63ccdf58e2cdbeddc3c52dc4f66afa9c45fbe07957f19ac47a65565022d74ca3

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
Size

197KB
MD5

ae183909c9fab8157c870a246653268d
SHA1

e9d95d0ec9565d8f862c4fe0b8a4a3b435174d6c
SHA256

63ccdf58e2cdbeddc3c52dc4f66afa9c45fbe07957f19ac47a65565022d74ca3
SHA512

5fc4a877a43533c5f53d33cd63b091a5b91924b3420035d9f9b4d94d6bd3d4e0d8b71c00c799ee5745757cfcef5afcba21f86102feecd9386c1f596c695e1d08
SSDEEP

3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}\stubpath = "C:\\Windows\\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe"	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E4ECE8-B10E-4cde-9799-D371A8D75638}	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}	{90313E00-E807-4277-A33B-70EBC01731A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860F1E4E-06C7-4498-98AD-FCF251B0E593}	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C87864A-120D-45e0-AD16-82EF2953FE55}\stubpath = "C:\\Windows\\{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe"	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}\stubpath = "C:\\Windows\\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe"	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63566AD2-1A13-4b0d-A7DB-3537B9087846}	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}\stubpath = "C:\\Windows\\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe"	{90313E00-E807-4277-A33B-70EBC01731A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74046E6-FC8E-495b-91B8-46AFD1497141}	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}	{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D98710-3E47-4fc3-885B-7222C7AF2582}	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}\stubpath = "C:\\Windows\\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe"	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E4ECE8-B10E-4cde-9799-D371A8D75638}\stubpath = "C:\\Windows\\{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe"	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90313E00-E807-4277-A33B-70EBC01731A7}\stubpath = "C:\\Windows\\{90313E00-E807-4277-A33B-70EBC01731A7}.exe"	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C87864A-120D-45e0-AD16-82EF2953FE55}	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63566AD2-1A13-4b0d-A7DB-3537B9087846}\stubpath = "C:\\Windows\\{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe"	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90313E00-E807-4277-A33B-70EBC01731A7}	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74046E6-FC8E-495b-91B8-46AFD1497141}\stubpath = "C:\\Windows\\{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe"	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}\stubpath = "C:\\Windows\\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe"	{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860F1E4E-06C7-4498-98AD-FCF251B0E593}\stubpath = "C:\\Windows\\{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe"	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D98710-3E47-4fc3-885B-7222C7AF2582}\stubpath = "C:\\Windows\\{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe"	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe

Executes dropped EXE 12 IoCs

pid	Process
2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe
1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
1884	{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
1748	{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
File created	C:\Windows\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
File created	C:\Windows\{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
File created	C:\Windows\{90313E00-E807-4277-A33B-70EBC01731A7}.exe	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
File created	C:\Windows\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe	{90313E00-E807-4277-A33B-70EBC01731A7}.exe
File created	C:\Windows\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe	{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
File created	C:\Windows\{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
File created	C:\Windows\{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
File created	C:\Windows\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
File created	C:\Windows\{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
File created	C:\Windows\{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
File created	C:\Windows\{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
Token: SeIncBasePriorityPrivilege	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
Token: SeIncBasePriorityPrivilege	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
Token: SeIncBasePriorityPrivilege	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
Token: SeIncBasePriorityPrivilege	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
Token: SeIncBasePriorityPrivilege	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
Token: SeIncBasePriorityPrivilege	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
Token: SeIncBasePriorityPrivilege	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
Token: SeIncBasePriorityPrivilege	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe
Token: SeIncBasePriorityPrivilege	1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
Token: SeIncBasePriorityPrivilege	1884	{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2992	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	98
PID 212 wrote to memory of 2992	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	98
PID 212 wrote to memory of 2992	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	98
PID 212 wrote to memory of 3248	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	99
PID 212 wrote to memory of 3248	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	99
PID 212 wrote to memory of 3248	212	2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe	99
PID 2992 wrote to memory of 1276	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	100
PID 2992 wrote to memory of 1276	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	100
PID 2992 wrote to memory of 1276	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	100
PID 2992 wrote to memory of 4516	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	101
PID 2992 wrote to memory of 4516	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	101
PID 2992 wrote to memory of 4516	2992	{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe	101
PID 1276 wrote to memory of 3708	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	103
PID 1276 wrote to memory of 3708	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	103
PID 1276 wrote to memory of 3708	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	103
PID 1276 wrote to memory of 100	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	104
PID 1276 wrote to memory of 100	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	104
PID 1276 wrote to memory of 100	1276	{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe	104
PID 3708 wrote to memory of 4828	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	106
PID 3708 wrote to memory of 4828	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	106
PID 3708 wrote to memory of 4828	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	106
PID 3708 wrote to memory of 1744	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	107
PID 3708 wrote to memory of 1744	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	107
PID 3708 wrote to memory of 1744	3708	{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe	107
PID 4828 wrote to memory of 3244	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	108
PID 4828 wrote to memory of 3244	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	108
PID 4828 wrote to memory of 3244	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	108
PID 4828 wrote to memory of 224	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	109
PID 4828 wrote to memory of 224	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	109
PID 4828 wrote to memory of 224	4828	{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe	109
PID 3244 wrote to memory of 4732	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	110
PID 3244 wrote to memory of 4732	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	110
PID 3244 wrote to memory of 4732	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	110
PID 3244 wrote to memory of 1632	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	111
PID 3244 wrote to memory of 1632	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	111
PID 3244 wrote to memory of 1632	3244	{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe	111
PID 4732 wrote to memory of 440	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	112
PID 4732 wrote to memory of 440	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	112
PID 4732 wrote to memory of 440	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	112
PID 4732 wrote to memory of 512	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	113
PID 4732 wrote to memory of 512	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	113
PID 4732 wrote to memory of 512	4732	{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe	113
PID 440 wrote to memory of 2724	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	114
PID 440 wrote to memory of 2724	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	114
PID 440 wrote to memory of 2724	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	114
PID 440 wrote to memory of 4276	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	115
PID 440 wrote to memory of 4276	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	115
PID 440 wrote to memory of 4276	440	{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe	115
PID 2724 wrote to memory of 2976	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	116
PID 2724 wrote to memory of 2976	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	116
PID 2724 wrote to memory of 2976	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	116
PID 2724 wrote to memory of 4320	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	117
PID 2724 wrote to memory of 4320	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	117
PID 2724 wrote to memory of 4320	2724	{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe	117
PID 2976 wrote to memory of 1712	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	118
PID 2976 wrote to memory of 1712	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	118
PID 2976 wrote to memory of 1712	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	118
PID 2976 wrote to memory of 4468	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	119
PID 2976 wrote to memory of 4468	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	119
PID 2976 wrote to memory of 4468	2976	{90313E00-E807-4277-A33B-70EBC01731A7}.exe	119
PID 1712 wrote to memory of 1884	1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe	120
PID 1712 wrote to memory of 1884	1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe	120
PID 1712 wrote to memory of 1884	1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe	120
PID 1712 wrote to memory of 3188	1712	{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_ae183909c9fab8157c870a246653268d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
  C:\Windows\{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
    C:\Windows\{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
      C:\Windows\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
        
        C:\Windows\{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
        
        C:\Windows\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
        
        C:\Windows\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
        
        C:\Windows\{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
        
        C:\Windows\{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{90313E00-E807-4277-A33B-70EBC01731A7}.exe
        
        C:\Windows\{90313E00-E807-4277-A33B-70EBC01731A7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
        
        C:\Windows\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
        
        C:\Windows\{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe
        
        C:\Windows\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7404~1.EXE > nul
        13⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E9B~1.EXE > nul
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90313~1.EXE > nul
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63566~1.EXE > nul
        10⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E4E~1.EXE > nul
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{575AD~1.EXE > nul
        8⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{659B2~1.EXE > nul
        7⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C878~1.EXE > nul
        6⤵
        
        PID:224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4B0~1.EXE > nul
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D98~1.EXE > nul
      4⤵
      PID:100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{860F1~1.EXE > nul
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{41E4ECE8-B10E-4cde-9799-D371A8D75638}.exe

Filesize
197KB

MD5
82378175554be1a4de15b6ab2b2d08ad

SHA1
d2f0e3a02787ec2d73ef98acda4f5bed9a2ea405

SHA256
75f64176511c292e430f92538a23056e9039d49cf6fae6136fca34534c50ada6

SHA512
a1fb23d7410fe1bb4d251a9d6d98ac861f24829b3d470489efb94da7e06b37cefadacfade4d236a7d266d4464cce7840a70905b88017f0710f43b0b7bf83b89a

Download Submit
C:\Windows\{575AD8D6-F50A-4f66-A80E-AB4BA3B27111}.exe

Filesize
197KB

MD5
f009ee4114676cf22248a44ee0a49b54

SHA1
69b1b848b59b728d6c0729a25b527c3fc44d35bb

SHA256
663f1e183556ace340714cee0b763b8bdd1489c00f5d7fd1fa1a9b79b4447289

SHA512
c55f059d8e9cda7fc7854e6f809678eebbc536296ae1c19cb7f4cf82270136135f56ef9db0fed16fd69426665618ee292841567701a448d9e68e609f9b704b56

Download Submit
C:\Windows\{63566AD2-1A13-4b0d-A7DB-3537B9087846}.exe

Filesize
197KB

MD5
c20447040cb607c041a4f3b18ce84723

SHA1
5df93dc4465999ecff8c28d4dadfd01374586463

SHA256
bb0604ed54b04fc22841220dca8f3aa2cc4c67890490807c0757f4d1dcf4604c

SHA512
91d560387273a6bb36c09b83e5cf61a12b1ec43cadbaa456fd032262ce8036bdfebd1bee5462e069c78a59e56db5c53f17d69235c093d52e737eb441e4c9dc9f

Download Submit
C:\Windows\{659B2B5D-7B7F-414b-AF2A-9AFC6C834D1C}.exe

Filesize
197KB

MD5
18cd77d6145c5d7bc21c19cd77e6b80f

SHA1
142546d3c10c02b7b5763b07a48b5f7dfd011f90

SHA256
7be0ac486523bc9835c80e8e4aeacf40b39bca91585808e752ab9b3b8f9e600c

SHA512
796fe5c2244390cb644753778f2759e442ed31018e6b788093529e78739bff1e39b8b34d4fb30cf043730d7477736e741368f8b02a43f8ef44a79081daa561c4

Download Submit
C:\Windows\{6C87864A-120D-45e0-AD16-82EF2953FE55}.exe

Filesize
197KB

MD5
5141e9255ffb0e0ac881c74990da118a

SHA1
e8674c4d0ded309d1ce8a626e7ad1aa4a3efb443

SHA256
608b1d420d339b369a29154aa6494b1b38a73fda713324d48e7f739ef18604e5

SHA512
bf1b6e4179051fd6ed5f0abb5ce5051f6205c0400190df0128eed8b16c5b172d67c481e3b921569813a57a05575656ca1d726dc5d884b2432bbcc71580ee736e

Download Submit
C:\Windows\{6E50DE6F-3179-4e4a-9B36-2B38C64EB8B9}.exe

Filesize
197KB

MD5
9944a7cecd8d7c2d4055b6bc050f1147

SHA1
a2cf1f0f2121a886b34be5d47fc8fe6c9bed2fd0

SHA256
e3b216f30762636cb4777d8402ebba88c90bc1ea276f97d70e1c8f4b61edd752

SHA512
65e85b4934b1194f8cca0e172de994c5cfc8589f1479f5a72a5e44384993dc503d264254b0ee93f0d15601910267ae24d28f51c48a707badf9e4e9b04aea7490

Download Submit
C:\Windows\{7A4B0C59-4F12-4ab2-A5BB-4535DB2F537F}.exe

Filesize
197KB

MD5
7f15e8dfa4856d5da36f1cb301bf586e

SHA1
67c885a1618c02a024fd96a62ce1af598eb00de2

SHA256
52ca4946fa6efe5934b4f13b0321b1c047dce91756b7eaa763af41a270a9d5ed

SHA512
eefea788cda626a65bac3c0e8a9d5357b6bdc764db698474f92088e55735373474c8251fb6062e3b3e8e093464349e0887f865426f922f99d076bc7454fb377e

Download Submit
C:\Windows\{860F1E4E-06C7-4498-98AD-FCF251B0E593}.exe

Filesize
197KB

MD5
0e364dd6f158b58cf85debd4b8ea5193

SHA1
d6e95f394b3dafcf1c3a5f0437e79f666556078b

SHA256
ecb6f2faa0f428d1b06688a7df6c779b1cf89f17c19b361a2d06da1ba7512f04

SHA512
494a70646ee50a7917a9baf9c13170949491834d80fc4bfa59f1baa702f14ef392c43ce1a9995f439383e2b9842fdbe80108342b1037ac0f80979c8d6da1c304

Download Submit
C:\Windows\{90313E00-E807-4277-A33B-70EBC01731A7}.exe

Filesize
197KB

MD5
de8c92517811151da581f7ae41065c27

SHA1
119da99ae987d29782fd780a5e80f4491d2f949a

SHA256
206e246dfd0bdcc89c169fde7200222a19a0031fb5a58c3b92e9542e64c2ea31

SHA512
518e7dd1ce79e7867290953f9408a43b9be85f1e63b306a24df27c2c93d1daafb4b010d53186c436f527039fedb44d8a35c3298e32e99becef547a0d9e2ad204

Download Submit
C:\Windows\{C3D98710-3E47-4fc3-885B-7222C7AF2582}.exe

Filesize
197KB

MD5
a4b10f2287f88e2c1141d52b84e3f2bb

SHA1
d2376a6589dc6c0b3a07c2be7131d2142a401496

SHA256
12cb946f1563cf1d85dcee8f46150a7bd67c4c26c45277b7bc0d7d28676b459e

SHA512
9f1db09ff099fae0c315978bb40e4c5a3d39de8e2f0153cae3a8b2dc5a2752897b1959907c60363e02d1752f322a3e5d65418b2ac7867f2416ea425d2b380f7c

Download Submit
C:\Windows\{C9E9B0D9-E57A-4b26-9170-AC3626097BC8}.exe

Filesize
197KB

MD5
25c09f5e2886d4d4c5c7f8bf3e1ab4b2

SHA1
6be11932b4425ad23feeee70703351cbc3517440

SHA256
5b66bc434cba1fe09237a722bceffe64e47c33bc428ff7023da0e67eabe2b849

SHA512
d65b3b3480de33ecf7add0cc9921de2edeebbf14217219b147d9fee7be6131738424aceaa617b0ab8174ff7b6ed814aab04f4d91caa10d46e9fccb520f961f55

Download Submit
C:\Windows\{F74046E6-FC8E-495b-91B8-46AFD1497141}.exe

Filesize
197KB

MD5
4caa9bd6d011a106e6a5046f6504758c

SHA1
bec9896132a43ecfe3895e988e3fe0a2b11dc043

SHA256
39954de8c039fa399745586046d970a02fe7f43261e7ed19c1de08f5a9da083b

SHA512
29c6b74a74692de772fdb0f48e6c74ed05e1392745e334836993526d0c48dfbe7800194cdc841d977963748aad7406cd93de555cb270d06b6e2ffb2005e84549

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads