeab5dd17ca2ae374d86c8fa2a78a631a8ddb329c8225319eb4ee87c

SHA512
c2943f10bf1a1ec4ae664c10385b84f32e8f71c22fb96cdfcfbc9f025e06a26d6c64c3a47ad97749c531e6699577992ea16544502d2c709ea5d2b1b618b1c099

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads