271e0453fcb4e24725aaf858df346f54c20692c7604699ce06f5827a27ce0aa4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Size

192KB
MD5

c58873152ec073b71a11658e07beab75
SHA1

88af8356929ea6ac4f02a18994b3510b38f00cca
SHA256

271e0453fcb4e24725aaf858df346f54c20692c7604699ce06f5827a27ce0aa4
SHA512

bd7e7887c01112edd833e237e43a031a562ab840fcc51ee8cdfdaa3bcb2b6bb4de473e7dd7ac54d49c267065c61a4584c783f78821048a1e5f24fccaad5306e8
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}\stubpath = "C:\\Windows\\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe"	{28F17B5B-4346-483e-9C31-89633C96C487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99FB7D-86A0-418d-A565-444F41170C3F}\stubpath = "C:\\Windows\\{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe"	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1622C7-DC54-4cdb-8817-B14DF018795F}\stubpath = "C:\\Windows\\{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe"	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{463A71B8-030A-4264-B88A-50FA37D329DE}	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F17B5B-4346-483e-9C31-89633C96C487}	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}\stubpath = "C:\\Windows\\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe"	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}\stubpath = "C:\\Windows\\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe"	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE25345-11B3-41dc-881C-944A35E911C3}\stubpath = "C:\\Windows\\{1FE25345-11B3-41dc-881C-944A35E911C3}.exe"	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F17B5B-4346-483e-9C31-89633C96C487}\stubpath = "C:\\Windows\\{28F17B5B-4346-483e-9C31-89633C96C487}.exe"	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}\stubpath = "C:\\Windows\\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe"	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB421963-2814-4e7d-89AF-C270BE1DC760}	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB421963-2814-4e7d-89AF-C270BE1DC760}\stubpath = "C:\\Windows\\{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe"	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99FB7D-86A0-418d-A565-444F41170C3F}	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}	{28F17B5B-4346-483e-9C31-89633C96C487}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}\stubpath = "C:\\Windows\\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe"	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619DE4BA-F603-4074-8FB4-C8A014443A4A}	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{619DE4BA-F603-4074-8FB4-C8A014443A4A}\stubpath = "C:\\Windows\\{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe"	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1622C7-DC54-4cdb-8817-B14DF018795F}	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FE25345-11B3-41dc-881C-944A35E911C3}	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{463A71B8-030A-4264-B88A-50FA37D329DE}\stubpath = "C:\\Windows\\{463A71B8-030A-4264-B88A-50FA37D329DE}.exe"	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe

Executes dropped EXE 12 IoCs

pid	Process
5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
1548	{28F17B5B-4346-483e-9C31-89633C96C487}.exe
1480	{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
File created	C:\Windows\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
File created	C:\Windows\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe	{28F17B5B-4346-483e-9C31-89633C96C487}.exe
File created	C:\Windows\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
File created	C:\Windows\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
File created	C:\Windows\{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
File created	C:\Windows\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
File created	C:\Windows\{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
File created	C:\Windows\{28F17B5B-4346-483e-9C31-89633C96C487}.exe	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
File created	C:\Windows\{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
File created	C:\Windows\{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
File created	C:\Windows\{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
Token: SeIncBasePriorityPrivilege	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
Token: SeIncBasePriorityPrivilege	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
Token: SeIncBasePriorityPrivilege	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
Token: SeIncBasePriorityPrivilege	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
Token: SeIncBasePriorityPrivilege	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
Token: SeIncBasePriorityPrivilege	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
Token: SeIncBasePriorityPrivilege	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
Token: SeIncBasePriorityPrivilege	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
Token: SeIncBasePriorityPrivilege	3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
Token: SeIncBasePriorityPrivilege	1548	{28F17B5B-4346-483e-9C31-89633C96C487}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 5020	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	85
PID 4844 wrote to memory of 5020	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	85
PID 4844 wrote to memory of 5020	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	85
PID 4844 wrote to memory of 4428	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	86
PID 4844 wrote to memory of 4428	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	86
PID 4844 wrote to memory of 4428	4844	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	86
PID 5020 wrote to memory of 1864	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	87
PID 5020 wrote to memory of 1864	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	87
PID 5020 wrote to memory of 1864	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	87
PID 5020 wrote to memory of 2988	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	88
PID 5020 wrote to memory of 2988	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	88
PID 5020 wrote to memory of 2988	5020	{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe	88
PID 1864 wrote to memory of 2024	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	92
PID 1864 wrote to memory of 2024	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	92
PID 1864 wrote to memory of 2024	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	92
PID 1864 wrote to memory of 5088	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	93
PID 1864 wrote to memory of 5088	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	93
PID 1864 wrote to memory of 5088	1864	{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe	93
PID 2024 wrote to memory of 3736	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	94
PID 2024 wrote to memory of 3736	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	94
PID 2024 wrote to memory of 3736	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	94
PID 2024 wrote to memory of 464	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	95
PID 2024 wrote to memory of 464	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	95
PID 2024 wrote to memory of 464	2024	{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe	95
PID 3736 wrote to memory of 876	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	96
PID 3736 wrote to memory of 876	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	96
PID 3736 wrote to memory of 876	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	96
PID 3736 wrote to memory of 3424	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	97
PID 3736 wrote to memory of 3424	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	97
PID 3736 wrote to memory of 3424	3736	{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe	97
PID 876 wrote to memory of 3192	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	98
PID 876 wrote to memory of 3192	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	98
PID 876 wrote to memory of 3192	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	98
PID 876 wrote to memory of 3588	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	99
PID 876 wrote to memory of 3588	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	99
PID 876 wrote to memory of 3588	876	{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe	99
PID 3192 wrote to memory of 3456	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	100
PID 3192 wrote to memory of 3456	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	100
PID 3192 wrote to memory of 3456	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	100
PID 3192 wrote to memory of 5004	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	101
PID 3192 wrote to memory of 5004	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	101
PID 3192 wrote to memory of 5004	3192	{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe	101
PID 3456 wrote to memory of 4692	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	102
PID 3456 wrote to memory of 4692	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	102
PID 3456 wrote to memory of 4692	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	102
PID 3456 wrote to memory of 224	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	103
PID 3456 wrote to memory of 224	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	103
PID 3456 wrote to memory of 224	3456	{1FE25345-11B3-41dc-881C-944A35E911C3}.exe	103
PID 4692 wrote to memory of 3804	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	104
PID 4692 wrote to memory of 3804	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	104
PID 4692 wrote to memory of 3804	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	104
PID 4692 wrote to memory of 4372	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	105
PID 4692 wrote to memory of 4372	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	105
PID 4692 wrote to memory of 4372	4692	{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe	105
PID 3804 wrote to memory of 3960	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	106
PID 3804 wrote to memory of 3960	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	106
PID 3804 wrote to memory of 3960	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	106
PID 3804 wrote to memory of 2208	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	107
PID 3804 wrote to memory of 2208	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	107
PID 3804 wrote to memory of 2208	3804	{463A71B8-030A-4264-B88A-50FA37D329DE}.exe	107
PID 3960 wrote to memory of 1548	3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe	108
PID 3960 wrote to memory of 1548	3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe	108
PID 3960 wrote to memory of 1548	3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe	108
PID 3960 wrote to memory of 2776	3960	{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
  C:\Windows\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
    C:\Windows\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
      C:\Windows\{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
        
        C:\Windows\{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
        
        C:\Windows\{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
        
        C:\Windows\{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
        
        C:\Windows\{1FE25345-11B3-41dc-881C-944A35E911C3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
        
        C:\Windows\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
        
        C:\Windows\{463A71B8-030A-4264-B88A-50FA37D329DE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
        
        C:\Windows\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{28F17B5B-4346-483e-9C31-89633C96C487}.exe
        
        C:\Windows\{28F17B5B-4346-483e-9C31-89633C96C487}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe
        
        C:\Windows\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe
        13⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F17~1.EXE > nul
        13⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51A1A~1.EXE > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{463A7~1.EXE > nul
        11⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB87~1.EXE > nul
        10⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE25~1.EXE > nul
        9⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F162~1.EXE > nul
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{619DE~1.EXE > nul
        7⤵
        
        PID:3588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB99F~1.EXE > nul
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB421~1.EXE > nul
        5⤵
        
        PID:464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE9A4~1.EXE > nul
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0210E~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0210E5F2-1644-4fc4-BEB5-B339CB9646EB}.exe

Filesize
192KB

MD5
6690d080dd2f25e0dea6092db9b35f2d

SHA1
af93740bee68c65cc460ba8ba77eebddaad3b20a

SHA256
a51bb406d02ed2ffc93f38bb064f45956208076562154b21bdad72fad28a2e79

SHA512
99c3bd4f9fb58da6fdc61c9e3ab394fe6a77eaa75f6a545b60456c367cf30fe57f1431eacf2c6b7b9094f5f2fdc0a77683418283bd236c27c2a831c3a9c82270

Download Submit
C:\Windows\{1FE25345-11B3-41dc-881C-944A35E911C3}.exe

Filesize
192KB

MD5
4955cdc9003f04e2088c67478fd4cc21

SHA1
a9abc29869eead2aec786fdbfc00cdd24b02c5a6

SHA256
8a2f90232a205916aca90a343128269bba089b7afde31a90f1189c2029a5a0bf

SHA512
89d58351df56ea29d34f3d53cf89ebbc8e409a5dbcfa9ae43b37ce77e73666d8f5ba285ed80a383d2b23ea3edd8a7cd43f0195b1dc313307d06a8ba9b80900e1

Download Submit
C:\Windows\{28F17B5B-4346-483e-9C31-89633C96C487}.exe

Filesize
192KB

MD5
7b218f509a6de7d4465abd5ce3c75a08

SHA1
d796c41bff6060042f98feaace4602d331d704ad

SHA256
f890fe56ca4e99e003b144d1f118d0f5ff27a9bffe071aed8d6bd1834afa978c

SHA512
7bb94879d870c5a4c86040cfb9fa01ddebdd44305500a211e660c95923cc9cb854740ff3133645dea59a51ae3ca2c5bb51da61174a38350102200ab8033d8113

Download Submit
C:\Windows\{2F1622C7-DC54-4cdb-8817-B14DF018795F}.exe

Filesize
192KB

MD5
3644b206258cc6214b937eefdbcc7233

SHA1
f6e5e3961990dc46577b56c0cd89d53c13083196

SHA256
e6271a6fc9f90622e856bc31b14284dc80bba9a2f0fed3b5dea21e39159d931c

SHA512
d9045f5c049e8b330b38fc7448da8ba2ec7c14d38e3c89ce3b7c5e9d7eaa89f66d48cf0b3d14c781a4dd5d9cf9397bb5a00487f22c5cbe859e067c867232a95f

Download Submit
C:\Windows\{463A71B8-030A-4264-B88A-50FA37D329DE}.exe

Filesize
192KB

MD5
3b49307293a7930df79e0e4fd9ea6d77

SHA1
56f45e9947cb2d247bca60c27d7cb3257bc1ad68

SHA256
007ad66ec31e67300eb015158db7f221b57ad5887a28fba914fc6b3a49611143

SHA512
6afaf5e94894c7192927497fda622d1f238f9e7e09e777660c92133464db299d78e5da4032b974c301c656769e2dbe78ff046bd45c72a2d4f614dd0786250aa8

Download Submit
C:\Windows\{51A1A7C9-5555-4e16-B305-81E497EE6A2F}.exe

Filesize
192KB

MD5
b73fdbc98429d2daeff49a40ad97131d

SHA1
7db746c7a9dc122f3793d29402457086a8ce4fe4

SHA256
48028352572c62e9e8953a78f5f5019dbabbca8ed4674e3c1a2fe99145fe77ce

SHA512
66c6300cc22cac18f7b6ded8b9d946bc124afca90b7420d59c84b33401dcef98357d33cbedb9b4a5b761b2efab3c4af96c9a8fa52b6f26d4832bc7401ac17fbf

Download Submit
C:\Windows\{619DE4BA-F603-4074-8FB4-C8A014443A4A}.exe

Filesize
192KB

MD5
f63bea31e4b7ccc68f3dee436bf5c555

SHA1
d3be28c2078e779d4f71a648ab1274b8eb1ebf65

SHA256
12b52f42793f1efe9708574803d5776c0e9744ed9072a8d2c2b4d5c2b627099e

SHA512
cb589317eda1a70b195add340ddff7f8056479c24de3e0c36e5c8ea67814d3195b1ffbac0b59f876e98aef6d37cf8cb6dc6844b77832ebf96b808d8ed516d7f2

Download Submit
C:\Windows\{BB421963-2814-4e7d-89AF-C270BE1DC760}.exe

Filesize
192KB

MD5
0d57cd48288306a255594c31fa95875e

SHA1
390b039d78ac3315fa142263d4623d309d85d01a

SHA256
e5bdcf4687f4fcc7afee47bc3c0c1a84b0296f80cec9f58468030b483efc6f82

SHA512
26996de094ecfc2f459fe2244d66405ee2aaff7d7b659476553006139c5301bcfc1e941e684370f4dde01a3f70ddaca55552373a6ed535921f6587e1136a6fc7

Download Submit
C:\Windows\{DB99FB7D-86A0-418d-A565-444F41170C3F}.exe

Filesize
192KB

MD5
a8bc6f9076891febf8c5935c9661e8a7

SHA1
1ee6a072ec2a316940164e3f54fe6a78b0cf6898

SHA256
c42bb776c00fd14483273690ab22b00db33a86a94905427fa4d1bbb0989263dc

SHA512
4119dc61dc173896c91afc0ba62465629a517ed5c31821ebc44dde0d78a083089b25d252de9f2ef7dbe134ba594511ffb71dbdede3a5a3be490ea329fc8b1cef

Download Submit
C:\Windows\{EE9A4840-AFB1-4f94-AD0C-94B9659B3755}.exe

Filesize
192KB

MD5
96ae5faa6d7757250a7a7190eba1ee0f

SHA1
cfb9162f9576d16d307f9cb318af2f4efe8e55c4

SHA256
1347762a222a45b9bb8965de626d4baef413d2b20db2e2bfc48fbe1cd34f79f0

SHA512
ee8b5d0f7fbc05eef0422f977c88dd13bbec43688b31188c4f5140aea028e23683e5680204d7e51577d9bb62a72f1cc9295237ffb919351617ce0467b2f9cd39

Download Submit
C:\Windows\{FA9491A4-88DB-4f76-B81D-B3527BD97ECB}.exe

Filesize
192KB

MD5
faf9301fa2043713d788d024b23dad2b

SHA1
b3dd0ad88a8d4ea7f2b324c8ae569bd21d7676a6

SHA256
a8e0ae17db414f36c203637b4415136d10cfd5f83b7f146f49e82206220f786b

SHA512
caed3422b97b2b7c0759bc9c55d6a81b58c8920768a0b29f3e7d1b431dad923372bccbf3e8b18aeac4cbdc332afc8f00a7123f05ed9f82180f4867a8306d1431

Download Submit
C:\Windows\{FDB87012-28CF-4eb4-A97B-DBE2E7BFC940}.exe

Filesize
192KB

MD5
68c0a8e1828808a4fff683ba4f19d303

SHA1
2339f3bd886898b719005fabae871642542bfb64

SHA256
0a3f6c1add3416da3a62b49adc4d437d35d04b535d037943020d154b770d053f

SHA512
7a03bb13034529bd40a3c78d2afb485c400ae450260e3519daf023c135ab3e64539a9bc2f3f6a0109958d8bce2dd14a74d18ef3575dc9f3c9145bf73a701162b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads