c2e7b7a1887ff2c3015780e9a4fef10ade061fe33c191ffd8096c41d6cfb4413

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
Size

168KB
MD5

64124de5280f768f171f2d73632e45a4
SHA1

866d77ae1eef1529b0787ca3e1598bd07f4c548b
SHA256

c2e7b7a1887ff2c3015780e9a4fef10ade061fe33c191ffd8096c41d6cfb4413
SHA512

b864a3821b223f997465104622e731a4a01584d13361f02e4b6f9c83c011b8fe33ac668ec038c3e848fa206321e2ca8934f87d3778f79bbb97904c878528d7f6
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}\stubpath = "C:\\Windows\\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe"	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBA0214-2F60-412e-8C96-CDDAE556885A}\stubpath = "C:\\Windows\\{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe"	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}\stubpath = "C:\\Windows\\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe"	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}\stubpath = "C:\\Windows\\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe"	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83292954-2BA7-42ed-AD62-DF42D200E6DD}	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}\stubpath = "C:\\Windows\\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe"	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83292954-2BA7-42ed-AD62-DF42D200E6DD}\stubpath = "C:\\Windows\\{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe"	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}	{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}\stubpath = "C:\\Windows\\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe"	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82471FE-E59B-4845-BA59-17796ABB768A}	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}\stubpath = "C:\\Windows\\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe"	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}\stubpath = "C:\\Windows\\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe"	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C617AA40-1F7A-4bce-8D83-BF3786507960}	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C617AA40-1F7A-4bce-8D83-BF3786507960}\stubpath = "C:\\Windows\\{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe"	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBA0214-2F60-412e-8C96-CDDAE556885A}	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}\stubpath = "C:\\Windows\\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe"	{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82471FE-E59B-4845-BA59-17796ABB768A}\stubpath = "C:\\Windows\\{C82471FE-E59B-4845-BA59-17796ABB768A}.exe"	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe

Executes dropped EXE 12 IoCs

pid	Process
2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
3692	{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
4300	{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
File created	C:\Windows\{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
File created	C:\Windows\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe	{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
File created	C:\Windows\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
File created	C:\Windows\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
File created	C:\Windows\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
File created	C:\Windows\{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
File created	C:\Windows\{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
File created	C:\Windows\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
File created	C:\Windows\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
File created	C:\Windows\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
File created	C:\Windows\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
Token: SeIncBasePriorityPrivilege	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
Token: SeIncBasePriorityPrivilege	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
Token: SeIncBasePriorityPrivilege	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
Token: SeIncBasePriorityPrivilege	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
Token: SeIncBasePriorityPrivilege	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
Token: SeIncBasePriorityPrivilege	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
Token: SeIncBasePriorityPrivilege	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
Token: SeIncBasePriorityPrivilege	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
Token: SeIncBasePriorityPrivilege	2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
Token: SeIncBasePriorityPrivilege	3692	{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2380	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	93
PID 4560 wrote to memory of 2380	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	93
PID 4560 wrote to memory of 2380	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	93
PID 4560 wrote to memory of 5084	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	94
PID 4560 wrote to memory of 5084	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	94
PID 4560 wrote to memory of 5084	4560	2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe	94
PID 2380 wrote to memory of 928	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	95
PID 2380 wrote to memory of 928	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	95
PID 2380 wrote to memory of 928	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	95
PID 2380 wrote to memory of 736	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	96
PID 2380 wrote to memory of 736	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	96
PID 2380 wrote to memory of 736	2380	{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe	96
PID 928 wrote to memory of 4436	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	99
PID 928 wrote to memory of 4436	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	99
PID 928 wrote to memory of 4436	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	99
PID 928 wrote to memory of 4908	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	100
PID 928 wrote to memory of 4908	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	100
PID 928 wrote to memory of 4908	928	{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe	100
PID 4436 wrote to memory of 1156	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	102
PID 4436 wrote to memory of 1156	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	102
PID 4436 wrote to memory of 1156	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	102
PID 4436 wrote to memory of 2624	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	103
PID 4436 wrote to memory of 2624	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	103
PID 4436 wrote to memory of 2624	4436	{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe	103
PID 1156 wrote to memory of 4916	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	104
PID 1156 wrote to memory of 4916	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	104
PID 1156 wrote to memory of 4916	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	104
PID 1156 wrote to memory of 1756	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	105
PID 1156 wrote to memory of 1756	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	105
PID 1156 wrote to memory of 1756	1156	{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe	105
PID 4916 wrote to memory of 3212	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	106
PID 4916 wrote to memory of 3212	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	106
PID 4916 wrote to memory of 3212	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	106
PID 4916 wrote to memory of 4564	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	107
PID 4916 wrote to memory of 4564	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	107
PID 4916 wrote to memory of 4564	4916	{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe	107
PID 3212 wrote to memory of 1388	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	108
PID 3212 wrote to memory of 1388	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	108
PID 3212 wrote to memory of 1388	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	108
PID 3212 wrote to memory of 4756	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	109
PID 3212 wrote to memory of 4756	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	109
PID 3212 wrote to memory of 4756	3212	{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe	109
PID 1388 wrote to memory of 4844	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	110
PID 1388 wrote to memory of 4844	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	110
PID 1388 wrote to memory of 4844	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	110
PID 1388 wrote to memory of 1732	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	111
PID 1388 wrote to memory of 1732	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	111
PID 1388 wrote to memory of 1732	1388	{C82471FE-E59B-4845-BA59-17796ABB768A}.exe	111
PID 4844 wrote to memory of 768	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	112
PID 4844 wrote to memory of 768	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	112
PID 4844 wrote to memory of 768	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	112
PID 4844 wrote to memory of 1288	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	113
PID 4844 wrote to memory of 1288	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	113
PID 4844 wrote to memory of 1288	4844	{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe	113
PID 768 wrote to memory of 2380	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	114
PID 768 wrote to memory of 2380	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	114
PID 768 wrote to memory of 2380	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	114
PID 768 wrote to memory of 2408	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	115
PID 768 wrote to memory of 2408	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	115
PID 768 wrote to memory of 2408	768	{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe	115
PID 2380 wrote to memory of 3692	2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe	116
PID 2380 wrote to memory of 3692	2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe	116
PID 2380 wrote to memory of 3692	2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe	116
PID 2380 wrote to memory of 3760	2380	{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_64124de5280f768f171f2d73632e45a4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
  C:\Windows\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
    C:\Windows\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
      C:\Windows\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
        
        C:\Windows\{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
        
        C:\Windows\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
        
        C:\Windows\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
        
        C:\Windows\{C82471FE-E59B-4845-BA59-17796ABB768A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
        
        C:\Windows\{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
        
        C:\Windows\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
        
        C:\Windows\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
        
        C:\Windows\{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe
        
        C:\Windows\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe
        13⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83292~1.EXE > nul
        13⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F91E~1.EXE > nul
        12⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E37FB~1.EXE > nul
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBA0~1.EXE > nul
        10⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8247~1.EXE > nul
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E095E~1.EXE > nul
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17261~1.EXE > nul
        7⤵
        
        PID:4564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C617A~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D39B1~1.EXE > nul
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E18F~1.EXE > nul
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC31~1.EXE > nul
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4140,i,7252135083366563450,1411796122645726339,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F91E709-D7DF-4b48-8A8B-E88CA6645005}.exe

Filesize
168KB

MD5
b3ea6152609c893d6b48d2058ecb2183

SHA1
06edaf9d8fc3832f4a7bb2e696c1af24ffe348ef

SHA256
38bc318944531b07745473c1e94a48bb161ea3d82b754d83cc6f41a3f14847c0

SHA512
f11f2eb12dae894b43eeb147b3ab45511fac856921046d37e3b1310373c77f97678f5810bdb7312af7a9a78619e180333a7c320be6afb3f3fb0b4b62df8dc80f

Download Submit
C:\Windows\{17261FFA-C7B1-418f-96EE-96884FA2ABA5}.exe

Filesize
168KB

MD5
cec5f0c140cf8b769a40f111c79a45d9

SHA1
446e193823ea1ffc824f41b27205754f64914db8

SHA256
74f8f234a21e2980d711fe448c28d08d245ae9a34fa97e5b2b02f04917c70ff4

SHA512
356fd1184efa6f076a58b50f6850a9c3f1c14479fe466697df8f3dd3a15b490e2a4997f2560e6b313e02c54fb7698461ffe686f8d63349f6f184537719fbe9c8

Download Submit
C:\Windows\{3FBA0214-2F60-412e-8C96-CDDAE556885A}.exe

Filesize
168KB

MD5
4503a3c92043bc1ba464865f09dd1630

SHA1
e5dfc66bcc91b4cf8fdc8f557cc70d95bcc37f5a

SHA256
aca8076bae23a9a2d3abfffcc934dc07e5f25f931afb06f781d925e89645d586

SHA512
2d9378d64007b9bda8fa27c118343520a71f59ff97350b2247fc12d8630208017f31eac7bbd3fb7c9a03a7cac47d5b1055ead3cf3a694aa673547560ed7bce9a

Download Submit
C:\Windows\{48C0E2B8-2B5A-4df4-938F-EAD4533BCE28}.exe

Filesize
168KB

MD5
0edf86acc479df54638814cb0ea506e0

SHA1
c504643e62867cc309f553c87d8a19b99769b3cd

SHA256
c9cc4b105df3d29cab113b5367396b2587f62638e83c275017fd6d502d8e4da4

SHA512
eda5e9cb07a677e91b4cb36143f403cd711ba3cc4123ce654e484b74ab505e2b71267de67f4b1475670d75e96d931012b4150130206347816d36b28085d41564

Download Submit
C:\Windows\{5FC31F59-56DA-4003-A38F-7F57119B2C2B}.exe

Filesize
168KB

MD5
8cfed288ede088e27cbcac0a8c2339cd

SHA1
ab4526d82475e1f27c772deb99edf230302f9699

SHA256
145fb10b9ad1e8ff63bb880a64f4677dd1b0800ea7a22bd502802236693bde68

SHA512
d5726d0f0318ffb882ded462e5d8aeaf93252aaac88c4bcc9b5f994a1d7d79660adcec9b2b7d37e33ed3b672fa39c9020af6833ec474b78860dfb2ada25f8f11

Download Submit
C:\Windows\{83292954-2BA7-42ed-AD62-DF42D200E6DD}.exe

Filesize
168KB

MD5
d34dfc55c110f232fd7aadd93ce71e3c

SHA1
678f0e1a50ad4eae55fedf00f2711c6718e31734

SHA256
2418975f9a1455e52fed00a0de70e6d1a8255d36110047584d1fcc9115b2fd86

SHA512
6849ef67864cccc0578811f5fc5cf77831e361064f13256749dbe20352b44589532691f2026441feb11c367f5ffb0a485270906ad927cae2974910a2285aec2c

Download Submit
C:\Windows\{9E18F799-1D53-4a2a-8DD6-766C2B33FA9B}.exe

Filesize
168KB

MD5
bf245608838c0b7812396df5a0fc12e0

SHA1
7161d73b4f89fd057d192e46345ec7f89193b176

SHA256
586712aafe7ed0f92e9efcf84927bcf03421b33620b55adf2ae38801bfeddc84

SHA512
30c52b3a042844f48a30ae52bd61815868ab8388bb8895f91ab0035e5ced6215e897f9d50fb7e727a50e34baae39f3083933f2f2ccf7de4538c2a055a47221d2

Download Submit
C:\Windows\{C617AA40-1F7A-4bce-8D83-BF3786507960}.exe

Filesize
168KB

MD5
3ad205c6c8cd8ea7a14fc5b922a32338

SHA1
21785faf5e009d36bb11081a7e5ab694f167d19e

SHA256
b31037dd42bc00ee2be3921268081f4520d3da8193a9e33d8fd8d0038794bc9a

SHA512
0aa7dc85c7ab432666d0fd18190923afc122f5768fc28676cd0397d4f4834ae3918e938f82a92f9e4adf701b18f92a042252e252ac01c8eea0c1ed5996ec41aa

Download Submit
C:\Windows\{C82471FE-E59B-4845-BA59-17796ABB768A}.exe

Filesize
168KB

MD5
b8b1f4173f40f49d66d1ba49cf02fc26

SHA1
63d6a6c140ba6034cd171bebbe678084286d278c

SHA256
e41ba3dcab3299de749a7be000a481779c624431bf8b1f1ba591bebcd58c73de

SHA512
ae5dd55e82b8671ec54b037324bd552708930954bb67db8dc42d0f2abc82e3631aaf3935a052bc94427ae91eb60f7ebea1f98f65823e5dcbaf7ec83aa7a9aadc

Download Submit
C:\Windows\{D39B1CB0-0A1D-41b3-94C9-ADAB1955DFFC}.exe

Filesize
168KB

MD5
92db2bc2eb891f06f1a2ac5d61b281e2

SHA1
1bc0fa537af60d8b8c8849e2228ca7fc4760a518

SHA256
fc256e60c7c4fe95fb8147b56c6713905bbf66e486a7cf9fddecddc2f6b83d1d

SHA512
b4ba98dabce9b1ca622fe2b1b7370fd9eaad94a6f32a49dbe7eca9fc0efa6e814652f757f7629e7efb0a5e70a9f47a571d8d2a13b0416c4a402fe845c76dc188

Download Submit
C:\Windows\{E095E4AF-C6E8-49b2-9878-24C10574D9D8}.exe

Filesize
168KB

MD5
9cd658ec927635381eb2b91ef24ff877

SHA1
d70f5719cfd24eaad4ee52ac61ea27218093c667

SHA256
620100e5b04422f55b392651c7f2d87f32d4bbb99e414808defe967af70bc8c8

SHA512
3834d0f60df11c96714a500d2495ea08fbb100693c97e03fb44d2997563ef212db281399c503c10774270df9ec489fa2878bccd26a6a0350cadca61626984bc2

Download Submit
C:\Windows\{E37FBD05-0F57-4df3-B2BF-DBF805954DA0}.exe

Filesize
168KB

MD5
eddfe497710dde16515559a52264836d

SHA1
17bd1f57b72c8366cd54d3c6e895db223f4745f6

SHA256
b9a0b4220bf3b903362640596807d30199acb684830e8c6cdf111af350f12983

SHA512
4eb23920b76bdbe71fe961747ffba8abf9e17dfe45b104a64a0bfa035df17cc19d7793f567741dbc6fa5417d425dc3450d5a8542e7ebcaede8a2edf8a45dedd9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads