5fe1bd8fce9fc2feaa72e48eed713bfcff5bb1693abcce21c3252baa3c3e1f48

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Size

372KB
MD5

0c8dfa629cee1f786d593781e00e990f
SHA1

a76792116d3d59ad26f7eff68849468f8907cf0f
SHA256

5fe1bd8fce9fc2feaa72e48eed713bfcff5bb1693abcce21c3252baa3c3e1f48
SHA512

029c853a0385b3ddb90511167af59c30bd3078e69be332012bffc605b3f8946f6be38a078aa4f447eba3da590c10d7e70e55a49dbe3790c351e8d657214d3c0c
SSDEEP

3072:CEGh0oElMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C5D095-3298-41a3-919C-90283E1EA442}	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}\stubpath = "C:\\Windows\\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe"	{67C5D095-3298-41a3-919C-90283E1EA442}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D97B5D-0735-4252-A5DD-43819FDD87B0}	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}\stubpath = "C:\\Windows\\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe"	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}\stubpath = "C:\\Windows\\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe"	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86272EFC-0B72-492b-99BF-97781ADF09C4}	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86272EFC-0B72-492b-99BF-97781ADF09C4}\stubpath = "C:\\Windows\\{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe"	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}\stubpath = "C:\\Windows\\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe"	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491A44C9-6290-49df-851D-16B69C4CD42F}\stubpath = "C:\\Windows\\{491A44C9-6290-49df-851D-16B69C4CD42F}.exe"	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8981704F-84E8-44ed-8E19-46BA46F4F24F}	{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C5D095-3298-41a3-919C-90283E1EA442}\stubpath = "C:\\Windows\\{67C5D095-3298-41a3-919C-90283E1EA442}.exe"	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}	{67C5D095-3298-41a3-919C-90283E1EA442}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D97B5D-0735-4252-A5DD-43819FDD87B0}\stubpath = "C:\\Windows\\{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe"	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8981704F-84E8-44ed-8E19-46BA46F4F24F}\stubpath = "C:\\Windows\\{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe"	{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}\stubpath = "C:\\Windows\\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe"	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}\stubpath = "C:\\Windows\\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe"	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3253285F-16F6-430d-9CA5-62ABD9A1471B}	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3253285F-16F6-430d-9CA5-62ABD9A1471B}\stubpath = "C:\\Windows\\{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe"	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491A44C9-6290-49df-851D-16B69C4CD42F}	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe
4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
3940	{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
1336	{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
File created	C:\Windows\{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
File created	C:\Windows\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
File created	C:\Windows\{491A44C9-6290-49df-851D-16B69C4CD42F}.exe	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
File created	C:\Windows\{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe	{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
File created	C:\Windows\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
File created	C:\Windows\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	{67C5D095-3298-41a3-919C-90283E1EA442}.exe
File created	C:\Windows\{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
File created	C:\Windows\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
File created	C:\Windows\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
File created	C:\Windows\{67C5D095-3298-41a3-919C-90283E1EA442}.exe	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
File created	C:\Windows\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
Token: SeIncBasePriorityPrivilege	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
Token: SeIncBasePriorityPrivilege	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe
Token: SeIncBasePriorityPrivilege	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
Token: SeIncBasePriorityPrivilege	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
Token: SeIncBasePriorityPrivilege	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
Token: SeIncBasePriorityPrivilege	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
Token: SeIncBasePriorityPrivilege	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
Token: SeIncBasePriorityPrivilege	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
Token: SeIncBasePriorityPrivilege	2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
Token: SeIncBasePriorityPrivilege	3940	{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4972	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	85
PID 3612 wrote to memory of 4972	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	85
PID 3612 wrote to memory of 4972	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	85
PID 3612 wrote to memory of 3740	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	86
PID 3612 wrote to memory of 3740	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	86
PID 3612 wrote to memory of 3740	3612	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	86
PID 4972 wrote to memory of 4696	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	87
PID 4972 wrote to memory of 4696	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	87
PID 4972 wrote to memory of 4696	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	87
PID 4972 wrote to memory of 1632	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	88
PID 4972 wrote to memory of 1632	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	88
PID 4972 wrote to memory of 1632	4972	{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe	88
PID 4696 wrote to memory of 2288	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	91
PID 4696 wrote to memory of 2288	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	91
PID 4696 wrote to memory of 2288	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	91
PID 4696 wrote to memory of 4316	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	92
PID 4696 wrote to memory of 4316	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	92
PID 4696 wrote to memory of 4316	4696	{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe	92
PID 2288 wrote to memory of 4984	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	94
PID 2288 wrote to memory of 4984	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	94
PID 2288 wrote to memory of 4984	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	94
PID 2288 wrote to memory of 3284	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	95
PID 2288 wrote to memory of 3284	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	95
PID 2288 wrote to memory of 3284	2288	{67C5D095-3298-41a3-919C-90283E1EA442}.exe	95
PID 4984 wrote to memory of 4412	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	96
PID 4984 wrote to memory of 4412	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	96
PID 4984 wrote to memory of 4412	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	96
PID 4984 wrote to memory of 1020	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	97
PID 4984 wrote to memory of 1020	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	97
PID 4984 wrote to memory of 1020	4984	{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe	97
PID 4412 wrote to memory of 2456	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	98
PID 4412 wrote to memory of 2456	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	98
PID 4412 wrote to memory of 2456	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	98
PID 4412 wrote to memory of 620	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	99
PID 4412 wrote to memory of 620	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	99
PID 4412 wrote to memory of 620	4412	{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe	99
PID 2456 wrote to memory of 4724	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	100
PID 2456 wrote to memory of 4724	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	100
PID 2456 wrote to memory of 4724	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	100
PID 2456 wrote to memory of 2920	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	101
PID 2456 wrote to memory of 2920	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	101
PID 2456 wrote to memory of 2920	2456	{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe	101
PID 4724 wrote to memory of 2200	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	102
PID 4724 wrote to memory of 2200	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	102
PID 4724 wrote to memory of 2200	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	102
PID 4724 wrote to memory of 4380	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	103
PID 4724 wrote to memory of 4380	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	103
PID 4724 wrote to memory of 4380	4724	{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe	103
PID 2200 wrote to memory of 1880	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	104
PID 2200 wrote to memory of 1880	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	104
PID 2200 wrote to memory of 1880	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	104
PID 2200 wrote to memory of 1408	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	105
PID 2200 wrote to memory of 1408	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	105
PID 2200 wrote to memory of 1408	2200	{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe	105
PID 1880 wrote to memory of 2304	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	106
PID 1880 wrote to memory of 2304	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	106
PID 1880 wrote to memory of 2304	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	106
PID 1880 wrote to memory of 1908	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	107
PID 1880 wrote to memory of 1908	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	107
PID 1880 wrote to memory of 1908	1880	{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe	107
PID 2304 wrote to memory of 3940	2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe	108
PID 2304 wrote to memory of 3940	2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe	108
PID 2304 wrote to memory of 3940	2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe	108
PID 2304 wrote to memory of 3032	2304	{491A44C9-6290-49df-851D-16B69C4CD42F}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
  C:\Windows\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
    C:\Windows\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\{67C5D095-3298-41a3-919C-90283E1EA442}.exe
      C:\Windows\{67C5D095-3298-41a3-919C-90283E1EA442}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
        
        C:\Windows\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
        
        C:\Windows\{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
        
        C:\Windows\{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
        
        C:\Windows\{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
        
        C:\Windows\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
        
        C:\Windows\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
        
        C:\Windows\{491A44C9-6290-49df-851D-16B69C4CD42F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
        
        C:\Windows\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe
        
        C:\Windows\{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC1C~1.EXE > nul
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{491A4~1.EXE > nul
        12⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7E4~1.EXE > nul
        11⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8CF4~1.EXE > nul
        10⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86272~1.EXE > nul
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94D97~1.EXE > nul
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32532~1.EXE > nul
        7⤵
        
        PID:620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B9A8~1.EXE > nul
        6⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67C5D~1.EXE > nul
        5⤵
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BB6~1.EXE > nul
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{665F5~1.EXE > nul
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3253285F-16F6-430d-9CA5-62ABD9A1471B}.exe

Filesize
372KB

MD5
15791ad2f7636b92f683a5497dbe2560

SHA1
8faeb7a7c1f38c23e36d7fea236a3c4f58ed493e

SHA256
179825a7e510128fa2d0d137ee7e9fcc0a9c99970c4eed1fbeddeb45f5331b78

SHA512
dcbba67b8a7e911cd0c35444188bcb35cbc2f8d61f513ac47538809b8545f8316946ce4ea5e46618acc647d42675dacfb9ee1ee6b50ac2b2ad441d59be8dbc17

Download Submit
C:\Windows\{3B9A8EFD-9FDD-4bec-B64F-1176A25C9858}.exe

Filesize
372KB

MD5
7aca9900b2cac626cc019e20b1adc61e

SHA1
14c2fe95ad8aa0d324b5f32581bba80dbbe0e83c

SHA256
3ddf5bc0b9d6075fdaf03d9dd9f65e0f7975ec2b05ce62edbdb90a6c0aa3e69b

SHA512
092f96bcc28e65ded8fda1d81983cd28d08b51024508f9789349a9ad91f7b05abf152b4b6093f1e6fe3b457c927e95e7069f7c0bfdf34df32c9b6e541562f1e0

Download Submit
C:\Windows\{491A44C9-6290-49df-851D-16B69C4CD42F}.exe

Filesize
372KB

MD5
63e70bea9b4b74cecd9895351d3e9519

SHA1
b2eb2a7c42ccfb5a0cdc716fd4817a3ed2c4874e

SHA256
f4b30837538053159d0a7beaca42372fb6fab3fe4c5fd4448b126ac00abb5c01

SHA512
e306deba9c9f23fae036ae40b9c7b4b20e8f3d99e15389f094ace10f29c5a1bf162e2f111bac4fd6b8a3596d250653f9ac626479c3f8067d5ecd6a7028906a79

Download Submit
C:\Windows\{665F57A2-50DD-4ff5-B752-E93D027DCBC1}.exe

Filesize
372KB

MD5
ec4c783d2877be2c53bb7dad255a5bee

SHA1
a93a9196682f75e6072b129050c52a5754c7f106

SHA256
5cca480b4d1fbd36f25386da2687a8f991370daf2c16538ab15425b0978fcb9b

SHA512
7c2f8d5d17d936bc38f94546e2201554998f17d40951e1ad0b5349213bc508bb86d49f505a06e10510273239b6d6e295f2d4a22e8eb330af049939d51d56d386

Download Submit
C:\Windows\{67C5D095-3298-41a3-919C-90283E1EA442}.exe

Filesize
372KB

MD5
552995dd6da9162ca351649f99f5bc53

SHA1
a05ce6053c9ba624856d9c9cbbb57ac179353976

SHA256
f368ce0bd9d4da056142f3b085c97475e45d7049bb339452b2095b04f2e133de

SHA512
963c1f31c9f23482ce8a800725774c9035647ff6adf1713701b5beed78b820100878f0fa5c261877b34b1e98cf97980212cc7559fb1cdb4673ace3cf295ce586

Download Submit
C:\Windows\{6A7E4EB8-134C-4a0d-B919-2BA53911465B}.exe

Filesize
372KB

MD5
39357b3afb8c7aaa4f70803c3ce688ef

SHA1
0e7495c7d90db9f97569749f01c4afae926af3f9

SHA256
fa6e92c96d54471d42fe63ecfd0bf9e2620d84fb9d53d40261a0659654777a73

SHA512
bc5db02d11ac2fbdf00272a0707943b1415e342a39ad4b82d7a548d31b8daa50b974977b6b9c8b3a248a8599f6430e6fd754204a0b623dcc6d691848c782e669

Download Submit
C:\Windows\{86272EFC-0B72-492b-99BF-97781ADF09C4}.exe

Filesize
372KB

MD5
a4fc14399a97c5f6fb094c5f49aa7c4d

SHA1
16a6c2a9d3d29ccd57595e242ef2c86d0292f77f

SHA256
e222c8a2bae8aa996d38d439cd06b732a616ab64aca01082d6c67802c6a87191

SHA512
538fb2ef594ee655694341e0f85b4b429850e83c0f5b211fefc17f2896e55940fdfe1481d40df4089e28109a2feb90add5db8ef2b60eac818c66d15e89992604

Download Submit
C:\Windows\{8981704F-84E8-44ed-8E19-46BA46F4F24F}.exe

Filesize
372KB

MD5
b1d1aa50eacb55752e09d7eb4b22909e

SHA1
3fe06a9c77012bdff04c59fb664f1527fb8c51d8

SHA256
de266b0f2d26214006b9f5d5a674880e9485eb549c977a90e5ebb7cb0b295398

SHA512
db5bf2a184555f85178cd3b2ff4099f2f3c9df142798e342f491dd5d73c1081080a6f1b2c18edcc3eefd5aa113ce43fd720cc7e5ed9cc677a7de491c309d4b4b

Download Submit
C:\Windows\{94D97B5D-0735-4252-A5DD-43819FDD87B0}.exe

Filesize
372KB

MD5
06754bea6c6aff4e417161a8f7315d94

SHA1
47d1e1ecd047e234e676d4e28cfdc0f87fd63f09

SHA256
df214837d3d0b8210817efb8ce9ddb14b200709456266599235caf50f405d2b1

SHA512
7196cb076a35b04daa16dc3b787764e4d619d04b187d5bb2b09270d45024b2fa0e21fef4138858c416c7b88070fdff8e0c1c83f05bd07e5088a65ec91dae0615

Download Submit
C:\Windows\{9EC1C37D-B52E-477a-9CC4-620CECB28BF6}.exe

Filesize
372KB

MD5
7d036d38e698cca50c0cc3c8b868245e

SHA1
f8bb0d8b49fa3a6cc60d51bf061160e4e48d6199

SHA256
298459ac1a9e956c8d4b11362bcf1b583c7c14e3fa46460a99ab9b9f19268d77

SHA512
47552c9e5792efc8b0739ba27b20345af6b009109047c68125461e09ffa11417f2a42e857647cafa94e866df3cdba81f93c0b1a8220ec7e584d6101fafd39901

Download Submit
C:\Windows\{A8CF49D8-C16F-49ba-9B41-4F012AE00C60}.exe

Filesize
372KB

MD5
389aa9a6a4810cc9a82c43d530aa6af4

SHA1
b97c756684b216a166e1844728fa3469dc637b5b

SHA256
c4e0ec73013634808b3b326a4600a7d9a216568b9c5d36d0e2c9a1aec31b2f69

SHA512
1e09740208cd1217058a647469628dd4a1b1d57d399a5fccc71a195f3f3717ba639f46984af60c9a32db5c2ef4c35a13481eac8f22ac0a0e8793523ee37e3546

Download Submit
C:\Windows\{D0BB6F3C-4E1B-45b8-8C32-3C2D623F4AE8}.exe

Filesize
372KB

MD5
2e6eab72db4ad1311f53807c0834e96d

SHA1
2d390b7a034080c8fcf1f74b9f330c89667ff19b

SHA256
b64bbb6a931e275af75b8c17017dc56d005c2597d1147fa8a956a5ad754d037e

SHA512
7c429a9dd7e9f06c4af1d0e2556846535fffe4fabcf191917f86577d93426fc4421e1688606149f3381c779a141a057cc0fbc61d29c79d83109c9adf5fa3f304

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads