68df4e960d069175b6d658da810bc3363d35423f07322039782f15203dd8fa57

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Size

380KB
MD5

b67c2368c4ac0ad5f2c198aa01350a52
SHA1

2abf1dd1360ce8429fc419d3b3939ebed549d9d6
SHA256

68df4e960d069175b6d658da810bc3363d35423f07322039782f15203dd8fa57
SHA512

1da0db321a7c3ea5ab350aadcccffbaf0a18eac933063b5aa13265837365014388af6a09b02a6c4ce82b5331716b1e61bb4077c1be92d349d9e5e13c8b7bf21a
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{421E6097-A9E6-4f6a-9729-827B4F02089C}	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BE6452-82AF-490c-AC2E-CD50047D5541}\stubpath = "C:\\Windows\\{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe"	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5617E5CC-EB86-4b32-B1E7-E43866F46604}	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7027408A-ED10-49ef-82CF-433778A95292}	{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7027408A-ED10-49ef-82CF-433778A95292}\stubpath = "C:\\Windows\\{7027408A-ED10-49ef-82CF-433778A95292}.exe"	{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}\stubpath = "C:\\Windows\\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe"	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}\stubpath = "C:\\Windows\\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe"	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A8A277-81FB-47ce-8334-A138F72F8F26}	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}\stubpath = "C:\\Windows\\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe"	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BE6452-82AF-490c-AC2E-CD50047D5541}	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5617E5CC-EB86-4b32-B1E7-E43866F46604}\stubpath = "C:\\Windows\\{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe"	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9A8A277-81FB-47ce-8334-A138F72F8F26}\stubpath = "C:\\Windows\\{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe"	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}\stubpath = "C:\\Windows\\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe"	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}\stubpath = "C:\\Windows\\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe"	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AD07C8-1CA9-4263-9640-06E966579AED}	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4AD07C8-1CA9-4263-9640-06E966579AED}\stubpath = "C:\\Windows\\{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe"	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{421E6097-A9E6-4f6a-9729-827B4F02089C}\stubpath = "C:\\Windows\\{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe"	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}\stubpath = "C:\\Windows\\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe"	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe

Executes dropped EXE 12 IoCs

pid	Process
1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe
2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
764	{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
2636	{7027408A-ED10-49ef-82CF-433778A95292}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
File created	C:\Windows\{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
File created	C:\Windows\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
File created	C:\Windows\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
File created	C:\Windows\{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
File created	C:\Windows\{7027408A-ED10-49ef-82CF-433778A95292}.exe	{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
File created	C:\Windows\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
File created	C:\Windows\{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
File created	C:\Windows\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
File created	C:\Windows\{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
File created	C:\Windows\{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
File created	C:\Windows\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
Token: SeIncBasePriorityPrivilege	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
Token: SeIncBasePriorityPrivilege	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
Token: SeIncBasePriorityPrivilege	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
Token: SeIncBasePriorityPrivilege	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
Token: SeIncBasePriorityPrivilege	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
Token: SeIncBasePriorityPrivilege	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
Token: SeIncBasePriorityPrivilege	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe
Token: SeIncBasePriorityPrivilege	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
Token: SeIncBasePriorityPrivilege	3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
Token: SeIncBasePriorityPrivilege	764	{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1468	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 1468	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 1468	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	91
PID 4076 wrote to memory of 1088	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	92
PID 4076 wrote to memory of 1088	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	92
PID 4076 wrote to memory of 1088	4076	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	92
PID 1468 wrote to memory of 1148	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	100
PID 1468 wrote to memory of 1148	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	100
PID 1468 wrote to memory of 1148	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	100
PID 1468 wrote to memory of 1376	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	101
PID 1468 wrote to memory of 1376	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	101
PID 1468 wrote to memory of 1376	1468	{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe	101
PID 1148 wrote to memory of 2636	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	103
PID 1148 wrote to memory of 2636	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	103
PID 1148 wrote to memory of 2636	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	103
PID 1148 wrote to memory of 764	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	104
PID 1148 wrote to memory of 764	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	104
PID 1148 wrote to memory of 764	1148	{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe	104
PID 2636 wrote to memory of 1408	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	106
PID 2636 wrote to memory of 1408	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	106
PID 2636 wrote to memory of 1408	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	106
PID 2636 wrote to memory of 872	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	107
PID 2636 wrote to memory of 872	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	107
PID 2636 wrote to memory of 872	2636	{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe	107
PID 1408 wrote to memory of 4060	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	108
PID 1408 wrote to memory of 4060	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	108
PID 1408 wrote to memory of 4060	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	108
PID 1408 wrote to memory of 2656	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	109
PID 1408 wrote to memory of 2656	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	109
PID 1408 wrote to memory of 2656	1408	{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe	109
PID 4060 wrote to memory of 3780	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	110
PID 4060 wrote to memory of 3780	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	110
PID 4060 wrote to memory of 3780	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	110
PID 4060 wrote to memory of 1104	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	111
PID 4060 wrote to memory of 1104	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	111
PID 4060 wrote to memory of 1104	4060	{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe	111
PID 3780 wrote to memory of 4672	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	112
PID 3780 wrote to memory of 4672	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	112
PID 3780 wrote to memory of 4672	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	112
PID 3780 wrote to memory of 940	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	113
PID 3780 wrote to memory of 940	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	113
PID 3780 wrote to memory of 940	3780	{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe	113
PID 4672 wrote to memory of 2960	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	114
PID 4672 wrote to memory of 2960	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	114
PID 4672 wrote to memory of 2960	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	114
PID 4672 wrote to memory of 4768	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	115
PID 4672 wrote to memory of 4768	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	115
PID 4672 wrote to memory of 4768	4672	{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe	115
PID 2960 wrote to memory of 2400	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	116
PID 2960 wrote to memory of 2400	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	116
PID 2960 wrote to memory of 2400	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	116
PID 2960 wrote to memory of 208	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	117
PID 2960 wrote to memory of 208	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	117
PID 2960 wrote to memory of 208	2960	{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe	117
PID 2400 wrote to memory of 3724	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	118
PID 2400 wrote to memory of 3724	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	118
PID 2400 wrote to memory of 3724	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	118
PID 2400 wrote to memory of 2596	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	119
PID 2400 wrote to memory of 2596	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	119
PID 2400 wrote to memory of 2596	2400	{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe	119
PID 3724 wrote to memory of 764	3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe	120
PID 3724 wrote to memory of 764	3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe	120
PID 3724 wrote to memory of 764	3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe	120
PID 3724 wrote to memory of 1148	3724	{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe	121

C:\Users\Admin\AppData\Local\Temp\20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
  C:\Windows\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
    C:\Windows\{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
      C:\Windows\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
        
        C:\Windows\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
        
        C:\Windows\{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
        
        C:\Windows\{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
        
        C:\Windows\{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe
        
        C:\Windows\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
        
        C:\Windows\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
        
        C:\Windows\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
        
        C:\Windows\{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{7027408A-ED10-49ef-82CF-433778A95292}.exe
        
        C:\Windows\{7027408A-ED10-49ef-82CF-433778A95292}.exe
        13⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5617E~1.EXE > nul
        13⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07343~1.EXE > nul
        12⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA29~1.EXE > nul
        11⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF773~1.EXE > nul
        10⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BE6~1.EXE > nul
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A8A~1.EXE > nul
        8⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{421E6~1.EXE > nul
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24BDF~1.EXE > nul
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB8DB~1.EXE > nul
        5⤵
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AD0~1.EXE > nul
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC6FF~1.EXE > nul
    3⤵
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07343E85-739F-4ab9-AE8E-1C757B3BD79C}.exe

Filesize
380KB

MD5
335f7737c6141c995e84f1c0fa6e0d88

SHA1
d843dad87c45b7d21aeb8307630b8b6770235ba6

SHA256
cbb5c583c2dfcddb074d7b889101f2fabc92693ad258dd51cb7067e055f9be02

SHA512
27f913a5efe80a1d18b849b23aa222dc288428f90b81181774ac7f42e08b4becf1d9907f890e14f9d92b6e37eb46a2bf255f6b0af07b6377c8ba1e99530588b1

Download Submit
C:\Windows\{24BDF881-91B4-4584-8F2B-FE5FD9E96420}.exe

Filesize
380KB

MD5
003878acb44aac8997d6707d36e17cd7

SHA1
30e59b554977f23477e37e2cb6d6b0018f6908e0

SHA256
52692d7b1e6ea9fdcb5fb07d234850034a49134af278163a3b809057f82993cd

SHA512
9e4f0cfa429706e7273b74d20f54858bdce427c88771fce3f37f05b4571b7e81e42eb3cd28823be4710f8f9f4476573c4984a2b3deb3fec1531d0dbb5a605034

Download Submit
C:\Windows\{421E6097-A9E6-4f6a-9729-827B4F02089C}.exe

Filesize
380KB

MD5
ca0d8afac57615deee304e3785ab5005

SHA1
9bd1696785ab841e79eaf4364f95e272686a4d4c

SHA256
baa2d3a96199d9b5694cc014978cfddf6b3250105e5a4f23e37d0e1f6e2c3d92

SHA512
7c32da3cef0d69a2ffa1efd408cad12507b1cf71df710fc230e32ab3f77c14da988ad40b3f18178d906c921ed072eb921f41a71ae058913da8c8991e26814302

Download Submit
C:\Windows\{5617E5CC-EB86-4b32-B1E7-E43866F46604}.exe

Filesize
380KB

MD5
14b78991b813f24d49e01d3355c834c6

SHA1
a3eda4c95d7bb73cdf41bb53f9e85887caa233b1

SHA256
ec3970277d298bb20219b5507eb66bf2b9fe549974a219261a3dea51ca1e5bd2

SHA512
7999d6d91aec88a0ebb7c0de1ec5dd43b09570e7228010abc1eb7997d8000f84c0e509e4ff2d7e301c2f9bccf70035eed7cbdb46bf6c7ddd65fa3d8c3a5b0d5a

Download Submit
C:\Windows\{7027408A-ED10-49ef-82CF-433778A95292}.exe

Filesize
380KB

MD5
136c7fbc08f8522119846b28c719f366

SHA1
a5a399d89044f06c4f25dab20ccdd50db9f857e1

SHA256
bc61eafcaee633d696d43eddd2765b3fa8166a80377ac0a71842c3cb481f0152

SHA512
cf0241d232fe94a04b24656fed03e011cdaf520d89a3d2d1b88c31d3a0b5f273050da2b45c8a259ac59419e4ca73477a733ad36e9b375b866ee4469c58ca3afd

Download Submit
C:\Windows\{AB8DB0B8-49E5-4750-AA60-FC42EB67CDA3}.exe

Filesize
380KB

MD5
a8bffd03e550a1b1abf458cc126a9634

SHA1
327e957bf9ecc7037c86c03593388a467f0029a4

SHA256
7fc6ef437c9f297ee88e0c11f95dd8e5fcca1160a86866eab78db92c06e1f585

SHA512
6f29a175ebb16a51245ba7f558f2cafd38b09f69aa363ab8f0eaae7ed46b0e1eb052190fbabc3a2c0ac86d1761325402de10f392132e2dde8203470276c5b291

Download Submit
C:\Windows\{B4AD07C8-1CA9-4263-9640-06E966579AED}.exe

Filesize
380KB

MD5
f8152a8e60dcd41c138b22ffbec5f8e7

SHA1
7515bf730cc9cbff7bc96c9dc238a4e962a240af

SHA256
868e488dc24c97d1d35f6752a7032800f51892779bbd60e4332603f69a589709

SHA512
e17fbb6f15e2fa06642b855620668686a33889f9845b48823d3fc80645d2c39786a10cda2c432870ddbbb37aa194bbb7b024cb421ffbf17ceda9099e2e937f0d

Download Submit
C:\Windows\{BF7735F5-C84C-4fdc-B0F9-2ED179EECBA3}.exe

Filesize
380KB

MD5
e9d8635f84ae3e5b49e29fc28d0c88d7

SHA1
22fd2f1742e0c283806cd7e2592c17a40e226d3a

SHA256
699024469a9686c9f5b5c1265e74c84cc7465bab6157be2365a77de2b2c4e748

SHA512
a962f0b3d282e56e0b7e01208e8c4939a3f03df914061fcef2371e68fef94d9066606e23d95a84a8c132ae814a45ad897cc6b658f6e4c17dba3cead92803387d

Download Submit
C:\Windows\{DEA29A0A-5F2C-4d6b-8FCC-F5DAC507B035}.exe

Filesize
380KB

MD5
eaacc13b8c76ccc17c1afb396b7731d2

SHA1
ca8465863eeb9de2d66ff4b830cba8f4b4ea476b

SHA256
c4f33cafece11a00ac6c975373b14134036216f3e6f4b5aad6e441bee58a1ac2

SHA512
26b876ad68b1ae9f75c66e5ec7d99b58222998a22d76f8ca698686a185d93e92c7e95ead39ecb3ec6e9fef571434a4b959c7967dd3f2524c7a18ea9744f3e1ea

Download Submit
C:\Windows\{E9A8A277-81FB-47ce-8334-A138F72F8F26}.exe

Filesize
380KB

MD5
afe96a92af1c3ea24656856bf085760e

SHA1
ab614eca3b3e9fa703ba3ad0fc6720265ea38510

SHA256
38694cbba83bccb342d0e4d548fafc794fbabf2b85433e118fabef103d03146d

SHA512
15ce77d13329ffda312764eb54ea4bb362e46ab470c8abbf7e80d2053181a606feda71622149b9af160673651763c36410ced48eda73de29778d22793a6f5846

Download Submit
C:\Windows\{F7BE6452-82AF-490c-AC2E-CD50047D5541}.exe

Filesize
380KB

MD5
9ff3f968a3b600cd9ba706fdfa47537f

SHA1
9f2097c8f84ac4635392b86e015a736c704d526d

SHA256
84a3b079cb1beef183452c21ecc9bf1ffe35db50cbd68a75e25947f2762c89e9

SHA512
6d17f440aabff0ca5eeb1858c77ccb8fa518bffdc688fea87655e226196f1e05d284fb596d2867ba848e9bee4d69d7e9e1bddb6456152c7c766060933a9ce2b9

Download Submit
C:\Windows\{FC6FFA84-CFE7-497a-819B-9A5CFC35DFC3}.exe

Filesize
380KB

MD5
3ff085b3db06e6371021f4a7b205e1c2

SHA1
8386dad3fb298dc3789f8539eba9ebd955a9e2b0

SHA256
97a2b9547f3963a240293fd27fe08616678b0a521f9257cbc51de2103ef8c9fe

SHA512
6932140725e71c77960bd8593ec622c465b4370da8d0dab871a0e5cab103981fe3945fe6a8674d556f53caa4cff9bc1bb8439f008ce064679674c0b888c0f6e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads