39c14c550ac2c65502f4ed3bee54d3231ead3eb63e70dcc739f7439912df4b36

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Size

180KB
MD5

7ecbcbdc0671945868a4ee73fea64f70
SHA1

18a4e924bd64afbc0bf01e05ea453d7be971d197
SHA256

39c14c550ac2c65502f4ed3bee54d3231ead3eb63e70dcc739f7439912df4b36
SHA512

3e16a336aa4bdf4e53e29a894391ca7ac254d5f6d348cb91dad7b9724fc354506a5e29220d5786bdb71a3d42fe2d023435d9d9bd0f48731ecda11bfa18a68458
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB2B70CE-6422-4c95-A628-1AC977323781}\stubpath = "C:\\Windows\\{FB2B70CE-6422-4c95-A628-1AC977323781}.exe"	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33B27E7E-C4EB-43c2-9023-8A08C4142819}	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCCB591-2480-44ac-8D1C-D189C872CD26}	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCCB591-2480-44ac-8D1C-D189C872CD26}\stubpath = "C:\\Windows\\{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe"	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}\stubpath = "C:\\Windows\\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe"	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061A8B8D-4F21-4601-B018-07989685A4C3}	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}\stubpath = "C:\\Windows\\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe"	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{733F88AF-5AE4-498a-859C-D2D47B80FA08}	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{733F88AF-5AE4-498a-859C-D2D47B80FA08}\stubpath = "C:\\Windows\\{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe"	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB2B70CE-6422-4c95-A628-1AC977323781}	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33B27E7E-C4EB-43c2-9023-8A08C4142819}\stubpath = "C:\\Windows\\{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe"	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31475DBD-8A5A-4be8-B790-6E1B8614889F}	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31475DBD-8A5A-4be8-B790-6E1B8614889F}\stubpath = "C:\\Windows\\{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe"	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}	{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{061A8B8D-4F21-4601-B018-07989685A4C3}\stubpath = "C:\\Windows\\{061A8B8D-4F21-4601-B018-07989685A4C3}.exe"	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707BF501-9671-44e1-A18D-102CD12EE4CB}\stubpath = "C:\\Windows\\{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe"	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}\stubpath = "C:\\Windows\\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe"	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707BF501-9671-44e1-A18D-102CD12EE4CB}	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}\stubpath = "C:\\Windows\\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe"	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}\stubpath = "C:\\Windows\\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe"	{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe

Executes dropped EXE 12 IoCs

pid	Process
3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
3680	{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe
416	{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
File created	C:\Windows\{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
File created	C:\Windows\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
File created	C:\Windows\{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
File created	C:\Windows\{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
File created	C:\Windows\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe	{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe
File created	C:\Windows\{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
File created	C:\Windows\{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
File created	C:\Windows\{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
File created	C:\Windows\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
File created	C:\Windows\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
File created	C:\Windows\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
Token: SeIncBasePriorityPrivilege	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
Token: SeIncBasePriorityPrivilege	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
Token: SeIncBasePriorityPrivilege	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
Token: SeIncBasePriorityPrivilege	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
Token: SeIncBasePriorityPrivilege	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
Token: SeIncBasePriorityPrivilege	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
Token: SeIncBasePriorityPrivilege	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
Token: SeIncBasePriorityPrivilege	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
Token: SeIncBasePriorityPrivilege	4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
Token: SeIncBasePriorityPrivilege	3680	{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 3112	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	102
PID 3896 wrote to memory of 3112	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	102
PID 3896 wrote to memory of 3112	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	102
PID 3896 wrote to memory of 4604	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	103
PID 3896 wrote to memory of 4604	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	103
PID 3896 wrote to memory of 4604	3896	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	103
PID 3112 wrote to memory of 3532	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	104
PID 3112 wrote to memory of 3532	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	104
PID 3112 wrote to memory of 3532	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	104
PID 3112 wrote to memory of 700	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	105
PID 3112 wrote to memory of 700	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	105
PID 3112 wrote to memory of 700	3112	{061A8B8D-4F21-4601-B018-07989685A4C3}.exe	105
PID 3532 wrote to memory of 3996	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	110
PID 3532 wrote to memory of 3996	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	110
PID 3532 wrote to memory of 3996	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	110
PID 3532 wrote to memory of 1948	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	111
PID 3532 wrote to memory of 1948	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	111
PID 3532 wrote to memory of 1948	3532	{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe	111
PID 3996 wrote to memory of 1124	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	112
PID 3996 wrote to memory of 1124	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	112
PID 3996 wrote to memory of 1124	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	112
PID 3996 wrote to memory of 4588	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	113
PID 3996 wrote to memory of 4588	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	113
PID 3996 wrote to memory of 4588	3996	{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe	113
PID 1124 wrote to memory of 4572	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	114
PID 1124 wrote to memory of 4572	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	114
PID 1124 wrote to memory of 4572	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	114
PID 1124 wrote to memory of 812	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	115
PID 1124 wrote to memory of 812	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	115
PID 1124 wrote to memory of 812	1124	{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe	115
PID 4572 wrote to memory of 2184	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	117
PID 4572 wrote to memory of 2184	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	117
PID 4572 wrote to memory of 2184	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	117
PID 4572 wrote to memory of 2356	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	118
PID 4572 wrote to memory of 2356	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	118
PID 4572 wrote to memory of 2356	4572	{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe	118
PID 2184 wrote to memory of 4348	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	119
PID 2184 wrote to memory of 4348	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	119
PID 2184 wrote to memory of 4348	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	119
PID 2184 wrote to memory of 4344	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	120
PID 2184 wrote to memory of 4344	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	120
PID 2184 wrote to memory of 4344	2184	{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe	120
PID 4348 wrote to memory of 4156	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	128
PID 4348 wrote to memory of 4156	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	128
PID 4348 wrote to memory of 4156	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	128
PID 4348 wrote to memory of 956	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	129
PID 4348 wrote to memory of 956	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	129
PID 4348 wrote to memory of 956	4348	{FB2B70CE-6422-4c95-A628-1AC977323781}.exe	129
PID 4156 wrote to memory of 1084	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	130
PID 4156 wrote to memory of 1084	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	130
PID 4156 wrote to memory of 1084	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	130
PID 4156 wrote to memory of 1776	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	131
PID 4156 wrote to memory of 1776	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	131
PID 4156 wrote to memory of 1776	4156	{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe	131
PID 1084 wrote to memory of 4628	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	132
PID 1084 wrote to memory of 4628	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	132
PID 1084 wrote to memory of 4628	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	132
PID 1084 wrote to memory of 3128	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	133
PID 1084 wrote to memory of 3128	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	133
PID 1084 wrote to memory of 3128	1084	{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe	133
PID 4628 wrote to memory of 3680	4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe	137
PID 4628 wrote to memory of 3680	4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe	137
PID 4628 wrote to memory of 3680	4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe	137
PID 4628 wrote to memory of 3776	4628	{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
  C:\Windows\{061A8B8D-4F21-4601-B018-07989685A4C3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
    C:\Windows\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
      C:\Windows\{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
        
        C:\Windows\{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Windows\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
        
        C:\Windows\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
        
        C:\Windows\{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
        
        C:\Windows\{FB2B70CE-6422-4c95-A628-1AC977323781}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
        
        C:\Windows\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
        
        C:\Windows\{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
        
        C:\Windows\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe
        
        C:\Windows\{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe
        
        C:\Windows\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe
        13⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33B27~1.EXE > nul
        13⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{705FD~1.EXE > nul
        12⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31475~1.EXE > nul
        11⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BFEC~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB2B7~1.EXE > nul
        9⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707BF~1.EXE > nul
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1EE~1.EXE > nul
        7⤵
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADCCB~1.EXE > nul
        6⤵
        
        PID:812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{733F8~1.EXE > nul
        5⤵
        
        PID:4588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81809~1.EXE > nul
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{061A8~1.EXE > nul
    3⤵
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{061A8B8D-4F21-4601-B018-07989685A4C3}.exe

Filesize
180KB

MD5
4c1f18ff401fa32440191422006cc3b5

SHA1
023c974b3e60f23d6c3bb8a4a03bee8975a021dc

SHA256
1fab4ca48bc5da0aafc59aa1416003ebe361f645def7b4d914fb7dc0e44f0691

SHA512
2b4f7c48eece5b5430c36344a353387635548fc62f2ddc67a83809b5e880f28f0d4546e0948420fb40c5bdae4479111dfe20c33f4cebc530e81f38d5d1eee905

Download Submit
C:\Windows\{2BFECAA1-C233-4045-89EC-85C7B3613BB6}.exe

Filesize
180KB

MD5
1fdc032c93d5a5378b766c08e514930a

SHA1
1d694890b36738ab402357e634349ad51fd8dcbc

SHA256
c617101c22674e774c6daab9b43f758fded60cda84a8e7aa1509392e327f72fc

SHA512
e9549898048b461c277357998d9d3865b203f148118ec4de6012025db5bd693e02b8852c522cf9e689c8189a474f82703cd7f58c4c27d8f6c57c64064d85c97d

Download Submit
C:\Windows\{31475DBD-8A5A-4be8-B790-6E1B8614889F}.exe

Filesize
180KB

MD5
60caff226ed5561b9258f14b12f8bc1f

SHA1
e6cf61efa20498722e5ae53e7a58f1f9e5aafd68

SHA256
7b1600d57b081a7b132d54822a8040bf53b4ba0cfdf5bad26a1a259ff2db143b

SHA512
0e0d4aae0960327a440bda779e2849172ad8d7dd4adb378ab7f2c990f472dd47648f35163ee45a7e9039f641811d906dd81a6e5c2a56f06c55894bc1c43c4b75

Download Submit
C:\Windows\{33B27E7E-C4EB-43c2-9023-8A08C4142819}.exe

Filesize
180KB

MD5
70f2d29cb75068b2dfcb8f911fa0ba3e

SHA1
380e66fac535f043e3a26fbd38a2224867d56696

SHA256
625faa3d1371e67ce32edd6d21a6eae7fd4a5618545d9a2a9e04d41e12637874

SHA512
55f5267854daec2e1e64f9bf55a47ceb2909d89df9a4796393638cb76dd079b5def5a8d07b5731df8313f69148184a4ead8c1d58fe00ecf09457ae7f375a724f

Download Submit
C:\Windows\{705FD2C7-944D-4e64-B8FA-0E93C22F5AF3}.exe

Filesize
180KB

MD5
afade4ee3102dca0a0b027d8520ffe6a

SHA1
f29eb2ba0df9d573dcc03a4caa704d9a5ae43e2e

SHA256
df2217a81ed8f1e098a5209b259a23aec2e8f6b1fc7234c481e3be36b10dd13a

SHA512
2a623f209408891278975a062ff5004544ac9fe99a7331a8f5b7057f1788384782751c4a0c98287039691c6f884bcb6573a40b5e9f15e5fdaa0842ec733bd1ce

Download Submit
C:\Windows\{707BF501-9671-44e1-A18D-102CD12EE4CB}.exe

Filesize
180KB

MD5
ece76406ec23985ab1e3cbf991e92ec8

SHA1
cd55cfbe70c8a7dd7b27666d897c159399cc6c32

SHA256
db385b089e0f6733b7876ef853d2cc4e596040b854ba7412662672e07be8fa99

SHA512
4cf0a18c9ab38d064cdb30583fcddcd83e4a813edb26d4e95474a70de2c40735f098d8e8ca0c98d22cde19e40bd341cbfd8c57da0c8bc53b6ad713f5dd740527

Download Submit
C:\Windows\{733F88AF-5AE4-498a-859C-D2D47B80FA08}.exe

Filesize
180KB

MD5
530ef7dd920f1aa24bd8b14eab65728d

SHA1
543330728cb5169d9084e8b8d7e17d51cdb73d1e

SHA256
6dca35af128d235c4f72d4630550be8df8d3f4da9ec6cd92490bc0bfd72cb601

SHA512
4a1417feac11e3e4cdbc76a521c44a5562ee4102304a7a3a34d1e06c17f54a1179ba5e08ebbaf24d955a7ebd0a179b4087b2a14ea60b89bbbfad9961a4601877

Download Submit
C:\Windows\{81809BFA-BE2A-4a66-A73A-889419A4DAE2}.exe

Filesize
180KB

MD5
7908eb4ee4d540ef4a168b0a4ce33d58

SHA1
adff260e7e6b1ccc0631966490dadab2536356b7

SHA256
eedf40879cd91c270963da27f4599ad43af777cf88440f4115c83c9664ebfd6f

SHA512
41e1a5e79bcca640442aed96d6df65a6bb123d9b889e042113b0b4621d556e1f05697bec1e659b8dd576caf74859ea8c5a98948dbb9cb2484de3a9a8c502efe0

Download Submit
C:\Windows\{88E400F2-6EB9-471f-B77D-DBD5734DDA5C}.exe

Filesize
180KB

MD5
dd824c778be79d96932388f3b61cd251

SHA1
0739dac5806731b917e87ca25289225ff561caf5

SHA256
807eae7f5c72b4611b3958a681f9c8eb034e57252c1056af11c147b778301402

SHA512
b2dfaa7d398a435d34a0f4b2b318891d7ea4adc4b3210d124ca0e4c6dd4c49850a292d67e08b3dbc962ac3e82383160fc8ac5246bd75bf3ddd8a3d6b03da878c

Download Submit
C:\Windows\{ADCCB591-2480-44ac-8D1C-D189C872CD26}.exe

Filesize
180KB

MD5
a166e78ad75770117f498082d779987a

SHA1
511483c7e3a9981fd0206208dfaf85cc00e91b19

SHA256
6ea5ff8822311b89d90bfc5a40ce7ec507a26ab571a93264477e3d6028c544e1

SHA512
46bfe99dd7d7f04dbc438fedf2bb0e95f9ce9fb41795f915e5f12f24c335d727f9c423db1a52d82bf8468c8ab831495428a0f7a37172717f11332f7a814b1efa

Download Submit
C:\Windows\{EC1EEE88-CC01-4c47-BDB2-A82F3F516BE7}.exe

Filesize
180KB

MD5
83b9265cb41718210e8c5b8eed0bc799

SHA1
2a15d93fc6c77df1a03d44fb0d9e15b1a13a0010

SHA256
1084b3900779172dfbdea1ca7c84293d7c5a2b294fc6d300da7c0de43e102867

SHA512
99974180f8ad509ba5b51ce1dbdbcf0b2bf340acf5b379e6ff242fc75db932f4f6b9a0af1e444194b2399c3c84bda0808f953a22a1d73e55b077aeeca6abcee7

Download Submit
C:\Windows\{FB2B70CE-6422-4c95-A628-1AC977323781}.exe

Filesize
180KB

MD5
cc26cd45d5bfbff70e3318c058545933

SHA1
3ed17ea54894179cf2ffceae09be3247aff30e66

SHA256
dcf0dccacfc90574e8940b3f7c9bd0fede44078278b1dd27d6dcef63606b09fa

SHA512
7926b3f3ebfd959861cf5571feb04ff76802c9f4689e3ef23a350a473e4d3d350155bdf0d535845b1f268edd2b7b0253103a86d61edf475a0cb2e06394a8ec0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads