Analysis

max time kernel: 149s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 11:51

Static task: static1

Behavioral task: behavioral1
Sample: 2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Resource: win10v2004-20240508-en

General

Target: 2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Size: 408KB
MD5: a88c678467be4c4b663e3428ad3d1070
SHA1: 0bda26dd5b0abd8d177e5bd8561f9651141fbf9a
SHA256: f6cf2feff6978c3e63c9c343ecf87d42d279cf95d6cf3010b8507bd9ad02e33d
SHA512: 6e2a1bd160a8e5e3fa226d7fb313963a2d80800a1d222ca347d717598db9bdf79a9f00789aea651fa56829c76ee4fd9be2aa9f699be7227f94785fd4091eb458
SSDEEP: 3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Executes dropped EXE (12 IoCs)
Drops file in Windows directory (12 IoCs)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe"
  Tree depth: 1
  PID: 4776
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe
  Command line: C:\Windows\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe
  Tree depth: 2
  PID: 856
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{E123FD95-232A-4d22-8658-F6CE94C5A234}.exe
  Command line: C:\Windows\{E123FD95-232A-4d22-8658-F6CE94C5A234}.exe
  Tree depth: 3
  PID: 4408
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{1B474D77-B42D-4177-99C7-898073405DE2}.exe
  Command line: C:\Windows\{1B474D77-B42D-4177-99C7-898073405DE2}.exe
  Tree depth: 4
  PID: 2372
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{4450F73E-4A5A-4364-8846-DB18D03F9A9D}.exe
  Command line: C:\Windows\{4450F73E-4A5A-4364-8846-DB18D03F9A9D}.exe
  Tree depth: 5
  PID: 2888
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{0BC8C383-4983-4dfd-9AC1-A54B32806CB6}.exe
  Command line: C:\Windows\{0BC8C383-4983-4dfd-9AC1-A54B32806CB6}.exe
  Tree depth: 6
  PID: 2360
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{4E478E13-82E3-4ecd-82EB-C9E4F39EE464}.exe
  Command line: C:\Windows\{4E478E13-82E3-4ecd-82EB-C9E4F39EE464}.exe
  Tree depth: 7
  PID: 4516
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{A8919068-EB43-4cc9-8571-9423EBEA5251}.exe
  Command line: C:\Windows\{A8919068-EB43-4cc9-8571-9423EBEA5251}.exe
  Tree depth: 8
  PID: 3252
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{9DA26EC8-2835-436d-8FE3-B07FC6AB833D}.exe
  Command line: C:\Windows\{9DA26EC8-2835-436d-8FE3-B07FC6AB833D}.exe
  Tree depth: 9
  PID: 3564
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D}.exe
  Command line: C:\Windows\{7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D}.exe
  Tree depth: 10
  PID: 3748
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{9F006C99-CBC0-4f0f-B14C-280FAF87AC86}.exe
  Command line: C:\Windows\{9F006C99-CBC0-4f0f-B14C-280FAF87AC86}.exe
  Tree depth: 11
  PID: 1212
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\{52878C40-96B3-45a0-8DD0-C5DB35BAA561}.exe
  Command line: C:\Windows\{52878C40-96B3-45a0-8DD0-C5DB35BAA561}.exe
  Tree depth: 12
  PID: 224
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\{B9DB8BDA-7E9E-42b1-9626-E5CE650124B5}.exe
  Command line: C:\Windows\{B9DB8BDA-7E9E-42b1-9626-E5CE650124B5}.exe
  Tree depth: 13
  PID: 4076
  - Executes dropped EXE

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{52878~1.EXE > nul
  Tree depth: 13
  PID: 1472

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9F006~1.EXE > nul
  Tree depth: 12
  PID: 3240

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7C4~1.EXE > nul
  Tree depth: 11
  PID: 4600

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA26~1.EXE > nul
  Tree depth: 10
  PID: 5028

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8919~1.EXE > nul
  Tree depth: 9
  PID: 1164

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4E478~1.EXE > nul
  Tree depth: 8
  PID: 1096

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC8C~1.EXE > nul
  Tree depth: 7
  PID: 1032

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4450F~1.EXE > nul
  Tree depth: 6
  PID: 3712

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1B474~1.EXE > nul
  Tree depth: 5
  PID: 4936

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E123F~1.EXE > nul
  Tree depth: 4
  PID: 3320

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0727A~1.EXE > nul
  Tree depth: 3
  PID: 2484

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  Tree depth: 2
  PID: 3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
  Tree depth: 1
  PID: 4868
Network
MITRE ATT&CK Enterprise v15
Downloads