aeb532a6244392e31cf40dea4aaae945f86c50b3b47ef33b93b7b43acb277202

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Size

408KB
MD5

d1e7f8f4936c32dc3bcf7b0a7467907d
SHA1

b9ffda553e52a9e5a1a516487af36641e08239c5
SHA256

aeb532a6244392e31cf40dea4aaae945f86c50b3b47ef33b93b7b43acb277202
SHA512

e52580d8e4afaa3ba6c06a7e8f50163f24937d26e8f2552ced5f3e195ca0f4d4789ede517b3dc60dd3295c48274d20dbec3b28427b6c885e434d3f8b2148426a
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGVldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5914A5AD-4199-4f98-9F6C-F89751953D78}\stubpath = "C:\\Windows\\{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe"	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}\stubpath = "C:\\Windows\\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe"	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}\stubpath = "C:\\Windows\\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe"	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F31A13-3AFF-446b-9009-55B04965CE3D}\stubpath = "C:\\Windows\\{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe"	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8805BA38-0F9F-46e3-8973-78EFC0156174}\stubpath = "C:\\Windows\\{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe"	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5892138B-E733-4a9f-A505-0A3FC8DD369A}	{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{360054C5-3AEF-4489-842B-C29F898A6C56}	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AB8FD59-6629-4692-B2D2-43A403AF293C}\stubpath = "C:\\Windows\\{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe"	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5914A5AD-4199-4f98-9F6C-F89751953D78}	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}\stubpath = "C:\\Windows\\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe"	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}\stubpath = "C:\\Windows\\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe"	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5892138B-E733-4a9f-A505-0A3FC8DD369A}\stubpath = "C:\\Windows\\{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe"	{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}\stubpath = "C:\\Windows\\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe"	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AB8FD59-6629-4692-B2D2-43A403AF293C}	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{360054C5-3AEF-4489-842B-C29F898A6C56}\stubpath = "C:\\Windows\\{360054C5-3AEF-4489-842B-C29F898A6C56}.exe"	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F31A13-3AFF-446b-9009-55B04965CE3D}	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8805BA38-0F9F-46e3-8973-78EFC0156174}	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}\stubpath = "C:\\Windows\\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe"	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
2812	{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe
3392	{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
File created	C:\Windows\{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
File created	C:\Windows\{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
File created	C:\Windows\{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
File created	C:\Windows\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
File created	C:\Windows\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
File created	C:\Windows\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
File created	C:\Windows\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
File created	C:\Windows\{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
File created	C:\Windows\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
File created	C:\Windows\{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
File created	C:\Windows\{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe	{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
Token: SeIncBasePriorityPrivilege	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
Token: SeIncBasePriorityPrivilege	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
Token: SeIncBasePriorityPrivilege	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
Token: SeIncBasePriorityPrivilege	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
Token: SeIncBasePriorityPrivilege	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
Token: SeIncBasePriorityPrivilege	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
Token: SeIncBasePriorityPrivilege	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
Token: SeIncBasePriorityPrivilege	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
Token: SeIncBasePriorityPrivilege	3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
Token: SeIncBasePriorityPrivilege	2812	{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2852	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	85
PID 1500 wrote to memory of 2852	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	85
PID 1500 wrote to memory of 2852	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	85
PID 1500 wrote to memory of 3704	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	86
PID 1500 wrote to memory of 3704	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	86
PID 1500 wrote to memory of 3704	1500	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	86
PID 2852 wrote to memory of 2880	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	87
PID 2852 wrote to memory of 2880	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	87
PID 2852 wrote to memory of 2880	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	87
PID 2852 wrote to memory of 4972	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	88
PID 2852 wrote to memory of 4972	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	88
PID 2852 wrote to memory of 4972	2852	{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe	88
PID 2880 wrote to memory of 2328	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	92
PID 2880 wrote to memory of 2328	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	92
PID 2880 wrote to memory of 2328	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	92
PID 2880 wrote to memory of 4044	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	93
PID 2880 wrote to memory of 4044	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	93
PID 2880 wrote to memory of 4044	2880	{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe	93
PID 2328 wrote to memory of 548	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	94
PID 2328 wrote to memory of 548	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	94
PID 2328 wrote to memory of 548	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	94
PID 2328 wrote to memory of 4856	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	95
PID 2328 wrote to memory of 4856	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	95
PID 2328 wrote to memory of 4856	2328	{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe	95
PID 548 wrote to memory of 1136	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	96
PID 548 wrote to memory of 1136	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	96
PID 548 wrote to memory of 1136	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	96
PID 548 wrote to memory of 2680	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	97
PID 548 wrote to memory of 2680	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	97
PID 548 wrote to memory of 2680	548	{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe	97
PID 1136 wrote to memory of 2324	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	98
PID 1136 wrote to memory of 2324	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	98
PID 1136 wrote to memory of 2324	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	98
PID 1136 wrote to memory of 2620	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	99
PID 1136 wrote to memory of 2620	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	99
PID 1136 wrote to memory of 2620	1136	{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe	99
PID 2324 wrote to memory of 1028	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	100
PID 2324 wrote to memory of 1028	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	100
PID 2324 wrote to memory of 1028	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	100
PID 2324 wrote to memory of 4572	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	101
PID 2324 wrote to memory of 4572	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	101
PID 2324 wrote to memory of 4572	2324	{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe	101
PID 1028 wrote to memory of 1652	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	102
PID 1028 wrote to memory of 1652	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	102
PID 1028 wrote to memory of 1652	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	102
PID 1028 wrote to memory of 760	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	103
PID 1028 wrote to memory of 760	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	103
PID 1028 wrote to memory of 760	1028	{360054C5-3AEF-4489-842B-C29F898A6C56}.exe	103
PID 1652 wrote to memory of 2452	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	104
PID 1652 wrote to memory of 2452	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	104
PID 1652 wrote to memory of 2452	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	104
PID 1652 wrote to memory of 1892	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	105
PID 1652 wrote to memory of 1892	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	105
PID 1652 wrote to memory of 1892	1652	{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe	105
PID 2452 wrote to memory of 3236	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	106
PID 2452 wrote to memory of 3236	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	106
PID 2452 wrote to memory of 3236	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	106
PID 2452 wrote to memory of 1092	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	107
PID 2452 wrote to memory of 1092	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	107
PID 2452 wrote to memory of 1092	2452	{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe	107
PID 3236 wrote to memory of 2812	3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe	108
PID 3236 wrote to memory of 2812	3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe	108
PID 3236 wrote to memory of 2812	3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe	108
PID 3236 wrote to memory of 3400	3236	{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
  C:\Windows\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
    C:\Windows\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
      C:\Windows\{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
        
        C:\Windows\{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
        
        C:\Windows\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
        
        C:\Windows\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
        
        C:\Windows\{360054C5-3AEF-4489-842B-C29F898A6C56}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
        
        C:\Windows\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
        
        C:\Windows\{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
        
        C:\Windows\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe
        
        C:\Windows\{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe
        
        C:\Windows\{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8805B~1.EXE > nul
        13⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{830A9~1.EXE > nul
        12⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F31~1.EXE > nul
        11⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1F5A~1.EXE > nul
        10⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36005~1.EXE > nul
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{138EC~1.EXE > nul
        8⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{870CA~1.EXE > nul
        7⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5914A~1.EXE > nul
        6⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB8F~1.EXE > nul
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{685A5~1.EXE > nul
      4⤵
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C901~1.EXE > nul
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{138ECD46-2DB5-4b03-BDB6-0EF6E78C5FA5}.exe

Filesize
408KB

MD5
7b43f96b2eb5c65e0de5c025f0795282

SHA1
59fe98816425245b7b2c749052829e8d21620d0a

SHA256
cb80247a7d441f9da414c908cf48eeffc9a806bcb1fd4d6daaaf2b949ebb55ea

SHA512
4e710b97dc7cdf22ffbd05eec62a4f9d7dde42567ef696c7064140075008c34c7885c64207f0d3c6aba70f304474c01c4bfadd5fa4e28b6feba1a7fe7964dc81

Download Submit
C:\Windows\{360054C5-3AEF-4489-842B-C29F898A6C56}.exe

Filesize
408KB

MD5
dc7dd15c2ce3cea6b3e2753d63320689

SHA1
373d49e60927ddbe8f6327dc99615af271996697

SHA256
309dcc5bcdbdf0d0c6c48a90220b26a4d22a255e8d09aaaa5ed6936353971e43

SHA512
94209a4cf289e2ac23d81073c59bb8e459fee63d0b1ef0d0d1b01ae855aeb63457cff127cd3df99b1f9db05302d7067d09cda801b81c70cf25a9a2b89bef117d

Download Submit
C:\Windows\{5892138B-E733-4a9f-A505-0A3FC8DD369A}.exe

Filesize
408KB

MD5
394759bbe3544d175084f76e9cc12ebb

SHA1
be8a8a6c5f4cdbcded0b87d63f21d9d8e35aec5f

SHA256
39613b705638000312df5ad3b715022bcbbef6472523f1443ed9c705e10464a7

SHA512
14af4ac6d92e31fd33d452db69ad1b941bb29128057186bd96a46d1e8eb0b398a51f16ae40396b63603f3347d6882c29188de1943a13c043dd55295514415ba3

Download Submit
C:\Windows\{5914A5AD-4199-4f98-9F6C-F89751953D78}.exe

Filesize
408KB

MD5
82f3cb459583bf25b0c650fb469e7f4d

SHA1
68c2b2e94278b130d289d48ae493760d872c43f8

SHA256
1859b4b0df427bdf77a8ac6e7927fc3c7192aa2fe6732d73a2899e4d0cb2fffb

SHA512
5eab93b8892a7ca56ce0d8046f2ae52c85d4ef5479820f68cd13bd1a91b1b3fe0a86f2f9fd0f497decb2df205da6b71f360670992595e6b4428c7b1838fc361d

Download Submit
C:\Windows\{685A5908-B7F0-43ad-8353-8CC4F081FF1D}.exe

Filesize
408KB

MD5
827c40aa5ad36e8f2ee35431d43b9ab1

SHA1
8d18efd64eaef6a21bb6a77ed611ec9b26e1f336

SHA256
e434ca2eb52cf3062bc2dc3480060ff2673ea61e2d1953d86a776fcb1d37467a

SHA512
d6f9ff92a6b8e6c573fb5ad64117d222ad1f55419d8b8bb97e3f3d10239b6eb3d6086c9ac307572ecb314f47e80e60b84e23e13033945bb624e0c83f0ef916e2

Download Submit
C:\Windows\{6AB8FD59-6629-4692-B2D2-43A403AF293C}.exe

Filesize
408KB

MD5
7130fd60c00102abf5d07b36b30e57a5

SHA1
164b4060d26f972c9b626c059e9bed42e6db01e5

SHA256
c56f13881c0154b4189a371d6d092170b30f15c955b7d53c27dddb5c9de97371

SHA512
c333778568e420bba35950d7736520018c7721b5b9ea6f9fb51ee699c02b0a12fee25621748cdafa36ecc2dc56c17528502fd1ac0bb1c10945d70f05964d726b

Download Submit
C:\Windows\{830A97E9-CD5E-4c8b-9B09-A1370D87D533}.exe

Filesize
408KB

MD5
b66dc19f0ecc43b71ed91d694512b095

SHA1
d6afdf0c6e04b22fac8aea4800ec5b07e2fd2ef3

SHA256
97022377792f227981973b03e07c4d6824ec180f5714e0ed6abe75a59953e6e1

SHA512
8e1ec414d9e70cd5a7e60ad7cbf07fe83c54198a24883573176b783a27bd4b7e8b7ac889a65acb04838aee6e1e9b1711b8184e6a3a28ee86e777a2d8f377c1bd

Download Submit
C:\Windows\{870CA07E-8866-40ae-A01D-0B081EC1CEF1}.exe

Filesize
408KB

MD5
66eac76311cde8ce2b57d01a36d66c9c

SHA1
52f947d26b4a815c9f6ecf08fb4106ae257cd384

SHA256
18914a4556d8ae9fcc3ccc8c5ca6efe80b927d58c689e096e12daeb6c646258d

SHA512
0957215a60c54929869e1c6bf5673bb6ba2f22817f03caac12c91c0b27e2a0ed593881209f4fae64a7925963c7c7938e45cff7880da96d22eea23c46eade4fdd

Download Submit
C:\Windows\{8805BA38-0F9F-46e3-8973-78EFC0156174}.exe

Filesize
408KB

MD5
deb393e88cb1588d173dbe5a2d5d8000

SHA1
35f85a90036e0365659bd84c589b910bc7e44ca7

SHA256
7fefb033d90b345f3750c12475decbff99ea96a95d257a5fa618fa37ea3dc00a

SHA512
7e1c4e644e231e026e4aabc22738df8d5ee2130165328866b930f08bf17db1d86eaeeb19cbf54d39c189a51883f6c44a94bb0f5b7e103f1bc4cf2a5f58829623

Download Submit
C:\Windows\{8C9011C4-1DAF-42ce-8209-89AE28E3823B}.exe

Filesize
408KB

MD5
fa09c33a926137ae5353d4170c99ebf7

SHA1
8d61879898a58d9b8e4139c24c7497fea99aee7c

SHA256
1c0a2f43bfe609bc0abc0463892fb1878b610bce600f32558ac75a227da6f75c

SHA512
42a5bbae989ceb56453b94ae1bc3ec1342beb61617fdbdbea53131a1b172d19ab1cae1ece385d87959f4155b05e88cc58c8362d8b6b576afaf08bce0df767304

Download Submit
C:\Windows\{A5F31A13-3AFF-446b-9009-55B04965CE3D}.exe

Filesize
408KB

MD5
a814c5a593e721fdf1a1ff47647f52c4

SHA1
b38965cf27042829cbd2f61a67cc2fe3f335756f

SHA256
59d59d1e0a274d74ff3c041e75bccc9bdb128ef9117d953a28e2c940f7e9ccfc

SHA512
01d6f5d5960f3eccbee7654d1547a3c86a04e4a16bf1ab46741a0fbd943df10413c9dd3187fe2236edc7862de2ab96746c654a0ee47e74a90273859da0478c68

Download Submit
C:\Windows\{D1F5A8C7-419B-4437-9AFF-AED6D93C75E4}.exe

Filesize
408KB

MD5
87778bca0017485e1701115926ee2c99

SHA1
38fa8bdab5809593662981ae656d364296f468bd

SHA256
e541a399c31b3978eb7fc8cbc21872ccda06e96cecccf709f0d2b8fc20724a4e

SHA512
a1ebd411027e76c39207d761a5f4fb303f83be7d6a8f9f6c1cf90f4ec5461005a5fbeb4cb8afb02c7185e1dc74b42be0c2f367b1ddef63ede555f5fe2d37b8c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads