22dbce52e908097a2be5622b9a82dcaa0b63fea5a3921f8fe642c726518c8d1f

Analysis

max time kernel
158s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Size

344KB
MD5

6af43a5f2ce142a75703da365acb32a8
SHA1

3ac041723f68fbdf094fdb376165ead8c3899dbe
SHA256

22dbce52e908097a2be5622b9a82dcaa0b63fea5a3921f8fe642c726518c8d1f
SHA512

b0665b635a7d6cfc5a7139367d83fb742e21420d33b7b9301319ebebcaf56f8a3c7057dabc45a5bfc462d9c360638dfecc42409dbc48bf46c0ae9c28d6654eba
SSDEEP

3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023270-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023278-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023281-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023278-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023281-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023278-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022cfb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d06-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022cfb-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022d06-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56ACF31-FA10-431e-889B-B418D24CCC93}	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF9DE470-99C4-42db-800B-7AFDB849DA37}	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B564612A-6E6A-400d-93D6-0A2D9B027380}	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B564612A-6E6A-400d-93D6-0A2D9B027380}\stubpath = "C:\\Windows\\{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe"	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D391023-1118-4b16-B43D-65573DF4E843}\stubpath = "C:\\Windows\\{7D391023-1118-4b16-B43D-65573DF4E843}.exe"	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}\stubpath = "C:\\Windows\\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe"	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D391023-1118-4b16-B43D-65573DF4E843}	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAB07233-9689-486d-8D2A-F551DC2BD46A}	{7D391023-1118-4b16-B43D-65573DF4E843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}\stubpath = "C:\\Windows\\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe"	{86EC5CED-2E70-405a-8415-8D668A391215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56ACF31-FA10-431e-889B-B418D24CCC93}\stubpath = "C:\\Windows\\{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe"	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0549F5E1-2964-4170-9ADA-482E117234F7}	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0549F5E1-2964-4170-9ADA-482E117234F7}\stubpath = "C:\\Windows\\{0549F5E1-2964-4170-9ADA-482E117234F7}.exe"	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}\stubpath = "C:\\Windows\\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe"	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EC5CED-2E70-405a-8415-8D668A391215}	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}	{86EC5CED-2E70-405a-8415-8D668A391215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF9DE470-99C4-42db-800B-7AFDB849DA37}\stubpath = "C:\\Windows\\{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe"	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAB07233-9689-486d-8D2A-F551DC2BD46A}\stubpath = "C:\\Windows\\{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe"	{7D391023-1118-4b16-B43D-65573DF4E843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EC5CED-2E70-405a-8415-8D668A391215}\stubpath = "C:\\Windows\\{86EC5CED-2E70-405a-8415-8D668A391215}.exe"	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe

Executes dropped EXE 10 IoCs

pid	Process
3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe
1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe
3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe
3428	{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
File created	C:\Windows\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	{86EC5CED-2E70-405a-8415-8D668A391215}.exe
File created	C:\Windows\{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
File created	C:\Windows\{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
File created	C:\Windows\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
File created	C:\Windows\{7D391023-1118-4b16-B43D-65573DF4E843}.exe	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
File created	C:\Windows\{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	{7D391023-1118-4b16-B43D-65573DF4E843}.exe
File created	C:\Windows\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
File created	C:\Windows\{86EC5CED-2E70-405a-8415-8D668A391215}.exe	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
File created	C:\Windows\{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
Token: SeIncBasePriorityPrivilege	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
Token: SeIncBasePriorityPrivilege	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe
Token: SeIncBasePriorityPrivilege	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
Token: SeIncBasePriorityPrivilege	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
Token: SeIncBasePriorityPrivilege	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe
Token: SeIncBasePriorityPrivilege	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
Token: SeIncBasePriorityPrivilege	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
Token: SeIncBasePriorityPrivilege	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3232	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	104
PID 4512 wrote to memory of 3232	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	104
PID 4512 wrote to memory of 3232	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	104
PID 4512 wrote to memory of 2800	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	105
PID 4512 wrote to memory of 2800	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	105
PID 4512 wrote to memory of 2800	4512	2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe	105
PID 3232 wrote to memory of 868	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	111
PID 3232 wrote to memory of 868	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	111
PID 3232 wrote to memory of 868	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	111
PID 3232 wrote to memory of 4312	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	112
PID 3232 wrote to memory of 4312	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	112
PID 3232 wrote to memory of 4312	3232	{0549F5E1-2964-4170-9ADA-482E117234F7}.exe	112
PID 868 wrote to memory of 1268	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	115
PID 868 wrote to memory of 1268	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	115
PID 868 wrote to memory of 1268	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	115
PID 868 wrote to memory of 1580	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	116
PID 868 wrote to memory of 1580	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	116
PID 868 wrote to memory of 1580	868	{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe	116
PID 1268 wrote to memory of 1840	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	117
PID 1268 wrote to memory of 1840	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	117
PID 1268 wrote to memory of 1840	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	117
PID 1268 wrote to memory of 2040	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	118
PID 1268 wrote to memory of 2040	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	118
PID 1268 wrote to memory of 2040	1268	{7D391023-1118-4b16-B43D-65573DF4E843}.exe	118
PID 1840 wrote to memory of 1868	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	120
PID 1840 wrote to memory of 1868	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	120
PID 1840 wrote to memory of 1868	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	120
PID 1840 wrote to memory of 4600	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	121
PID 1840 wrote to memory of 4600	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	121
PID 1840 wrote to memory of 4600	1840	{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe	121
PID 1868 wrote to memory of 1452	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	122
PID 1868 wrote to memory of 1452	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	122
PID 1868 wrote to memory of 1452	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	122
PID 1868 wrote to memory of 1288	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	123
PID 1868 wrote to memory of 1288	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	123
PID 1868 wrote to memory of 1288	1868	{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe	123
PID 1452 wrote to memory of 3180	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	124
PID 1452 wrote to memory of 3180	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	124
PID 1452 wrote to memory of 3180	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	124
PID 1452 wrote to memory of 1256	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	125
PID 1452 wrote to memory of 1256	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	125
PID 1452 wrote to memory of 1256	1452	{86EC5CED-2E70-405a-8415-8D668A391215}.exe	125
PID 3180 wrote to memory of 2652	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	133
PID 3180 wrote to memory of 2652	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	133
PID 3180 wrote to memory of 2652	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	133
PID 3180 wrote to memory of 1892	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	134
PID 3180 wrote to memory of 1892	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	134
PID 3180 wrote to memory of 1892	3180	{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe	134
PID 2652 wrote to memory of 3828	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	135
PID 2652 wrote to memory of 3828	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	135
PID 2652 wrote to memory of 3828	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	135
PID 2652 wrote to memory of 4424	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	136
PID 2652 wrote to memory of 4424	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	136
PID 2652 wrote to memory of 4424	2652	{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe	136
PID 3828 wrote to memory of 3428	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	137
PID 3828 wrote to memory of 3428	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	137
PID 3828 wrote to memory of 3428	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	137
PID 3828 wrote to memory of 4664	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	138
PID 3828 wrote to memory of 4664	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	138
PID 3828 wrote to memory of 4664	3828	{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_6af43a5f2ce142a75703da365acb32a8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
  C:\Windows\{0549F5E1-2964-4170-9ADA-482E117234F7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
    C:\Windows\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\{7D391023-1118-4b16-B43D-65573DF4E843}.exe
      C:\Windows\{7D391023-1118-4b16-B43D-65573DF4E843}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
        
        C:\Windows\{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
        
        C:\Windows\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{86EC5CED-2E70-405a-8415-8D668A391215}.exe
        
        C:\Windows\{86EC5CED-2E70-405a-8415-8D668A391215}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
        
        C:\Windows\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
        
        C:\Windows\{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe
        
        C:\Windows\{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe
        
        C:\Windows\{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe
        11⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF9DE~1.EXE > nul
        11⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F56AC~1.EXE > nul
        10⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E51C8~1.EXE > nul
        9⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86EC5~1.EXE > nul
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAF2~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAB07~1.EXE > nul
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D391~1.EXE > nul
        5⤵
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDF7~1.EXE > nul
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0549F~1.EXE > nul
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0549F5E1-2964-4170-9ADA-482E117234F7}.exe

Filesize
344KB

MD5
c0b113b6a1e107dcd3c1ee389bedb520

SHA1
a3bb40d108a8c872fd621db250e02be892697508

SHA256
24e5f8d7223b248eb5cf7bf725fd347e6cc55dff3a085ff74bc57558ff385c0c

SHA512
212bc3a22542e1e6df089da02454be3e73214f17753d741d3a16105d934ec104b1c68b020404a8881d84040a210ebde684013a1949b48e30d315e2427f2c7b8d

Download Submit
C:\Windows\{7D391023-1118-4b16-B43D-65573DF4E843}.exe

Filesize
344KB

MD5
96b523eeb95fabc129cca0ef8697288f

SHA1
29e085d55eacf6786d5c9e01a75e7ba8c6f755fa

SHA256
62eb5e7a2a2f20b4964bcf48707e1ce78fd1f2f7f3453e8a98345fa018daf048

SHA512
dfd0cff062725c50fa0e0fba011c3be7899fea1d9010dd2fc6d9736118199928a1315156c04e887aaab70b244e7fb1c9b023e51bbd6271c9d9aa36bfd719ddea

Download Submit
C:\Windows\{86EC5CED-2E70-405a-8415-8D668A391215}.exe

Filesize
344KB

MD5
d479accc2c6ef9c431b80de697ad85e5

SHA1
25cac8dc2eb759846a2f400b5cdc1dd8f03adc0d

SHA256
b4998a37419b22386e34fdad558a5e6e93fa3a9b1e0383e8ab4e3bff602ca511

SHA512
7df9982b363b73ec69e1beab167e99f8c0e4538fb87aac0d56bbb191bc519fc3e642ea4afdea138be5e34afaffff3834b363f2379e8e31a16c36a0aff0ee6012

Download Submit
C:\Windows\{B564612A-6E6A-400d-93D6-0A2D9B027380}.exe

Filesize
344KB

MD5
749180b8c9a68dae4f3a1afe14076fee

SHA1
76e1f9c9586340a5cb316ed98cae71109ad7e8eb

SHA256
78e93798829f28d9915a23e587d86c4c5404a2da356564fe63641911b18f1ed5

SHA512
9dcb472391294138ca10c2ef4fbb5479be575cb3d77911fa4b3cf656928203df63d7503b42f7a8583c4254433102f01a9ee15ea3ecff0ed418ac18d7a2cd39ac

Download Submit
C:\Windows\{CFAF24EB-1930-465a-B4E2-2F0A25CFA4F6}.exe

Filesize
344KB

MD5
205c59597581b00bcbc485e8cc3d48d3

SHA1
89180d3fc5b4e8b64c977594100c0f3e43104aa7

SHA256
0fe7949c6f59225606c30f42a1c5420fd0168e73106b234aa9f4bec527287122

SHA512
b11d15294352c853d84b9c73c1d28adf59513ddf0bc65083ddb521a257c4948ecebd7612cfa1b3ad26eaddd1699a3d7665eccb55ec30acdca9f97f344c383efc

Download Submit
C:\Windows\{DAB07233-9689-486d-8D2A-F551DC2BD46A}.exe

Filesize
344KB

MD5
20313f46762037b055a641bc0b8fbf99

SHA1
650de8cee6ba8040886b1dccc6ad54da56cf371c

SHA256
d53a2bd33646fdfa34af05bba9429d5a04bc46db09b5269183bb8429366bb09b

SHA512
942423f8f41e9c2985f21b523657a8fec4d7ca9756b8145578058518bce4184e087536fe581917a372ed8a8b5de25177176c24096266ccbfcfa7196c645cbe55

Download Submit
C:\Windows\{DBDF7378-FBBA-4d4b-B285-4D2D8AE6DC47}.exe

Filesize
344KB

MD5
4f9587141adc89377309db3cd5f53bc3

SHA1
a7d559cc103d249b5173e262b68cb4b9f53839b2

SHA256
30fcdd51db6bcdde9763d8dce11efbd8c2870445051999810d56d692a2d8e2de

SHA512
b82b799fc00730aafc5643f260fbdf4304c5224e8b0a8a69a4053002cc9b309a37e5b21f21e601d404241039db286d61b19c4de115dce1d307b00e8f4c4ececb

Download Submit
C:\Windows\{E51C875B-68EB-434f-ADDE-9E1A06AB7F77}.exe

Filesize
344KB

MD5
551caa5fb5d46db8c11cfea5817c9046

SHA1
4d0fcac5735bbcdbd61986b132c11f19e47782b7

SHA256
37fb3c78b36f46220d91e3a5187e2245a23b2b988ad09d3d0f5e0d00d585e53e

SHA512
bf9172382f6d70b6af6498e3a41925c80bdb3190c5906a77bad250071700eb41e51b754ba2370b522cb7fdb93bce44b60cd61fd2558d98ca438b817cf417e380

Download Submit
C:\Windows\{F56ACF31-FA10-431e-889B-B418D24CCC93}.exe

Filesize
344KB

MD5
6025de76892e0a852abcfe603063dba2

SHA1
842966fc26fcd6df1c1cd1324c21440b91da3dbc

SHA256
ab7cd7a6736861406adf7b1d8897c8576bc18300181034f36f6a685b99070f14

SHA512
b755480474df9ebfadc03974e0063d3b5ecb89cae083a6e79f63ed4dbc44bc8999c711d4cea092d46eea93c4cf3b7b1b0022f08d763f596e786aa20bcc8b9169

Download Submit
C:\Windows\{FF9DE470-99C4-42db-800B-7AFDB849DA37}.exe

Filesize
344KB

MD5
fff2ab385d6171b2a89e5cd852c82aa8

SHA1
485c6472ee921adabfa160ddbdc92d0939794418

SHA256
81f784b7c1ee75cf105f16fde697c5fafc37aedad128363643111a5cf6a4a658

SHA512
3941d7068b3b529e415bda6187875d5ab7f2d71a2c5f3255447c53eb2471ad751c9d343c2398047377bd69ffd4909c3d3109659e54439b807a45b3c44a2d4c0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads