948e9189acdf78f1322f86ea95ca77bb45d9f39ec19cdc8cdf3caaf6618123b5

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
Size

197KB
MD5

636a990fb1e379e3e3040850d4051c85
SHA1

46e15982169a5abece2ef00c8d54f5cb0e97b020
SHA256

948e9189acdf78f1322f86ea95ca77bb45d9f39ec19cdc8cdf3caaf6618123b5
SHA512

6458b541cd286796bf43a70428bdf76301be24d9294c83300a955036d10a486dd54bb6caffc920c3b7754fae09be9f8b38c0be33f575143498132b7c9b2b541d
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGalEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{788215AD-FEC5-4da1-A363-A097DF3A295A}\stubpath = "C:\\Windows\\{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe"	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07227EB9-2D67-4bfd-970A-86617CF78ECE}	{8B75587E-3207-4305-B020-7619C80F78D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}\stubpath = "C:\\Windows\\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe"	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{788215AD-FEC5-4da1-A363-A097DF3A295A}	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE1276B0-BC5B-468e-9107-B5931EF58321}	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C4D6A5-579A-4584-98D8-DA80C6F12181}	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C4D6A5-579A-4584-98D8-DA80C6F12181}\stubpath = "C:\\Windows\\{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe"	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B6EC8E-A435-4515-AC52-2EB3806178FC}\stubpath = "C:\\Windows\\{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe"	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}\stubpath = "C:\\Windows\\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe"	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}\stubpath = "C:\\Windows\\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe"	{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B75587E-3207-4305-B020-7619C80F78D4}	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07227EB9-2D67-4bfd-970A-86617CF78ECE}\stubpath = "C:\\Windows\\{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe"	{8B75587E-3207-4305-B020-7619C80F78D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}\stubpath = "C:\\Windows\\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe"	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B6EC8E-A435-4515-AC52-2EB3806178FC}	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41789FB9-1635-4418-B6A1-0B419906FA0A}	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41789FB9-1635-4418-B6A1-0B419906FA0A}\stubpath = "C:\\Windows\\{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe"	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}	{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}\stubpath = "C:\\Windows\\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe"	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE1276B0-BC5B-468e-9107-B5931EF58321}\stubpath = "C:\\Windows\\{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe"	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B75587E-3207-4305-B020-7619C80F78D4}\stubpath = "C:\\Windows\\{8B75587E-3207-4305-B020-7619C80F78D4}.exe"	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe
312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe
1896	{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
2464	{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
File created	C:\Windows\{8B75587E-3207-4305-B020-7619C80F78D4}.exe	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
File created	C:\Windows\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
File created	C:\Windows\{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
File created	C:\Windows\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe	{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
File created	C:\Windows\{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
File created	C:\Windows\{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
File created	C:\Windows\{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	{8B75587E-3207-4305-B020-7619C80F78D4}.exe
File created	C:\Windows\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
File created	C:\Windows\{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
File created	C:\Windows\{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
File created	C:\Windows\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
Token: SeIncBasePriorityPrivilege	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
Token: SeIncBasePriorityPrivilege	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
Token: SeIncBasePriorityPrivilege	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe
Token: SeIncBasePriorityPrivilege	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
Token: SeIncBasePriorityPrivilege	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
Token: SeIncBasePriorityPrivilege	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
Token: SeIncBasePriorityPrivilege	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
Token: SeIncBasePriorityPrivilege	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
Token: SeIncBasePriorityPrivilege	536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe
Token: SeIncBasePriorityPrivilege	1896	{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3676	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	93
PID 2972 wrote to memory of 3676	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	93
PID 2972 wrote to memory of 3676	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	93
PID 2972 wrote to memory of 3696	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	94
PID 2972 wrote to memory of 3696	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	94
PID 2972 wrote to memory of 3696	2972	2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe	94
PID 3676 wrote to memory of 4300	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	96
PID 3676 wrote to memory of 4300	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	96
PID 3676 wrote to memory of 4300	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	96
PID 3676 wrote to memory of 1624	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	97
PID 3676 wrote to memory of 1624	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	97
PID 3676 wrote to memory of 1624	3676	{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe	97
PID 4300 wrote to memory of 568	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	101
PID 4300 wrote to memory of 568	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	101
PID 4300 wrote to memory of 568	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	101
PID 4300 wrote to memory of 5104	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	102
PID 4300 wrote to memory of 5104	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	102
PID 4300 wrote to memory of 5104	4300	{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe	102
PID 568 wrote to memory of 3780	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	103
PID 568 wrote to memory of 3780	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	103
PID 568 wrote to memory of 3780	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	103
PID 568 wrote to memory of 1484	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	104
PID 568 wrote to memory of 1484	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	104
PID 568 wrote to memory of 1484	568	{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe	104
PID 3780 wrote to memory of 312	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	105
PID 3780 wrote to memory of 312	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	105
PID 3780 wrote to memory of 312	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	105
PID 3780 wrote to memory of 2480	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	106
PID 3780 wrote to memory of 2480	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	106
PID 3780 wrote to memory of 2480	3780	{8B75587E-3207-4305-B020-7619C80F78D4}.exe	106
PID 312 wrote to memory of 2416	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	108
PID 312 wrote to memory of 2416	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	108
PID 312 wrote to memory of 2416	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	108
PID 312 wrote to memory of 3648	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	109
PID 312 wrote to memory of 3648	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	109
PID 312 wrote to memory of 3648	312	{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe	109
PID 2416 wrote to memory of 4868	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	110
PID 2416 wrote to memory of 4868	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	110
PID 2416 wrote to memory of 4868	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	110
PID 2416 wrote to memory of 2388	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	111
PID 2416 wrote to memory of 2388	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	111
PID 2416 wrote to memory of 2388	2416	{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe	111
PID 4868 wrote to memory of 2588	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	115
PID 4868 wrote to memory of 2588	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	115
PID 4868 wrote to memory of 2588	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	115
PID 4868 wrote to memory of 3312	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	116
PID 4868 wrote to memory of 3312	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	116
PID 4868 wrote to memory of 3312	4868	{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe	116
PID 2588 wrote to memory of 2472	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	121
PID 2588 wrote to memory of 2472	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	121
PID 2588 wrote to memory of 2472	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	121
PID 2588 wrote to memory of 4972	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	122
PID 2588 wrote to memory of 4972	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	122
PID 2588 wrote to memory of 4972	2588	{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe	122
PID 2472 wrote to memory of 536	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	123
PID 2472 wrote to memory of 536	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	123
PID 2472 wrote to memory of 536	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	123
PID 2472 wrote to memory of 2404	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	124
PID 2472 wrote to memory of 2404	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	124
PID 2472 wrote to memory of 2404	2472	{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe	124
PID 536 wrote to memory of 1896	536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe	125
PID 536 wrote to memory of 1896	536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe	125
PID 536 wrote to memory of 1896	536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe	125
PID 536 wrote to memory of 768	536	{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
  C:\Windows\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
    C:\Windows\{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
      C:\Windows\{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\{8B75587E-3207-4305-B020-7619C80F78D4}.exe
        
        C:\Windows\{8B75587E-3207-4305-B020-7619C80F78D4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
        
        C:\Windows\{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
        
        C:\Windows\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
        
        C:\Windows\{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
        
        C:\Windows\{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
        
        C:\Windows\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe
        
        C:\Windows\{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
        
        C:\Windows\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe
        
        C:\Windows\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe
        13⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBAE~1.EXE > nul
        13⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41789~1.EXE > nul
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D811~1.EXE > nul
        11⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18B6E~1.EXE > nul
        10⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C4D~1.EXE > nul
        9⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1FC8~1.EXE > nul
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07227~1.EXE > nul
        7⤵
        
        PID:3648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B755~1.EXE > nul
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE127~1.EXE > nul
        5⤵
        
        PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78821~1.EXE > nul
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8319~1.EXE > nul
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07227EB9-2D67-4bfd-970A-86617CF78ECE}.exe

Filesize
197KB

MD5
976f40776b758fccf16f32c7c9090fa6

SHA1
6ca0ee6c8cc9eb8cb64b5bf90791d28afe5da6b2

SHA256
fcce8aad288c2db5f92b467c5bc0ced8317ccd2d28b04de5d681bcb5a04eb6ba

SHA512
44e32601865109c2f53abf60b0fe7ce16c9c22145040f97cef21069d291ce8382ec25f430bb92778dfb12853f249764df449e698ee439530a954b29ccc531c46

Download Submit
C:\Windows\{0EBAE94A-17C0-463c-9920-23E80D45B6BB}.exe

Filesize
197KB

MD5
eee4d2f046c763b90d7d208965d3cba3

SHA1
3d58061b25de7e357c8c5a04692611d2a28753a6

SHA256
8f78de7f33c4ab387e7c985d181ba6501975917d85c3afde6036ff6bd865ea62

SHA512
d94c01858557dd822321ca3faf930032561740810639b5daa124dcec624be9639f44ac812a31c6acd45c4c2eb6bfb1c9a46f7373097b2ccecbae6410889f7c72

Download Submit
C:\Windows\{18B6EC8E-A435-4515-AC52-2EB3806178FC}.exe

Filesize
197KB

MD5
9dedb41ef8debcc65613a78f56a074a6

SHA1
cb0c08141f9501a7f834203623aafd60823da83a

SHA256
7d3f1e39413c5f69c85ff0afd9f2c93d29f7dc7b7e0d946f4fe21508abb64171

SHA512
ed94b803b5a587a6bb8f586a22cea466586c3a5f3103514920a755a084ef9419136760cc3003f7674c243697f294c037ad13224aafbbc2faef06955979891681

Download Submit
C:\Windows\{35C4D6A5-579A-4584-98D8-DA80C6F12181}.exe

Filesize
197KB

MD5
af08074388517d9980b684927785cbfc

SHA1
aa70efe2678ab3a90d5be24d6c9e066f8254d9ed

SHA256
d35e26ca6f192d053f2bf377c4164a2fe5913f8ba986caa51907b0f551fb6b96

SHA512
e7f82d42b0b858029a04b6bf4da9bc545ca298f84dbe0c9e826939f84ca697bc1918515d356ae175c152ee1a594ca7b0479aa33fe7b16fedb0f68373aa3e4e50

Download Submit
C:\Windows\{3A52E92B-6C5B-4481-A773-C5EBA2E50A81}.exe

Filesize
197KB

MD5
94dfa5c1b237671c9c6b2063af469e61

SHA1
723ca6721b97b7a24936b1397fa366253231cffa

SHA256
4b4e15107c3feb64b536675c4c35f69cc6574a63a904a000cdddd1ce6fa0e07d

SHA512
70a5e4c2328b0dbe808ef7c3e7b78885b72b7ba40fca3fdb7e55d3ee079649e57f5cb76be5f38676fc4f643c61ca1bb90453a630c0276d6ce2b1138d9ff8b0f7

Download Submit
C:\Windows\{41789FB9-1635-4418-B6A1-0B419906FA0A}.exe

Filesize
197KB

MD5
d9a3a5054c2727ad3e6b91da36275569

SHA1
d4e401260c71717cbb0780992925e006f36d4b4f

SHA256
0f42a568630ea4176d77595bb75c14f26771bfa1997228bdc7f83922160faedf

SHA512
551cee679185fd88b8696f3298f1b752cdfe2c4e96da098af2e9ef0a04b5e8c8f15af4699775be0b7d48b36bc336cff4886fee8846ef948c5e68820bc45f0fd1

Download Submit
C:\Windows\{6D8117A8-64AC-44a8-9F98-778F8A09E32B}.exe

Filesize
197KB

MD5
c5be94e53319ec533815c861a1799168

SHA1
d8ea144d9a8f18375498edb279bfbde7aec561da

SHA256
a90db46ca91af37b890951bfa74c93941c05e9370a874fbeb81550b0264becd8

SHA512
2d1a98bd0c7ee7a635415e3053a2796af8294ee3965d90dcc324151359c4dc0c1183a202a1edd800679d8b49c2c59adabf5130dc5b5ea34c68d8f2119b17ad6d

Download Submit
C:\Windows\{788215AD-FEC5-4da1-A363-A097DF3A295A}.exe

Filesize
197KB

MD5
e17e6c35c7ff0c37aad4ff98a11bb9c6

SHA1
3da840d49158be3c4c25f0b390e27f5967505d4a

SHA256
454a2d75ffc7219b5f7ff1f803cd7aefed029034caa8fd894016f4f0aaafe414

SHA512
8b280e8ce24904b6e9fb266850c6b319e5b2a2ab737870dc86e18385e97401ee2a00cebc9fc1ac72262bdcafb633ad2118e215a18c6d82203542294e01622d09

Download Submit
C:\Windows\{8B75587E-3207-4305-B020-7619C80F78D4}.exe

Filesize
197KB

MD5
dc3922e7efb1f69471bb4148641f2f58

SHA1
cda65b7a7e528d85f73c3e2330297f657e172ab5

SHA256
828fcefec801076b4e05d621453a976ebd6c0ce8cce9df54cfb6944d1373876a

SHA512
c97e7b8df44a23c407226741b7b16d739cfdd8cb32489de3c5af43fe757acdf5bf71a32dad3e726c1b08e65eb2a9dcdf30bc500c4cf1765d682fdb3523a918e5

Download Submit
C:\Windows\{B83192A9-AB8C-40dd-AD96-97BF65F7372C}.exe

Filesize
197KB

MD5
a7c836fb254dea506bf6dafa6904f3b5

SHA1
e1d78064a6e047b43e3454081b564f30b8281b0c

SHA256
94c6400881284d7a9ea0641593bbb3c08e5922205abb6b73cf413bf3f2f85593

SHA512
4b1cdb6c843fb3f6267167e360e93e0a341b274f5d0ce185871619d67cab357c3d84eeee5e90ca677609ccdd081ac60fc587da4d5bead4d858967cdf7235e6db

Download Submit
C:\Windows\{BE1276B0-BC5B-468e-9107-B5931EF58321}.exe

Filesize
197KB

MD5
9ada373b3ed85d1e5cac5a88ce49b5c2

SHA1
cb9d0d6b8578ccca84a17bfe83c53e21166d1a1f

SHA256
84507c3335e71eaa1eb948a6340f6a90e780d735d80ff110a0a18ec66103bba1

SHA512
8851ef8c785949867f17e1ee0600d0557119eec37172437d6e47469d77112edaea6fddfa783541850dc82d963c864d5e79ed626ca9686560b23f1f24f116658d

Download Submit
C:\Windows\{E1FC8C7E-9DA2-4b5c-8245-5E6CB7929F5D}.exe

Filesize
197KB

MD5
59abf3baeae8c1f0154c89c320243fe1

SHA1
e0293b8ff992ce2a9efcac4fd83f08a2f7d6177a

SHA256
3daddfacdb246e7a5c6fcf31896736465ebe13c29b46bf758f70e32387b59794

SHA512
b07cc3f658753cfca42559b4e3f412d562047e03e8f478c1e3d64d27d78f09272fe05cfc7b5c5bf5c18b61dba006acd67ff0a1897d6659b1daf1399d595ce2f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads