ac91611cfd6272234d9750476dfeb8bee0476762ce67df1b5c77d78e845e107a

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
Size

408KB
MD5

d347e93647fb0cb41a7b5329aadc8f5d
SHA1

15c6ff6cb2b501e94ad995e790317385ddb23fe9
SHA256

ac91611cfd6272234d9750476dfeb8bee0476762ce67df1b5c77d78e845e107a
SHA512

fbde6a557a60d8b32c80585914ce9ea64ae1d2b349781db7db3399f3857afe9f7822136d1c74b05d13bb30a99bf2ab97050680d3ef4638af2d335e836d07e713
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CAC068-FEAD-485a-A964-B4D633F009A0}	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}\stubpath = "C:\\Windows\\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe"	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D979D493-E124-455d-866D-FC9E834910E2}\stubpath = "C:\\Windows\\{D979D493-E124-455d-866D-FC9E834910E2}.exe"	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}\stubpath = "C:\\Windows\\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe"	{D979D493-E124-455d-866D-FC9E834910E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4433199E-264C-4400-83B1-8D6F53354878}	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FDA943E-1EA6-493a-8328-1088A34E7719}\stubpath = "C:\\Windows\\{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe"	{4433199E-264C-4400-83B1-8D6F53354878}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1231663E-B279-4132-9728-8F039EBA0C66}\stubpath = "C:\\Windows\\{1231663E-B279-4132-9728-8F039EBA0C66}.exe"	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}	{D979D493-E124-455d-866D-FC9E834910E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1789219-1FB8-4506-B9B0-2E27B3887395}\stubpath = "C:\\Windows\\{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe"	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4433199E-264C-4400-83B1-8D6F53354878}\stubpath = "C:\\Windows\\{4433199E-264C-4400-83B1-8D6F53354878}.exe"	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC927079-3A83-47b3-898D-51D8121361A3}	{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC927079-3A83-47b3-898D-51D8121361A3}\stubpath = "C:\\Windows\\{DC927079-3A83-47b3-898D-51D8121361A3}.exe"	{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1789219-1FB8-4506-B9B0-2E27B3887395}	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}\stubpath = "C:\\Windows\\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe"	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A50AA4D9-9EE8-471e-87D7-86299451ED26}	{1231663E-B279-4132-9728-8F039EBA0C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A50AA4D9-9EE8-471e-87D7-86299451ED26}\stubpath = "C:\\Windows\\{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe"	{1231663E-B279-4132-9728-8F039EBA0C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68235059-93D7-40d5-A4DF-93C7DD11C039}\stubpath = "C:\\Windows\\{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe"	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D979D493-E124-455d-866D-FC9E834910E2}	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FDA943E-1EA6-493a-8328-1088A34E7719}	{4433199E-264C-4400-83B1-8D6F53354878}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1231663E-B279-4132-9728-8F039EBA0C66}	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2CAC068-FEAD-485a-A964-B4D633F009A0}\stubpath = "C:\\Windows\\{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe"	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68235059-93D7-40d5-A4DF-93C7DD11C039}	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe
4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe
3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe
4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
4844	{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
3940	{DC927079-3A83-47b3-898D-51D8121361A3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1231663E-B279-4132-9728-8F039EBA0C66}.exe	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
File created	C:\Windows\{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
File created	C:\Windows\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
File created	C:\Windows\{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
File created	C:\Windows\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	{D979D493-E124-455d-866D-FC9E834910E2}.exe
File created	C:\Windows\{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
File created	C:\Windows\{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	{4433199E-264C-4400-83B1-8D6F53354878}.exe
File created	C:\Windows\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
File created	C:\Windows\{DC927079-3A83-47b3-898D-51D8121361A3}.exe	{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
File created	C:\Windows\{D979D493-E124-455d-866D-FC9E834910E2}.exe	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
File created	C:\Windows\{4433199E-264C-4400-83B1-8D6F53354878}.exe	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
File created	C:\Windows\{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	{1231663E-B279-4132-9728-8F039EBA0C66}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe
Token: SeIncBasePriorityPrivilege	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
Token: SeIncBasePriorityPrivilege	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
Token: SeIncBasePriorityPrivilege	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe
Token: SeIncBasePriorityPrivilege	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
Token: SeIncBasePriorityPrivilege	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
Token: SeIncBasePriorityPrivilege	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe
Token: SeIncBasePriorityPrivilege	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
Token: SeIncBasePriorityPrivilege	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
Token: SeIncBasePriorityPrivilege	3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
Token: SeIncBasePriorityPrivilege	4844	{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4372	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	96
PID 4908 wrote to memory of 4372	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	96
PID 4908 wrote to memory of 4372	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	96
PID 4908 wrote to memory of 3524	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	97
PID 4908 wrote to memory of 3524	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	97
PID 4908 wrote to memory of 3524	4908	2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe	97
PID 4372 wrote to memory of 4568	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	98
PID 4372 wrote to memory of 4568	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	98
PID 4372 wrote to memory of 4568	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	98
PID 4372 wrote to memory of 4632	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	99
PID 4372 wrote to memory of 4632	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	99
PID 4372 wrote to memory of 4632	4372	{D979D493-E124-455d-866D-FC9E834910E2}.exe	99
PID 4568 wrote to memory of 2316	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	102
PID 4568 wrote to memory of 2316	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	102
PID 4568 wrote to memory of 2316	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	102
PID 4568 wrote to memory of 1560	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	103
PID 4568 wrote to memory of 1560	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	103
PID 4568 wrote to memory of 1560	4568	{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe	103
PID 2316 wrote to memory of 1980	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	104
PID 2316 wrote to memory of 1980	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	104
PID 2316 wrote to memory of 1980	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	104
PID 2316 wrote to memory of 4300	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	105
PID 2316 wrote to memory of 4300	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	105
PID 2316 wrote to memory of 4300	2316	{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe	105
PID 1980 wrote to memory of 3704	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	106
PID 1980 wrote to memory of 3704	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	106
PID 1980 wrote to memory of 3704	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	106
PID 1980 wrote to memory of 376	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	107
PID 1980 wrote to memory of 376	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	107
PID 1980 wrote to memory of 376	1980	{4433199E-264C-4400-83B1-8D6F53354878}.exe	107
PID 3704 wrote to memory of 1632	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	108
PID 3704 wrote to memory of 1632	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	108
PID 3704 wrote to memory of 1632	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	108
PID 3704 wrote to memory of 4456	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	109
PID 3704 wrote to memory of 4456	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	109
PID 3704 wrote to memory of 4456	3704	{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe	109
PID 1632 wrote to memory of 3228	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	110
PID 1632 wrote to memory of 3228	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	110
PID 1632 wrote to memory of 3228	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	110
PID 1632 wrote to memory of 2572	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	111
PID 1632 wrote to memory of 2572	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	111
PID 1632 wrote to memory of 2572	1632	{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe	111
PID 3228 wrote to memory of 4396	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	112
PID 3228 wrote to memory of 4396	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	112
PID 3228 wrote to memory of 4396	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	112
PID 3228 wrote to memory of 3292	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	113
PID 3228 wrote to memory of 3292	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	113
PID 3228 wrote to memory of 3292	3228	{1231663E-B279-4132-9728-8F039EBA0C66}.exe	113
PID 4396 wrote to memory of 3060	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	114
PID 4396 wrote to memory of 3060	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	114
PID 4396 wrote to memory of 3060	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	114
PID 4396 wrote to memory of 4312	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	115
PID 4396 wrote to memory of 4312	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	115
PID 4396 wrote to memory of 4312	4396	{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe	115
PID 3060 wrote to memory of 3224	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	116
PID 3060 wrote to memory of 3224	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	116
PID 3060 wrote to memory of 3224	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	116
PID 3060 wrote to memory of 2020	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	117
PID 3060 wrote to memory of 2020	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	117
PID 3060 wrote to memory of 2020	3060	{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe	117
PID 3224 wrote to memory of 4844	3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe	118
PID 3224 wrote to memory of 4844	3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe	118
PID 3224 wrote to memory of 4844	3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe	118
PID 3224 wrote to memory of 1160	3224	{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_d347e93647fb0cb41a7b5329aadc8f5d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\{D979D493-E124-455d-866D-FC9E834910E2}.exe
  C:\Windows\{D979D493-E124-455d-866D-FC9E834910E2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
    C:\Windows\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
      C:\Windows\{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\{4433199E-264C-4400-83B1-8D6F53354878}.exe
        
        C:\Windows\{4433199E-264C-4400-83B1-8D6F53354878}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
        
        C:\Windows\{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
        
        C:\Windows\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{1231663E-B279-4132-9728-8F039EBA0C66}.exe
        
        C:\Windows\{1231663E-B279-4132-9728-8F039EBA0C66}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
        
        C:\Windows\{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
        
        C:\Windows\{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
        
        C:\Windows\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
        
        C:\Windows\{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\{DC927079-3A83-47b3-898D-51D8121361A3}.exe
        
        C:\Windows\{DC927079-3A83-47b3-898D-51D8121361A3}.exe
        13⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68235~1.EXE > nul
        13⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68C1C~1.EXE > nul
        12⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2CAC~1.EXE > nul
        11⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A50AA~1.EXE > nul
        10⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12316~1.EXE > nul
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{692AE~1.EXE > nul
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FDA9~1.EXE > nul
        7⤵
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44331~1.EXE > nul
        6⤵
        
        PID:376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1789~1.EXE > nul
        5⤵
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9CB1~1.EXE > nul
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D979D~1.EXE > nul
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1231663E-B279-4132-9728-8F039EBA0C66}.exe

Filesize
408KB

MD5
6e2fac0cd73427b5a39afd1e0fc1d0cf

SHA1
85ad1bc5a412de9c8b430e85ceb80bab12767035

SHA256
d508dc619cbcfa737db77196e387e3e617e8df314394f9bc2c44cfe76323ee14

SHA512
7f43091f3e6438babdc7a0e760216d6af68a77a7e4dac2967124d8bd270fb9fc4be1de4dd349f307f29d400ef17a778c75d509f292c49985e548722366f218e6

Download Submit
C:\Windows\{4433199E-264C-4400-83B1-8D6F53354878}.exe

Filesize
408KB

MD5
29ae7c402b2bec06da2a7cda4783da37

SHA1
346849148d82251daf28e782a5fe779e7ccb83e8

SHA256
68fc0a7f355a35d27da9c28e7742881f906e2b695a7aace913d38a67a339f6b3

SHA512
91c94abe33a68cb72d540bd210177a5a657daacf9927feec87ce1e3d70ff2fc1a7fe987fb66f31838807dbdd6bff1c79205b4ed6bd0e6b7906a4c94fd034e61c

Download Submit
C:\Windows\{68235059-93D7-40d5-A4DF-93C7DD11C039}.exe

Filesize
408KB

MD5
5c00f44a07857c5986e16ff29f11b3fa

SHA1
fb416980497b70a56c12d30d3140e93472ab02ed

SHA256
3b4ba8c0a2ee70655b7e0bf0961c79f9e1b12211bcc4ccd5dc6cb3839ecf7b18

SHA512
1b4a7e126f7e50df8bcf88d264b3f8a591b4f3aa5f5fc1a8dda45c76e31c55a36cbafe40c937f49a5f85f5a6755fdedff6f0d4e23fc427719032efa3443d7192

Download Submit
C:\Windows\{68C1C0CF-405A-4b33-A1A0-33B1D92375A7}.exe

Filesize
408KB

MD5
38e1943aa5c3cc8f6a785b8c029dd5a1

SHA1
a925be27c5daf0a090b3c5396392a2a1088d538b

SHA256
ba209867f1cefd5dbdbf28099fb92a575810623c1410db6c84408200e937c621

SHA512
b152358690dd9515a5a3c613046069b3ee0d8cda92866b4f2fc8a7d70f96abca56d3068f40d595430706b1d36c86a319bcb20f88722c4a69e9b5e83a11d3cd10

Download Submit
C:\Windows\{692AE5C8-BA1C-4d93-9E1E-8433FC53015D}.exe

Filesize
408KB

MD5
0ed09bd7c447e15a6fb3506b83aa3254

SHA1
1b029bd0e044fa595cc3b3f539867d22fea549ef

SHA256
d01f82a1cb35b048d925267a7aba96da76259b4654c7c7498d338e6a5f76e869

SHA512
1b504963538ae303a568f1b0cb603024f9dd27a96ba1cb367ef81e863b7842682996fd2eddb0f870ce0de0828b558c9cfd60df4b006f421b3a5a86c38eec658c

Download Submit
C:\Windows\{7FDA943E-1EA6-493a-8328-1088A34E7719}.exe

Filesize
408KB

MD5
e8d4c5a5c688446033b3c6500c63efe2

SHA1
ca1080c244c33a816099253cfa21cf147158f46e

SHA256
8b8b61cb5679812cd2b4254951a1f81864f5ce8c8b00757ba50c128f8d326e35

SHA512
d9a9eabc43571ecd48937e5f455045bebb7ffae38c1d26d926388311f225a58d2aa57c0edb32104763fe6ce308206011f3899738d96c1e619c0900eda2d93cbe

Download Submit
C:\Windows\{A50AA4D9-9EE8-471e-87D7-86299451ED26}.exe

Filesize
408KB

MD5
46a3890dc9e5e5739ab71f67b2ed50f8

SHA1
2dd1d5ebf96a19963c451f2aeb5695bf40298581

SHA256
121a55239d751c8439d487ff6cbc1fb07fd6d25bad76cc4a20f2e082e9c26801

SHA512
67557f6e6e2cb277c948e31e9137ee7934fba7c6cdedb8884109a6808c025e04a7338122f179c1c2389eb125889b2c365367fde1c6709c70117a8383c4a8af4d

Download Submit
C:\Windows\{B1789219-1FB8-4506-B9B0-2E27B3887395}.exe

Filesize
408KB

MD5
9221120fcee9b9e62baf27f756c1cc3d

SHA1
de2343cb6d1c1d60e85e4ecb7fb9df06c9080248

SHA256
61291bd8e1cd38eaa8799795883f884ec0c7e066d1e4bcde16f6f86e7d84e309

SHA512
2fe10d3555edc35da4b74d92c7b91ee9efdd87d467a1e53ba003a21d428245b89cc13c8564f3630c46a2e2daa0c782ffbe75af4cb673dcf3072fc46fa8c7b522

Download Submit
C:\Windows\{D2CAC068-FEAD-485a-A964-B4D633F009A0}.exe

Filesize
408KB

MD5
58a4b1e454698311e5f96abf0b37395f

SHA1
431dc29bb30671dfd008b754019056fa18066334

SHA256
2ce0e09ce034fbf2226cd70c4a4fc48c6fefb2bfd3b3e1479f9854c2e99a3032

SHA512
bbfce796569e0849cb593e6cda70e57e16a290a5242739061b564f52f9668ef33c8c768f6ab6a3dbafd6548c651dd61cb3ceebc4dc21de390dfcace2a942ca0d

Download Submit
C:\Windows\{D979D493-E124-455d-866D-FC9E834910E2}.exe

Filesize
408KB

MD5
797a72d4cefe5163096eb917cf19cdec

SHA1
1d2575c46a1d6d3fd381d656890f966140b48f5e

SHA256
21315968af989dc9e536eb07c94c3a62583199c9a9e96b15e062a679fc4715c5

SHA512
7d95bfcd8dbdfe14926dc91c561c442c12dff5f60d64c991cff9ea3fe15d5e2c599ff9d7a91000dd03406a21081f2bf13bcf186ae52409790af4923a80d5cf5e

Download Submit
C:\Windows\{DC927079-3A83-47b3-898D-51D8121361A3}.exe

Filesize
408KB

MD5
356d6ec9c20c3c0cb6e9402b258e7fca

SHA1
6886603d53a1487494daf8dec316f1cb34a98f33

SHA256
029685b43ed35faa69101d0e115cc5362faad34e4e7074453617d393666b7602

SHA512
74534e8483481ee09c80995a144a6b1ec2773d31cbc3529a7c96ed5fc55e702e08f4ccd626a921a931cc3f9403c89e8816cc6abc52a531fb06b82883a9f9c517

Download Submit
C:\Windows\{E9CB1A6C-B609-48fc-B5ED-8DDD2D9C3915}.exe

Filesize
408KB

MD5
77aa894be62ae7a1a30c82d2a4240435

SHA1
985ab04ddc4e6759efd64c44834e60daa01dac27

SHA256
7092b1f80bf0a2e8567b2a941cc47b2fca7e729dd1aa60f3ef0936dc2c5a064a

SHA512
eab4e5b9bbbdbcba13ab28aa9191fd7e23fafdc9ed0c34fa2ace2d48a69cbaf8063cb3459c1d75c32394000cf64b3ad92e5c7318cce388f0599425e484885fe5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads