3b8867d57509ce2f4f1290338302fa2154d040bf528f8fdfd4862c13c539653f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
Size

380KB
MD5

ba39050cbb908240e27952f537b98452
SHA1

4da6daa7b51a11c92f431263bcc210135ccb0c2d
SHA256

3b8867d57509ce2f4f1290338302fa2154d040bf528f8fdfd4862c13c539653f
SHA512

02a89ad486e7388946491224af70e8d1f12e244b711f661f00182a6829b06181e68e46a449b74c58b523cfd71ac2405974234355758f192cfeea467fcdfea9e5
SSDEEP

3072:mEGh0o+lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}\stubpath = "C:\\Windows\\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe"	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A7054A-2015-456a-8F47-975BD9DC6382}	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A7054A-2015-456a-8F47-975BD9DC6382}\stubpath = "C:\\Windows\\{09A7054A-2015-456a-8F47-975BD9DC6382}.exe"	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C559C2BD-3326-47c0-8B23-386662AF42E4}\stubpath = "C:\\Windows\\{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe"	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1FE08D-48B7-4a69-9168-53890B7DB633}	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}\stubpath = "C:\\Windows\\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe"	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}\stubpath = "C:\\Windows\\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe"	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}\stubpath = "C:\\Windows\\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe"	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C378F21-2731-43d1-AB94-D2D255D4F804}\stubpath = "C:\\Windows\\{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe"	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F685EADF-477C-4e27-9373-BED49FB4D715}	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B1FE08D-48B7-4a69-9168-53890B7DB633}\stubpath = "C:\\Windows\\{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe"	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}\stubpath = "C:\\Windows\\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe"	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C378F21-2731-43d1-AB94-D2D255D4F804}	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F685EADF-477C-4e27-9373-BED49FB4D715}\stubpath = "C:\\Windows\\{F685EADF-477C-4e27-9373-BED49FB4D715}.exe"	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C559C2BD-3326-47c0-8B23-386662AF42E4}	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}\stubpath = "C:\\Windows\\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe"	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC412DFD-7715-406d-8FAA-0FC17248C27F}	{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC412DFD-7715-406d-8FAA-0FC17248C27F}\stubpath = "C:\\Windows\\{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe"	{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe

Executes dropped EXE 12 IoCs

pid	Process
812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
4700	{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe
1092	{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
File created	C:\Windows\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
File created	C:\Windows\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
File created	C:\Windows\{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
File created	C:\Windows\{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe	{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe
File created	C:\Windows\{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
File created	C:\Windows\{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
File created	C:\Windows\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
File created	C:\Windows\{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
File created	C:\Windows\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
File created	C:\Windows\{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
File created	C:\Windows\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
Token: SeIncBasePriorityPrivilege	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
Token: SeIncBasePriorityPrivilege	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
Token: SeIncBasePriorityPrivilege	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
Token: SeIncBasePriorityPrivilege	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
Token: SeIncBasePriorityPrivilege	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
Token: SeIncBasePriorityPrivilege	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
Token: SeIncBasePriorityPrivilege	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
Token: SeIncBasePriorityPrivilege	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
Token: SeIncBasePriorityPrivilege	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
Token: SeIncBasePriorityPrivilege	2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
Token: SeIncBasePriorityPrivilege	4700	{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 812	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	81
PID 924 wrote to memory of 812	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	81
PID 924 wrote to memory of 812	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	81
PID 924 wrote to memory of 4980	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	82
PID 924 wrote to memory of 4980	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	82
PID 924 wrote to memory of 4980	924	2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe	82
PID 812 wrote to memory of 4124	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	83
PID 812 wrote to memory of 4124	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	83
PID 812 wrote to memory of 4124	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	83
PID 812 wrote to memory of 1968	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	84
PID 812 wrote to memory of 1968	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	84
PID 812 wrote to memory of 1968	812	{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe	84
PID 4124 wrote to memory of 2252	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	87
PID 4124 wrote to memory of 2252	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	87
PID 4124 wrote to memory of 2252	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	87
PID 4124 wrote to memory of 2096	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	88
PID 4124 wrote to memory of 2096	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	88
PID 4124 wrote to memory of 2096	4124	{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe	88
PID 2252 wrote to memory of 4452	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	93
PID 2252 wrote to memory of 4452	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	93
PID 2252 wrote to memory of 4452	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	93
PID 2252 wrote to memory of 3032	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	94
PID 2252 wrote to memory of 3032	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	94
PID 2252 wrote to memory of 3032	2252	{09A7054A-2015-456a-8F47-975BD9DC6382}.exe	94
PID 4452 wrote to memory of 1912	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	96
PID 4452 wrote to memory of 1912	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	96
PID 4452 wrote to memory of 1912	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	96
PID 4452 wrote to memory of 4920	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	97
PID 4452 wrote to memory of 4920	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	97
PID 4452 wrote to memory of 4920	4452	{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe	97
PID 1912 wrote to memory of 4340	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	98
PID 1912 wrote to memory of 4340	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	98
PID 1912 wrote to memory of 4340	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	98
PID 1912 wrote to memory of 2136	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	99
PID 1912 wrote to memory of 2136	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	99
PID 1912 wrote to memory of 2136	1912	{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe	99
PID 4340 wrote to memory of 1856	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	100
PID 4340 wrote to memory of 1856	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	100
PID 4340 wrote to memory of 1856	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	100
PID 4340 wrote to memory of 4928	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	101
PID 4340 wrote to memory of 4928	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	101
PID 4340 wrote to memory of 4928	4340	{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe	101
PID 1856 wrote to memory of 1792	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	102
PID 1856 wrote to memory of 1792	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	102
PID 1856 wrote to memory of 1792	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	102
PID 1856 wrote to memory of 4884	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	103
PID 1856 wrote to memory of 4884	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	103
PID 1856 wrote to memory of 4884	1856	{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe	103
PID 1792 wrote to memory of 5056	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	104
PID 1792 wrote to memory of 5056	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	104
PID 1792 wrote to memory of 5056	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	104
PID 1792 wrote to memory of 5068	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	105
PID 1792 wrote to memory of 5068	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	105
PID 1792 wrote to memory of 5068	1792	{F685EADF-477C-4e27-9373-BED49FB4D715}.exe	105
PID 5056 wrote to memory of 2124	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	106
PID 5056 wrote to memory of 2124	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	106
PID 5056 wrote to memory of 2124	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	106
PID 5056 wrote to memory of 3972	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	107
PID 5056 wrote to memory of 3972	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	107
PID 5056 wrote to memory of 3972	5056	{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe	107
PID 2124 wrote to memory of 4700	2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe	108
PID 2124 wrote to memory of 4700	2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe	108
PID 2124 wrote to memory of 4700	2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe	108
PID 2124 wrote to memory of 1068	2124	{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_ba39050cbb908240e27952f537b98452_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
  C:\Windows\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
    C:\Windows\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
      C:\Windows\{09A7054A-2015-456a-8F47-975BD9DC6382}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
        
        C:\Windows\{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
        
        C:\Windows\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
        
        C:\Windows\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
        
        C:\Windows\{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
        
        C:\Windows\{F685EADF-477C-4e27-9373-BED49FB4D715}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
        
        C:\Windows\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
        
        C:\Windows\{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe
        
        C:\Windows\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe
        
        C:\Windows\{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4932~1.EXE > nul
        13⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C559C~1.EXE > nul
        12⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F6F0~1.EXE > nul
        11⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F685E~1.EXE > nul
        10⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C378~1.EXE > nul
        9⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8AAD~1.EXE > nul
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA4F~1.EXE > nul
        7⤵
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B1FE~1.EXE > nul
        6⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A70~1.EXE > nul
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA8EE~1.EXE > nul
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9992A~1.EXE > nul
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A7054A-2015-456a-8F47-975BD9DC6382}.exe

Filesize
380KB

MD5
19fe89b2228b2cc14b277d8d4aaee52e

SHA1
b39199a061bd05ac3ed34b8d3c77991cda53a86e

SHA256
a8cd62b01ba1885867d960e93b52b4af885f70d08561be63f9cda6dfca845daf

SHA512
817f074c4681d6a4bed7038ad536f0b94de3a8ae3b934f97d6c761bb4d5d142a1ca3fc3ef02c7db89b4860974d164133154d6188637f05cc2829b66a8b916cd6

Download Submit
C:\Windows\{2C378F21-2731-43d1-AB94-D2D255D4F804}.exe

Filesize
380KB

MD5
e66eb65979255e7c6f0f5720ebe0c92d

SHA1
349049f8e427bfc4104ccebbd1b0a7e2ddbd0dec

SHA256
b040e65010f97a361fce76fe9ff0159baa2dc810a1bfcf59e7ccfbadb7c1af72

SHA512
a6c6fee311fa7815c9d7d9f90e3e7517fc202884ae34563ac03510a290feee398a87b4716918199327df0a53b2e9e0a52b3f179788d696450b73221c46ac8fed

Download Submit
C:\Windows\{4F6F0D10-BDC7-4d6f-8671-196157D9B180}.exe

Filesize
380KB

MD5
ae5fa730c6bceb81782cc91f091e644c

SHA1
cb9294bd18ecf256c5355b105f8ac6912b865181

SHA256
2b9fb4e5b38f5fc29824c2c27e4b80b5cd2da4f27cd9e9418d3855629ae66826

SHA512
c66148e6982e83fc50c5e471c6f548375568042f0c4edd22e8906ca1df0f93ab51014567b1211bbda63a8d1b20cc4a68daa66ed3a09d6d3558d17d93b4e5f22d

Download Submit
C:\Windows\{6B1FE08D-48B7-4a69-9168-53890B7DB633}.exe

Filesize
380KB

MD5
5f2eb9fa425c008ef84e3fcbf8ed9855

SHA1
a2fff856fb6807c30d8d7b55203859fa8854a13b

SHA256
ffe768be35b4c2a111dfe54e026ac50a28d8df11e835339c594b90b720d39eb6

SHA512
e1a4c180d3e2d5d03ce20f2ebf1ab61a043c1c1d616dd3372533a3d5b89615f18b33b7d9d45488b4dcb679c77d5d87a089b402885e9a679747a5a86338612d64

Download Submit
C:\Windows\{9992A812-AA2F-45a4-A0D8-0E9D1C4ED52E}.exe

Filesize
380KB

MD5
285fcf0534e57ca86d84d1ffda4a5fe9

SHA1
b6ef85f571ff4c04bc0f93a38859063140e2618d

SHA256
e64b61b222ba8b3117e541ad87b995005d10af1da9297076c7d45981af322cce

SHA512
fdc0b6797c21173cdc99d034a56b0e516fd737f2fd6c87bb82eb0febc1a0911ec008016f4fb826cae45ca483b223c98198e0a49d98feabf7c2b7ea21530bdff2

Download Submit
C:\Windows\{AA8EE8BB-6396-4e98-8888-D27F5485FF30}.exe

Filesize
380KB

MD5
e5df41d14f7cb8af99f3bc92de37d901

SHA1
08de36d33d7b8a38695bacf86e3f2f435e386609

SHA256
f1fc5a812d3d2abfa30ea7c798d10e216a6cbdfa5817fa0b4dd3d45a0b78b0e4

SHA512
62f1504fe2bd5afd588a9934fbd09c6bff0160f2c63133c7058963e513932a6c4cf8b65dece05afefc12f8e0df4f0ec5286a1fb8a2a03a02b5be1af41f318633

Download Submit
C:\Windows\{BC412DFD-7715-406d-8FAA-0FC17248C27F}.exe

Filesize
380KB

MD5
335eecb723bb7dfe180491a613af01fc

SHA1
347002462e296a5221f32f86acecb464b863e6bb

SHA256
8bb60cf6e0a6b259880c9c44abc2b11b2b7c41ba14d45e5fd3b89996fa3be074

SHA512
091cb06d21ab9241cfcd734942da98052c73077fff7390fd4d221d9d91418ba566f470ffc94377ee7ff11855df4cb1bc3d4459ac66bae378adaf03c4b59ba99e

Download Submit
C:\Windows\{C559C2BD-3326-47c0-8B23-386662AF42E4}.exe

Filesize
380KB

MD5
be3e469ed3c2412f6233c64fbf01da43

SHA1
f9ba086eed0b7e8a942517f3593e66ae226c162c

SHA256
2e64ac1865eb9fee4f57c87c1e48cba91bd2d2a34942c8a340a8f27c77b50546

SHA512
555bc9b0a8908b3fa16ed5c034b5d7e265a40d95ea1b4c327dd6f51ffe74b91db227fef16f1fb98672c97a269f391b878f0c819dffb4b133d1197f3f8485c57c

Download Submit
C:\Windows\{CCA4F22E-C74F-4dc0-BEB1-B7185F7A5B76}.exe

Filesize
380KB

MD5
4959958f9931d7ec0806097b57f0806d

SHA1
ae40bf6b28cd50cb06c12624750f17c174006b06

SHA256
187025646d515681468bb50cd104334c0f37f2b47fd8e40897f7aca37d65cc25

SHA512
46f0d0fb2cf60dd9148cebdcab4b636da748693e4c26653821446fc4a3444d7cd03544822e7e59b95dfeea9e3b6457e3308b982d7aa46173b2b431e937125fe1

Download Submit
C:\Windows\{D4932C8C-5450-4f74-B9E7-CBF54D7CBD56}.exe

Filesize
380KB

MD5
054a04c81e78194b2c071698c5177c9b

SHA1
5b577f59372d2b6e23c6228a0b4e448a66830bca

SHA256
23f51a344a360a913785736317743a5e252d46e1606adf16043aae2cc9974dd2

SHA512
f6786552e67c9e952c16341bb9db61d43bd2f8069fe010c234c0f1564466724cc1fa9475d8acc8b6a9357e92f73a07e571c1754bae1c110071a8bc2a4611b3a9

Download Submit
C:\Windows\{E8AADB2F-BEE3-49e4-B8D6-58B99886EFA0}.exe

Filesize
380KB

MD5
ae9f860622545682fb34ebed0df51c4a

SHA1
beab9b5c837d9a44ea69e0bab48b3266f7653b27

SHA256
085611af986357a12a0f8bd543ce5a09766382fd51360290fcf5d9b137c1853d

SHA512
d3ef8b6ffb90261309a5b6ef5c78ebe934a4e731a82c7ad59d48bd31a8d59eadc89bc332bf5575ad1e73bd65e6926ebc9761fa2c88145fdc5385f5aa7a7f0539

Download Submit
C:\Windows\{F685EADF-477C-4e27-9373-BED49FB4D715}.exe

Filesize
380KB

MD5
bad92a72e51f32b2d671072a94d5c56c

SHA1
3b80ce4c3e39c94b3fd78c25e022d96d62b46687

SHA256
cfe4ddf64149ed5f318dafb60a7780a834bb06ad0b3eb08d5aff56b5e6396344

SHA512
36dcf8e1d2bef5ee974c2aab97f62c7945045278bde2e0b19d9d0706c007715f8c984f21afa4ad72e32145b55645e61c91a61df7b807b3f223f0dceed6f583ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads