26a13d6724316956f4540be79a84ce39c8401fcce2e6b7d809aad7e454098928

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
Size

168KB
MD5

5eb662982d5cbb00fbf1ed50404ff6b0
SHA1

4a68536a6a3f7f3970a019fac54a52db13843120
SHA256

26a13d6724316956f4540be79a84ce39c8401fcce2e6b7d809aad7e454098928
SHA512

51c2ca33e7455108759d6464743d6a47ce7e8ae03ff4cf08077c54383933c5f52ed5d4b8d066f35e4fc27068af870b6e5db21af9418e0259cdbfc74c93ffd31c
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023249-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023265-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002311e-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002311e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002326c-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002311e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023276-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d0c-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022dae-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}\stubpath = "C:\\Windows\\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe"	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53240413-AE5E-4916-85AB-F2F21DF653C6}\stubpath = "C:\\Windows\\{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe"	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B13B3443-91E9-4ab8-8601-F09708722804}	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}\stubpath = "C:\\Windows\\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe"	{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}\stubpath = "C:\\Windows\\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe"	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B1EECEA-862A-48f5-8350-EEFA19916326}	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}\stubpath = "C:\\Windows\\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe"	{B13B3443-91E9-4ab8-8601-F09708722804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}\stubpath = "C:\\Windows\\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe"	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}	{012D2CF6-8C62-4136-B045-F1157104316F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}\stubpath = "C:\\Windows\\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe"	{012D2CF6-8C62-4136-B045-F1157104316F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}	{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D94537-91E0-487a-842E-C2A1999E4730}\stubpath = "C:\\Windows\\{D3D94537-91E0-487a-842E-C2A1999E4730}.exe"	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110F5C28-210A-4519-A8CD-C960EF54201A}	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{110F5C28-210A-4519-A8CD-C960EF54201A}\stubpath = "C:\\Windows\\{110F5C28-210A-4519-A8CD-C960EF54201A}.exe"	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012D2CF6-8C62-4136-B045-F1157104316F}\stubpath = "C:\\Windows\\{012D2CF6-8C62-4136-B045-F1157104316F}.exe"	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B13B3443-91E9-4ab8-8601-F09708722804}\stubpath = "C:\\Windows\\{B13B3443-91E9-4ab8-8601-F09708722804}.exe"	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D94537-91E0-487a-842E-C2A1999E4730}	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012D2CF6-8C62-4136-B045-F1157104316F}	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B1EECEA-862A-48f5-8350-EEFA19916326}\stubpath = "C:\\Windows\\{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe"	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53240413-AE5E-4916-85AB-F2F21DF653C6}	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}	{B13B3443-91E9-4ab8-8601-F09708722804}.exe

Executes dropped EXE 12 IoCs

pid	Process
4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe
4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe
5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
4656	{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
3792	{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{012D2CF6-8C62-4136-B045-F1157104316F}.exe	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
File created	C:\Windows\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	{012D2CF6-8C62-4136-B045-F1157104316F}.exe
File created	C:\Windows\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
File created	C:\Windows\{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
File created	C:\Windows\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
File created	C:\Windows\{B13B3443-91E9-4ab8-8601-F09708722804}.exe	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
File created	C:\Windows\{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
File created	C:\Windows\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
File created	C:\Windows\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe	{B13B3443-91E9-4ab8-8601-F09708722804}.exe
File created	C:\Windows\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe	{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
File created	C:\Windows\{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
File created	C:\Windows\{D3D94537-91E0-487a-842E-C2A1999E4730}.exe	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
Token: SeIncBasePriorityPrivilege	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
Token: SeIncBasePriorityPrivilege	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe
Token: SeIncBasePriorityPrivilege	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
Token: SeIncBasePriorityPrivilege	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
Token: SeIncBasePriorityPrivilege	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
Token: SeIncBasePriorityPrivilege	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
Token: SeIncBasePriorityPrivilege	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
Token: SeIncBasePriorityPrivilege	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe
Token: SeIncBasePriorityPrivilege	5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
Token: SeIncBasePriorityPrivilege	4656	{D3D94537-91E0-487a-842E-C2A1999E4730}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4288	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	104
PID 4948 wrote to memory of 4288	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	104
PID 4948 wrote to memory of 4288	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	104
PID 4948 wrote to memory of 4000	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	105
PID 4948 wrote to memory of 4000	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	105
PID 4948 wrote to memory of 4000	4948	2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe	105
PID 4288 wrote to memory of 3400	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	109
PID 4288 wrote to memory of 3400	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	109
PID 4288 wrote to memory of 3400	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	109
PID 4288 wrote to memory of 3900	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	110
PID 4288 wrote to memory of 3900	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	110
PID 4288 wrote to memory of 3900	4288	{110F5C28-210A-4519-A8CD-C960EF54201A}.exe	110
PID 3400 wrote to memory of 412	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	112
PID 3400 wrote to memory of 412	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	112
PID 3400 wrote to memory of 412	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	112
PID 3400 wrote to memory of 2800	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	113
PID 3400 wrote to memory of 2800	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	113
PID 3400 wrote to memory of 2800	3400	{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe	113
PID 412 wrote to memory of 4088	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	116
PID 412 wrote to memory of 4088	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	116
PID 412 wrote to memory of 4088	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	116
PID 412 wrote to memory of 4336	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	117
PID 412 wrote to memory of 4336	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	117
PID 412 wrote to memory of 4336	412	{012D2CF6-8C62-4136-B045-F1157104316F}.exe	117
PID 4088 wrote to memory of 3488	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	118
PID 4088 wrote to memory of 3488	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	118
PID 4088 wrote to memory of 3488	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	118
PID 4088 wrote to memory of 2556	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	119
PID 4088 wrote to memory of 2556	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	119
PID 4088 wrote to memory of 2556	4088	{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe	119
PID 3488 wrote to memory of 3828	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	120
PID 3488 wrote to memory of 3828	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	120
PID 3488 wrote to memory of 3828	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	120
PID 3488 wrote to memory of 1616	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	121
PID 3488 wrote to memory of 1616	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	121
PID 3488 wrote to memory of 1616	3488	{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe	121
PID 3828 wrote to memory of 700	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	123
PID 3828 wrote to memory of 700	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	123
PID 3828 wrote to memory of 700	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	123
PID 3828 wrote to memory of 752	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	124
PID 3828 wrote to memory of 752	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	124
PID 3828 wrote to memory of 752	3828	{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe	124
PID 700 wrote to memory of 1068	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	125
PID 700 wrote to memory of 1068	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	125
PID 700 wrote to memory of 1068	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	125
PID 700 wrote to memory of 412	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	126
PID 700 wrote to memory of 412	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	126
PID 700 wrote to memory of 412	700	{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe	126
PID 1068 wrote to memory of 4420	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	130
PID 1068 wrote to memory of 4420	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	130
PID 1068 wrote to memory of 4420	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	130
PID 1068 wrote to memory of 3112	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	131
PID 1068 wrote to memory of 3112	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	131
PID 1068 wrote to memory of 3112	1068	{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe	131
PID 4420 wrote to memory of 5068	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	137
PID 4420 wrote to memory of 5068	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	137
PID 4420 wrote to memory of 5068	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	137
PID 4420 wrote to memory of 1080	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	138
PID 4420 wrote to memory of 1080	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	138
PID 4420 wrote to memory of 1080	4420	{B13B3443-91E9-4ab8-8601-F09708722804}.exe	138
PID 5068 wrote to memory of 4656	5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe	139
PID 5068 wrote to memory of 4656	5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe	139
PID 5068 wrote to memory of 4656	5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe	139
PID 5068 wrote to memory of 2240	5068	{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe	140

C:\Users\Admin\AppData\Local\Temp\2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_5eb662982d5cbb00fbf1ed50404ff6b0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
  C:\Windows\{110F5C28-210A-4519-A8CD-C960EF54201A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
    C:\Windows\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\{012D2CF6-8C62-4136-B045-F1157104316F}.exe
      C:\Windows\{012D2CF6-8C62-4136-B045-F1157104316F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
        
        C:\Windows\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
        
        C:\Windows\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
        
        C:\Windows\{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
        
        C:\Windows\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
        
        C:\Windows\{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{B13B3443-91E9-4ab8-8601-F09708722804}.exe
        
        C:\Windows\{B13B3443-91E9-4ab8-8601-F09708722804}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
        
        C:\Windows\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
        
        C:\Windows\{D3D94537-91E0-487a-842E-C2A1999E4730}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe
        
        C:\Windows\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe
        13⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D94~1.EXE > nul
        13⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59335~1.EXE > nul
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B13B3~1.EXE > nul
        11⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53240~1.EXE > nul
        10⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCCAD~1.EXE > nul
        9⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B1EE~1.EXE > nul
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B962~1.EXE > nul
        7⤵
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44ECA~1.EXE > nul
        6⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{012D2~1.EXE > nul
        5⤵
        
        PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A56ED~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{110F5~1.EXE > nul
    3⤵
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{012D2CF6-8C62-4136-B045-F1157104316F}.exe

Filesize
168KB

MD5
eb4fab570f20d9324f2e7654b7639fed

SHA1
538d182ea8931b047797ffce6e30c657693f6f4d

SHA256
ee6ca25d91f5d1825dc578a4fb4a335b050c7f4e0e3cce9945e7cc88aca6c4cc

SHA512
de1c1628d8d77c6de6d3c99fcffdc6876c74f2f33e3ea20cebaf663ade1ee84e0786cf2d27b59e54c40a9edcf26d545df37f767b1eadd3dd9bd0d7d4f0fb25ff

Download Submit
C:\Windows\{0B1EECEA-862A-48f5-8350-EEFA19916326}.exe

Filesize
168KB

MD5
66f86a095ed597081bfa799c52c5b5f7

SHA1
fb437f69f8396c633dc7741c2db520c5fcefd940

SHA256
f68a9de8a7abb2e2050b292d5e2925565a95848014e7eae3659dde763ac185cb

SHA512
cfb0181d1612daa4337b374355f631ef83f69370944db1d3748274673d08a027c539269da4bc3f352490442c76d4cbd8bb7571e4f02b676fe42ae8478cc418c2

Download Submit
C:\Windows\{110F5C28-210A-4519-A8CD-C960EF54201A}.exe

Filesize
168KB

MD5
c1d9670644aff1255e570012d1514be9

SHA1
db7a0ee10716826bc41ef42abb0b5084c9f4d704

SHA256
04cbbbf3076f6c1eac20f0c2a22900a3126644eea10c080b047ac08b553f5d26

SHA512
222aea77c481990892b563d8101297a47503859d654ae6960733e37897f5ed4d98553d0212cbc4e028fa4de9f57c012fdeb7fc279e100a3f0aef5aca7e664c6d

Download Submit
C:\Windows\{2B962708-8F5D-495a-BF7F-DBD6C534EC86}.exe

Filesize
168KB

MD5
265c8b820b4e222afe5c342e27e631b6

SHA1
fc5a98e09c3b8c549b447f66e8b5b2295dcb4a77

SHA256
72a745f2b36e1aa4e464287d67441d70c21abaa3dbd2665c257f27da385c76f4

SHA512
1e7dd1c89a3423c678bccb8841c86908e171f866305cea1419a6d9cd5fb3d9f9597c0697fb17532f4d032df5acfc40e336b7125145b47786a855a8cb43bc9691

Download Submit
C:\Windows\{44ECA517-14B6-440a-B2EB-FE54BFF931D3}.exe

Filesize
168KB

MD5
7d1f31b3a39b39b49e4c0945c2bb08ac

SHA1
0dcbc56aabcd76d210800bfd0cab65403160d8cf

SHA256
28f8ad25c7ae667d6c42bd91552abdcede34a61b7c91e50cc3cfb146df74dee1

SHA512
18e7a0848f7ad3bf7c61ae542c1e20502fb06db7bd8a30609ec575ebad4305f180ca0bff01ec2932726bf1690336f166d3aac7e465804cd4c10eda4942c89d2f

Download Submit
C:\Windows\{53240413-AE5E-4916-85AB-F2F21DF653C6}.exe

Filesize
168KB

MD5
06c1adb2c9c16b9e075294f81d0e03df

SHA1
2fd78d23da5472340d2495d01374fd4d4bfd1e1b

SHA256
8ea4e9a863e16f3aa4e6a86926e3b5561465cd1d3c9bd49d0fee99ad37280382

SHA512
f7dfddefd480fcc47755268b7b127eff3bdd7cfcb152352a30607a8af7b16e8a02ca5c282ebf7846c31a973f0287dadf7c8c076553d694e0400c1f989474bb75

Download Submit
C:\Windows\{59335C8A-091C-43cb-AE0D-B0C92663D9E8}.exe

Filesize
168KB

MD5
be46b66c39d2aa218b86d849f0b1a937

SHA1
7c41b20782bcd07292e5ce3c24cbd05300650ebb

SHA256
6812c52755be0db4dda2a7f01647421d42f8ccf0b3dc731a282a2b555ecde9e4

SHA512
34b49d5d31e688f267ec14b9c755ed230eb65ba371b23b4db56770f8f144be72dfb84f6d9ff85c07b73eb7f09a79af8ea939acfff0762429c2660dcf100d43de

Download Submit
C:\Windows\{A56ED6F3-40EA-4e85-B97D-F2F23AC84284}.exe

Filesize
168KB

MD5
4cf4ac01240f51f97d12016657bf3430

SHA1
6577e192cd1d8bf7fe8e2b9bfd15be6727dff8e9

SHA256
d0d5506737d5746b5c42b3c3cee562d9f2a9b20d780b97984ed08f5cd408c365

SHA512
b85a86d8956f48438a10144df3d25866784dde1db514264fe5f1b57965bedb6d7a4c6cebc904b3d1db7a73d1ea4076057d11a25e85d91023f3be8611a30ac7c7

Download Submit
C:\Windows\{B13B3443-91E9-4ab8-8601-F09708722804}.exe

Filesize
168KB

MD5
89284571a4ea06fcc24cbb0f67a63b9b

SHA1
8a140c2d5c3f5c84afec09135ebb51cc25a931a4

SHA256
a7379919a011adb615fa73cefc8d3937aab91af7eb51f2e07e482a57713ed382

SHA512
a58a6bae88bc31fc2d76aef4f73bcb4a770d7df2f7641bd250b3ecb2fc0bdfcf540afe0a9386aaec461aa9594c02439eef20986b767acca0c74f04565500b336

Download Submit
C:\Windows\{CCCADD14-625C-454a-A9E7-BF0916BB86D1}.exe

Filesize
168KB

MD5
d64deea93f1d07ae9f64c9c3d31b1e2b

SHA1
2cc86f21781f7a3488a3611058ac82c30d11e103

SHA256
93930296fdae60e3287866f2d36a1a128da9ce7bf04cc8dd99aca2153fed94e9

SHA512
2e1751b14bc9f6200fd1c85f17ec0735aee1da0a166e7f8f039502c558781782fab6688119647fe403ab5a5bd54cfbacc75ae8fd2497ae49dd73aae7765424f9

Download Submit
C:\Windows\{D3D94537-91E0-487a-842E-C2A1999E4730}.exe

Filesize
168KB

MD5
221a3a8bf3ea553029318c84cfd3b156

SHA1
b01e87cd75cfceebdaf3d04ad34ef92fcba7fb12

SHA256
8dc14da7bbac7533e803a8415818c048405cdf47f2217eb64626fc15ee5a9363

SHA512
7e3618a2e863f12e57fe31e4b51c2457aca9885a6e7b3d1c6bf08bcf4f6d7084fcebf7cf0b41813bebf62f5d43dbcce8d422ada19fdd26a0b2452adcd7e4b34c

Download Submit
C:\Windows\{FFF35614-DA3A-442b-912B-3F1DFDBB33A0}.exe

Filesize
168KB

MD5
b80768498098fdef386a65ef8d472ca3

SHA1
7aaecb31f74a912c462595f81ef1a90586543806

SHA256
7227589d37198341a594d905e13c312069f66ca35e6a141fd305aff116e7a44e

SHA512
2f6fe5c2535ac77f23e89e3c65f65894b74805e6bc37e0694a4a6aa523070456fb4515699e7186713b1304dba3296c4011efc03b3e421b31e7f75d76e9bb2327

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads