5ad16d5a840f4d984eeac43035f6c388a91309acb4b815b84933e3fbb6598a1e

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
Size

168KB
MD5

e49cd40e81545a149f13ad948a73763a
SHA1

d7e6449e0ca2cb0629be458ec0ea9d4c48146eb6
SHA256

5ad16d5a840f4d984eeac43035f6c388a91309acb4b815b84933e3fbb6598a1e
SHA512

0953e312628db37fc1a9bba0510115253827d99bb588e92a22cc3b22257edcc701df6083c0c153005e2bd64ade7276c40e54adf8e9d369dfeba91c9f8aaa4730
SSDEEP

1536:1EGh0o2lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o2lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F985DD16-03A8-44bf-A38F-674382DA460E}\stubpath = "C:\\Windows\\{F985DD16-03A8-44bf-A38F-674382DA460E}.exe"	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B488308-4184-4531-BC10-EB8D58664184}	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18D24C26-07B4-41bf-BB13-A3477B786776}	{4B488308-4184-4531-BC10-EB8D58664184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}\stubpath = "C:\\Windows\\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe"	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}\stubpath = "C:\\Windows\\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe"	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}	{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}\stubpath = "C:\\Windows\\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe"	{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC13B23-DD69-4118-8120-35BDD695AAE7}\stubpath = "C:\\Windows\\{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe"	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B488308-4184-4531-BC10-EB8D58664184}\stubpath = "C:\\Windows\\{4B488308-4184-4531-BC10-EB8D58664184}.exe"	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18D24C26-07B4-41bf-BB13-A3477B786776}\stubpath = "C:\\Windows\\{18D24C26-07B4-41bf-BB13-A3477B786776}.exe"	{4B488308-4184-4531-BC10-EB8D58664184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747E4FCC-6228-4627-B49B-40C6017C45A2}	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}\stubpath = "C:\\Windows\\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe"	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC13B23-DD69-4118-8120-35BDD695AAE7}	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F985DD16-03A8-44bf-A38F-674382DA460E}	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}\stubpath = "C:\\Windows\\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe"	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}\stubpath = "C:\\Windows\\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe"	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}\stubpath = "C:\\Windows\\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe"	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747E4FCC-6228-4627-B49B-40C6017C45A2}\stubpath = "C:\\Windows\\{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe"	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe

Executes dropped EXE 12 IoCs

pid	Process
4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe
3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
5008	{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
1212	{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
File created	C:\Windows\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe	{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
File created	C:\Windows\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
File created	C:\Windows\{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
File created	C:\Windows\{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	{4B488308-4184-4531-BC10-EB8D58664184}.exe
File created	C:\Windows\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
File created	C:\Windows\{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
File created	C:\Windows\{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
File created	C:\Windows\{4B488308-4184-4531-BC10-EB8D58664184}.exe	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
File created	C:\Windows\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
File created	C:\Windows\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
File created	C:\Windows\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
Token: SeIncBasePriorityPrivilege	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
Token: SeIncBasePriorityPrivilege	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
Token: SeIncBasePriorityPrivilege	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe
Token: SeIncBasePriorityPrivilege	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
Token: SeIncBasePriorityPrivilege	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
Token: SeIncBasePriorityPrivilege	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
Token: SeIncBasePriorityPrivilege	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
Token: SeIncBasePriorityPrivilege	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
Token: SeIncBasePriorityPrivilege	2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
Token: SeIncBasePriorityPrivilege	5008	{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4100	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	93
PID 400 wrote to memory of 4100	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	93
PID 400 wrote to memory of 4100	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	93
PID 400 wrote to memory of 1016	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	94
PID 400 wrote to memory of 1016	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	94
PID 400 wrote to memory of 1016	400	2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe	94
PID 4100 wrote to memory of 4604	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	95
PID 4100 wrote to memory of 4604	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	95
PID 4100 wrote to memory of 4604	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	95
PID 4100 wrote to memory of 1564	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	96
PID 4100 wrote to memory of 1564	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	96
PID 4100 wrote to memory of 1564	4100	{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe	96
PID 4604 wrote to memory of 4256	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	100
PID 4604 wrote to memory of 4256	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	100
PID 4604 wrote to memory of 4256	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	100
PID 4604 wrote to memory of 456	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	101
PID 4604 wrote to memory of 456	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	101
PID 4604 wrote to memory of 456	4604	{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe	101
PID 4256 wrote to memory of 4296	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	102
PID 4256 wrote to memory of 4296	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	102
PID 4256 wrote to memory of 4296	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	102
PID 4256 wrote to memory of 1076	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	103
PID 4256 wrote to memory of 1076	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	103
PID 4256 wrote to memory of 1076	4256	{F985DD16-03A8-44bf-A38F-674382DA460E}.exe	103
PID 4296 wrote to memory of 3552	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	104
PID 4296 wrote to memory of 3552	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	104
PID 4296 wrote to memory of 3552	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	104
PID 4296 wrote to memory of 3620	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	105
PID 4296 wrote to memory of 3620	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	105
PID 4296 wrote to memory of 3620	4296	{4B488308-4184-4531-BC10-EB8D58664184}.exe	105
PID 3552 wrote to memory of 4748	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	106
PID 3552 wrote to memory of 4748	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	106
PID 3552 wrote to memory of 4748	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	106
PID 3552 wrote to memory of 2464	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	107
PID 3552 wrote to memory of 2464	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	107
PID 3552 wrote to memory of 2464	3552	{18D24C26-07B4-41bf-BB13-A3477B786776}.exe	107
PID 4748 wrote to memory of 4104	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	108
PID 4748 wrote to memory of 4104	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	108
PID 4748 wrote to memory of 4104	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	108
PID 4748 wrote to memory of 2008	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	109
PID 4748 wrote to memory of 2008	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	109
PID 4748 wrote to memory of 2008	4748	{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe	109
PID 4104 wrote to memory of 228	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	110
PID 4104 wrote to memory of 228	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	110
PID 4104 wrote to memory of 228	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	110
PID 4104 wrote to memory of 1428	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	111
PID 4104 wrote to memory of 1428	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	111
PID 4104 wrote to memory of 1428	4104	{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe	111
PID 228 wrote to memory of 1112	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	112
PID 228 wrote to memory of 1112	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	112
PID 228 wrote to memory of 1112	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	112
PID 228 wrote to memory of 880	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	113
PID 228 wrote to memory of 880	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	113
PID 228 wrote to memory of 880	228	{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe	113
PID 1112 wrote to memory of 2368	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	114
PID 1112 wrote to memory of 2368	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	114
PID 1112 wrote to memory of 2368	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	114
PID 1112 wrote to memory of 3972	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	115
PID 1112 wrote to memory of 3972	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	115
PID 1112 wrote to memory of 3972	1112	{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe	115
PID 2368 wrote to memory of 5008	2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe	116
PID 2368 wrote to memory of 5008	2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe	116
PID 2368 wrote to memory of 5008	2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe	116
PID 2368 wrote to memory of 4048	2368	{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_e49cd40e81545a149f13ad948a73763a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
  C:\Windows\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
    C:\Windows\{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
      C:\Windows\{F985DD16-03A8-44bf-A38F-674382DA460E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\{4B488308-4184-4531-BC10-EB8D58664184}.exe
        
        C:\Windows\{4B488308-4184-4531-BC10-EB8D58664184}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
      - C:\Windows\{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
        
        C:\Windows\{18D24C26-07B4-41bf-BB13-A3477B786776}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
        
        C:\Windows\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
        
        C:\Windows\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
        
        C:\Windows\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
        
        C:\Windows\{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
        
        C:\Windows\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
        
        C:\Windows\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe
        
        C:\Windows\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18ACB~1.EXE > nul
        13⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31C6D~1.EXE > nul
        12⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{747E4~1.EXE > nul
        11⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D26E~1.EXE > nul
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0307~1.EXE > nul
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC41E~1.EXE > nul
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18D24~1.EXE > nul
        7⤵
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B488~1.EXE > nul
        6⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F985D~1.EXE > nul
        5⤵
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC13~1.EXE > nul
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E8B2~1.EXE > nul
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7545522914305657361,9950105517201397946,262144 --variations-seed-version --mojo-platform-channel-handle=3920 /prefetch:8
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18ACB2B1-CADB-4b92-85C3-DD2FC99E7DC6}.exe

Filesize
168KB

MD5
ff4db10441e809c6c4532c5def2dbe18

SHA1
f3bd921cd4887911c96710023ea441e3ec0493c0

SHA256
94fe422d0f37fbc4b964d78267bbd8d6f6590033cc7c4f06e2c5b784300996e7

SHA512
551cfebc4c0603a36d3ba85a937704d588bde20d81316a151b4d940ab4795e781bf79681c1bb1f3b879468ca906c4f8fc88d79ef48badf53196af90c20a196b2

Download Submit
C:\Windows\{18D24C26-07B4-41bf-BB13-A3477B786776}.exe

Filesize
168KB

MD5
45e5e36abc22ed54a873a4b070bffb3a

SHA1
c57db6524b86d308ca04d189a7bea5648df46285

SHA256
41e7638d5b7675bc2345ad0fd90c5e35ee682f76589d7f4c5993146607d89d02

SHA512
0c5588f583cb896c903df9c9103116da3ca12405dea4fad4847e53f14cee39c68085031ff6352d893d1b11590b98e62e976c7e5f54b7ab9a499a4e6f22d74463

Download Submit
C:\Windows\{1E8B2D61-637E-4b65-A1BE-30CD49AB87AE}.exe

Filesize
168KB

MD5
e111c80f0fa9ee71644cde27ffc4978a

SHA1
c82a7ea24b7110b7b2f9cd13ae4b18061f03674f

SHA256
4b2762dc1c53cedeb0520f8503dcaa90130be3c6077379f5239f455edc6b5213

SHA512
8388dcfaa5dd517afcac79fb4adec8f1fd9cec71c07eefecbad26d286f6a76391cb34cb97e474e4ad5d90c92bbf703fa5d92a82b7da6c887dadc261c973ec8bc

Download Submit
C:\Windows\{2FC13B23-DD69-4118-8120-35BDD695AAE7}.exe

Filesize
168KB

MD5
e8622747a8d3262ffc6ddc50140fcb76

SHA1
7c52616d694378f2014970a974b5272ae665cea8

SHA256
8a277e21ff94e6bf9178d65272c40df323068e0b1459d88722af1be691716e34

SHA512
6834d9a7b8e20528f12de3689884e66fc124845d0fc8d039cf21c9447c125857d06028b431df3a9487ffa948561a9cea8bccc381e300d78f22f28519c76b9e79

Download Submit
C:\Windows\{31C6DC6E-18F7-453d-9BB1-7EF734D42492}.exe

Filesize
168KB

MD5
b087f1ccbd232f4e5d45a10d6bed7ca9

SHA1
652e81dab5963f6a0b22e23aba21fd6fe090f974

SHA256
4cc915fc06288f4c828613b6455f4d8571c2d979624f7f611b1eb87468796952

SHA512
fcf2adb023a45826632828dd90601fa07cc89484574c3ebf3571e1b7501a5f97414d5e7cdac8375d388d265b502ff836e28cfb1ee718f86be51518ff742f1064

Download Submit
C:\Windows\{3D26EF60-1C02-4a14-8450-17374AC1AD4F}.exe

Filesize
168KB

MD5
2e38984c14351785efa1ed1ee20053f1

SHA1
331ef71012bdbdecf0a59a724854cb33174d4b1e

SHA256
fe11a122c5329a53620923386911e90628dace73659e2f330921c480289ead98

SHA512
5c6357d47f8fdb178f76fdb17ee3dcc093b58a2c5d30dd8e735c0a5fa0c57584688f5f2276c1d9792f63907339ba08380395d57cfdb390e2a606ec9cc586049a

Download Submit
C:\Windows\{4B488308-4184-4531-BC10-EB8D58664184}.exe

Filesize
168KB

MD5
4fc32b705905ecae5ce764390f352ed8

SHA1
a78b95beb78195fdbe7f24b66d0569e50490ea15

SHA256
6680b786c41a583a9c4d9a8a7790ee0a08e30d24de5424b78a7ea4eedb1b0cc9

SHA512
9bb6350985be242fa88b3d72f5a1769311fa5fa6b721bd2b9a1e40e03de959d99657c50228fde5c6e6f196939c76ba8f2cd1755be19a4f8e3a6a7b56373be784

Download Submit
C:\Windows\{747E4FCC-6228-4627-B49B-40C6017C45A2}.exe

Filesize
168KB

MD5
98d836a6b9984d43006956c765cf266c

SHA1
3e58ac5eeea86be6345b87ef465722cf102b9a0c

SHA256
f30b11ea087f40d6e9754ecdefb6da5f030f7c498546748a5782376ebcef4204

SHA512
0abe27a991db670f8e6099e330cbe579af634f5ddb80a962fd401f1ba43bd4de6983eeb8c6efb82ad687113df8f6b688d9bcc5ff4f6a96adef58cdbe249b84ab

Download Submit
C:\Windows\{AC41E0E6-A4F8-4443-9659-6C05A6BA9671}.exe

Filesize
168KB

MD5
38d062b60289ee30dafa6c6f2f8ec9f9

SHA1
234f190805d0ec783feb9a7ddc965e2dc34e396f

SHA256
6d79077df7f8e6115d2b30be784cb75d15928e4a439a19967b4f73f8991db740

SHA512
35abd1a881dce0e7127ec607dc5c0d85702f6f4de6a26cbdae2d5acdac306e52dbd04d1c86e9e476328beca1fee982d7e8f117950bfddb75284c5616c74648c2

Download Submit
C:\Windows\{B03078A0-2FC5-4e0d-8A10-2D0D1A9676F3}.exe

Filesize
168KB

MD5
25cb0e6778a548e9645db28191b474ca

SHA1
32d37434546d275ef1dff94ba95ea3862771f742

SHA256
3f1baadbc984e1d1e89d5849e9e9ea2672d75720b85747d05974c2335b4f7f25

SHA512
4eb1fde9b2272cadb33300befca5cf6ba421dfc305344616356a9db06f4b208db8cf1429fce5d5801f2f07b5584269c52de9d3b569ee20f03ed3c771ff8100e5

Download Submit
C:\Windows\{E66BD27F-DC6A-4df8-8F04-1A3F86FCD92E}.exe

Filesize
168KB

MD5
6aea89f8bf5bf81f7c873f4712c2053f

SHA1
d2be8494d864b25c390f406e9421551b22241fc5

SHA256
b68901aa57e120412108a2bfb8b3b456d6548d4a04fa6f85d7dc536773acc0ee

SHA512
32452837c91111c1b406646749cc464ac795d32104be1df321b44b3a3027a7d18249f4401ca298a01f4e37b072a2bd2e2349b6593c3828ab114dc64487133d48

Download Submit
C:\Windows\{F985DD16-03A8-44bf-A38F-674382DA460E}.exe

Filesize
168KB

MD5
81716b157b07784041e8d0330d5b6026

SHA1
95f23ebc6af44dd095962826e9df7d6a28d2163e

SHA256
50e4d09c2beec85a831312c7218cf45fe265d64abfe83fb12ecef1e0a3acb07d

SHA512
3b0215b986ce82c3c4375119364fd5d63c98bd07b6f5c020b6e3b6dca7a2fc0fcecdf7e25a3b7de2c76c474dbf928a1bac6917f3f17967cd6048318a29c23b0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads