638f540e1aafdd9366176599556ab5741bca3a7ce97a101d2e6a415a21993c9a

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Size

344KB
MD5

013d27dac742e27278a05905184d6ba7
SHA1

8e44bc1bf997f4244667aec72beb5d665301d964
SHA256

638f540e1aafdd9366176599556ab5741bca3a7ce97a101d2e6a415a21993c9a
SHA512

e9dce493c6b3cd8024a11e37bcbbbf417f6605b4e8dca592f38fe7fab291c47884240fc8952d54e0425f53e1c0513707c4316fa76fc16c9b09d507fa7ecefb14
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGQlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023317-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002330b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230cc-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002330b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e58d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002330b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e58d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001700000002330b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000226c1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000230bc-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000230d1-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}\stubpath = "C:\\Windows\\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe"	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C6B3CE-6739-454b-84C8-9EE07A37758F}\stubpath = "C:\\Windows\\{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe"	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84B1C49-270F-45e4-89CD-5B419710CF01}	{A97608E0-F962-42ab-B012-A27D0459282B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286A139B-D7F2-4262-80B9-0A866784A5C8}	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}\stubpath = "C:\\Windows\\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe"	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48597134-3300-4d79-BBBF-12DB910C2970}	{32CE0948-7689-484e-AB88-156BE64F3324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{089B1307-FFFF-457d-8E6C-8357C4097285}\stubpath = "C:\\Windows\\{089B1307-FFFF-457d-8E6C-8357C4097285}.exe"	{48597134-3300-4d79-BBBF-12DB910C2970}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A97608E0-F962-42ab-B012-A27D0459282B}	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A97608E0-F962-42ab-B012-A27D0459282B}\stubpath = "C:\\Windows\\{A97608E0-F962-42ab-B012-A27D0459282B}.exe"	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32CE0948-7689-484e-AB88-156BE64F3324}	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32CE0948-7689-484e-AB88-156BE64F3324}\stubpath = "C:\\Windows\\{32CE0948-7689-484e-AB88-156BE64F3324}.exe"	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65004336-C708-48fe-8C92-E321DDCFA7CF}	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{089B1307-FFFF-457d-8E6C-8357C4097285}	{48597134-3300-4d79-BBBF-12DB910C2970}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84B1C49-270F-45e4-89CD-5B419710CF01}\stubpath = "C:\\Windows\\{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe"	{A97608E0-F962-42ab-B012-A27D0459282B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}\stubpath = "C:\\Windows\\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe"	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65004336-C708-48fe-8C92-E321DDCFA7CF}\stubpath = "C:\\Windows\\{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe"	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286A139B-D7F2-4262-80B9-0A866784A5C8}\stubpath = "C:\\Windows\\{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe"	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48597134-3300-4d79-BBBF-12DB910C2970}\stubpath = "C:\\Windows\\{48597134-3300-4d79-BBBF-12DB910C2970}.exe"	{32CE0948-7689-484e-AB88-156BE64F3324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C6B3CE-6739-454b-84C8-9EE07A37758F}	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe
4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe
2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe
2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
3936	{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{48597134-3300-4d79-BBBF-12DB910C2970}.exe	{32CE0948-7689-484e-AB88-156BE64F3324}.exe
File created	C:\Windows\{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	{48597134-3300-4d79-BBBF-12DB910C2970}.exe
File created	C:\Windows\{A97608E0-F962-42ab-B012-A27D0459282B}.exe	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
File created	C:\Windows\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
File created	C:\Windows\{32CE0948-7689-484e-AB88-156BE64F3324}.exe	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
File created	C:\Windows\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
File created	C:\Windows\{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
File created	C:\Windows\{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	{A97608E0-F962-42ab-B012-A27D0459282B}.exe
File created	C:\Windows\{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
File created	C:\Windows\{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
File created	C:\Windows\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
Token: SeIncBasePriorityPrivilege	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
Token: SeIncBasePriorityPrivilege	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe
Token: SeIncBasePriorityPrivilege	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe
Token: SeIncBasePriorityPrivilege	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
Token: SeIncBasePriorityPrivilege	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
Token: SeIncBasePriorityPrivilege	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe
Token: SeIncBasePriorityPrivilege	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
Token: SeIncBasePriorityPrivilege	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
Token: SeIncBasePriorityPrivilege	4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2376	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	106
PID 3544 wrote to memory of 2376	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	106
PID 3544 wrote to memory of 2376	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	106
PID 3544 wrote to memory of 1796	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	107
PID 3544 wrote to memory of 1796	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	107
PID 3544 wrote to memory of 1796	3544	2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe	107
PID 2376 wrote to memory of 4464	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	108
PID 2376 wrote to memory of 4464	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	108
PID 2376 wrote to memory of 4464	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	108
PID 2376 wrote to memory of 4512	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	109
PID 2376 wrote to memory of 4512	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	109
PID 2376 wrote to memory of 4512	2376	{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe	109
PID 4464 wrote to memory of 4832	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	112
PID 4464 wrote to memory of 4832	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	112
PID 4464 wrote to memory of 4832	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	112
PID 4464 wrote to memory of 2684	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	113
PID 4464 wrote to memory of 2684	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	113
PID 4464 wrote to memory of 2684	4464	{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe	113
PID 4832 wrote to memory of 4696	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	115
PID 4832 wrote to memory of 4696	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	115
PID 4832 wrote to memory of 4696	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	115
PID 4832 wrote to memory of 2928	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	116
PID 4832 wrote to memory of 2928	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	116
PID 4832 wrote to memory of 2928	4832	{32CE0948-7689-484e-AB88-156BE64F3324}.exe	116
PID 4696 wrote to memory of 2596	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	117
PID 4696 wrote to memory of 2596	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	117
PID 4696 wrote to memory of 2596	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	117
PID 4696 wrote to memory of 672	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	118
PID 4696 wrote to memory of 672	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	118
PID 4696 wrote to memory of 672	4696	{48597134-3300-4d79-BBBF-12DB910C2970}.exe	118
PID 2596 wrote to memory of 2992	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	120
PID 2596 wrote to memory of 2992	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	120
PID 2596 wrote to memory of 2992	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	120
PID 2596 wrote to memory of 4452	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	121
PID 2596 wrote to memory of 4452	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	121
PID 2596 wrote to memory of 4452	2596	{089B1307-FFFF-457d-8E6C-8357C4097285}.exe	121
PID 2992 wrote to memory of 3536	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	122
PID 2992 wrote to memory of 3536	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	122
PID 2992 wrote to memory of 3536	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	122
PID 2992 wrote to memory of 2804	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	123
PID 2992 wrote to memory of 2804	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	123
PID 2992 wrote to memory of 2804	2992	{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe	123
PID 3536 wrote to memory of 2500	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	124
PID 3536 wrote to memory of 2500	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	124
PID 3536 wrote to memory of 2500	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	124
PID 3536 wrote to memory of 2928	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	125
PID 3536 wrote to memory of 2928	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	125
PID 3536 wrote to memory of 2928	3536	{A97608E0-F962-42ab-B012-A27D0459282B}.exe	125
PID 2500 wrote to memory of 3932	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	133
PID 2500 wrote to memory of 3932	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	133
PID 2500 wrote to memory of 3932	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	133
PID 2500 wrote to memory of 4596	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	134
PID 2500 wrote to memory of 4596	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	134
PID 2500 wrote to memory of 4596	2500	{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe	134
PID 3932 wrote to memory of 4704	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	135
PID 3932 wrote to memory of 4704	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	135
PID 3932 wrote to memory of 4704	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	135
PID 3932 wrote to memory of 1568	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	136
PID 3932 wrote to memory of 1568	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	136
PID 3932 wrote to memory of 1568	3932	{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe	136
PID 4704 wrote to memory of 3936	4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe	140
PID 4704 wrote to memory of 3936	4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe	140
PID 4704 wrote to memory of 3936	4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe	140
PID 4704 wrote to memory of 3012	4704	{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe	141

C:\Users\Admin\AppData\Local\Temp\2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_013d27dac742e27278a05905184d6ba7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
  C:\Windows\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
    C:\Windows\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\{32CE0948-7689-484e-AB88-156BE64F3324}.exe
      C:\Windows\{32CE0948-7689-484e-AB88-156BE64F3324}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\{48597134-3300-4d79-BBBF-12DB910C2970}.exe
        
        C:\Windows\{48597134-3300-4d79-BBBF-12DB910C2970}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
        
        C:\Windows\{089B1307-FFFF-457d-8E6C-8357C4097285}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
        
        C:\Windows\{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{A97608E0-F962-42ab-B012-A27D0459282B}.exe
        
        C:\Windows\{A97608E0-F962-42ab-B012-A27D0459282B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
        
        C:\Windows\{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
        
        C:\Windows\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
        
        C:\Windows\{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe
        
        C:\Windows\{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe
        12⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65004~1.EXE > nul
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0F3~1.EXE > nul
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E84B1~1.EXE > nul
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9760~1.EXE > nul
        9⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C6B~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{089B1~1.EXE > nul
        7⤵
        
        PID:4452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48597~1.EXE > nul
        6⤵
        
        PID:672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32CE0~1.EXE > nul
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CAC84~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A11B1~1.EXE > nul
    3⤵
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{089B1307-FFFF-457d-8E6C-8357C4097285}.exe

Filesize
344KB

MD5
f033362f6ba59d5455186aacbfb8927a

SHA1
c519b5dbb37c2d3e7c382f6ec3756f9f632a939e

SHA256
325d892e4e2794ac4b1db525004476dfd3f5b8454cb55854d0360d6c4e50574c

SHA512
37a923de3ab148de8897b935344b3a7112ec8432056a47b91f625520994644c78fcee80eb1e766e03f849f9355d53a756ba76678f9134b0a976dc4ecc5c331ad

Download Submit
C:\Windows\{15C6B3CE-6739-454b-84C8-9EE07A37758F}.exe

Filesize
344KB

MD5
dad7340e9a237d5d8bd624c38139b6d1

SHA1
a6b338041181594f6258a5fc6c39a9dfe7593df5

SHA256
c743e2308312c66c160bc3a49dd79eef87664db79234b7c65f0c02d0843fa73d

SHA512
6a58bc3f063c66d06c4fe5f5339be4d056b6c7102dd6e4558a1aaaa19b6ec299618df6c8d76f104cf1f575347c79075088133254441bdcf8d585ed0262e937f6

Download Submit
C:\Windows\{286A139B-D7F2-4262-80B9-0A866784A5C8}.exe

Filesize
344KB

MD5
dde1627b02d79b0e0c5b76080dd9ec76

SHA1
bc86e88d65fbf877da92f0504f0464eee2c7a25e

SHA256
84aad3206b1c140282333490a5daa4426731e4e624ef91060cf472cc743a7a3f

SHA512
f11dfa5c5ddb6fac189e1f114bb80251d7d905745fd78f5b73351729a09b8fdc363389b7e9578007654d1b268f5bdf318b115a1a3d03a38e7be8b038dd74d6b9

Download Submit
C:\Windows\{32CE0948-7689-484e-AB88-156BE64F3324}.exe

Filesize
344KB

MD5
d44c38344d1ff573b0a3ab32735560e2

SHA1
d9fc2d484d9ae4552be6b7d6adaeb9ffc8bbcabb

SHA256
dbea77bb4d14fc0b5a701b72850b7dfc0af4a6b5b627f2699eb390ed2537447f

SHA512
97dbc67cf019c085dee7fc318b0170984f903fa4f75747076e0cd38fe48297059ad625436ae473d41fbe4437b43570fead0ccbe52b6d49848fa5fe3f3aaaffae

Download Submit
C:\Windows\{48597134-3300-4d79-BBBF-12DB910C2970}.exe

Filesize
344KB

MD5
4b16cb7a3711b359dc2fd447403363a5

SHA1
fbf1d3cb2c5cc08ef02def82c5ad8fd3d8add117

SHA256
dd262a7a7ce111c3f496d10d780c56c76f4eccf9bf239653d3a797d4e65714ec

SHA512
17ef56cc8c3ef1646de2ab0f9bfdbab43f442e7c79ae178ac1cd833c7be448f093aa20d9ad1fc43e0831451a2f6f32efe742906fa611d1bf2377cc4545e5367f

Download Submit
C:\Windows\{65004336-C708-48fe-8C92-E321DDCFA7CF}.exe

Filesize
344KB

MD5
5d06e87d3001e86392473aeb7a7dd0eb

SHA1
bb23ed5b86219d4ebb47318fc81d3135e201db0f

SHA256
3610de490c6cabd1b7c20355d7b03cbc7504b311eb476a43773f2084032725b1

SHA512
8198d38c3eba59c80fcedbd6d3a5113e016246c65d6f6f1a0ec07eccf8f5ce026744bbea57f170da2c3bb0d126e850462011e90476daa7f019c86e13f3938b7a

Download Submit
C:\Windows\{A11B1E20-F1F6-443d-8D09-1398F25AA98A}.exe

Filesize
344KB

MD5
a14f2e2e33391a2833adb51401d3cd72

SHA1
ee62ca99d2a01ea4a5f1d648fd2970404fb27969

SHA256
2c3e70f8f59f517858d9ad1e46aa357440bbcb1b1bffebf78189c876c113f7a2

SHA512
8c1183ca627d444e1e817663fe34ebac0b1db97afa63f18b71615cf31c04ba1d9fc8e9136b72b1c67b08d96ff79059f52043e1f3d7e70980ea76f346fd05ed4d

Download Submit
C:\Windows\{A97608E0-F962-42ab-B012-A27D0459282B}.exe

Filesize
344KB

MD5
86622066d8b0f74ab6be7bd5bddce809

SHA1
e903a0a91ed3f1f89e17c87bda44978a04e52c40

SHA256
134ff20b2de4e54bd5309e079921fa65877898bd4633ea290524cc69caa69156

SHA512
2fa4bfd877cec648100f54a75d24980bf4009247a40024759aa16c9b66940a05ea0166d567953b01e53b4b5263cbd71915465095687edad809434dbf05ff894d

Download Submit
C:\Windows\{CAC84D18-93FF-4cae-B110-5F17A227A1AE}.exe

Filesize
344KB

MD5
facaa60294e0e61d548020f14170d633

SHA1
75e77b70f646280c17ad8718b31adeda7dcc395f

SHA256
d219e6fb63da787d8064bffa698020bf9c9267c35dfbcb4d094cbc17fc8314af

SHA512
6f36bc3d0101fa084fd549f4ede8a22495c8eac43bfecf99618872d7f499fd0d426c4f7d050a8509cbd000e574992d9523f410f36b47f02450c4bde467e98b03

Download Submit
C:\Windows\{DF0F368C-8185-4265-B89B-AE1C02ECDEF5}.exe

Filesize
344KB

MD5
33c8d8c07cff18d73c5b8930b283e953

SHA1
bd4b53ced77458b76f72a69f9b30c96715a9d4ee

SHA256
bfd02371a1fa57d23f53938dc57495c9ddfb6487be8e67effc0d8c4c9c7e2c0e

SHA512
b4c3262bb7ecbb521d1d27fa9323e96f7182780d236d597f3153cc56ff445cc1639d93311553aa9db59ac07bd0cc6394baed067bd838be19ffbf26691ecd00e5

Download Submit
C:\Windows\{E84B1C49-270F-45e4-89CD-5B419710CF01}.exe

Filesize
344KB

MD5
8a1fa9c17cd18bf8b5bc3e4c986051d9

SHA1
f73e1b5fa7e60e4a73d7fc87a4895c45331e1e8c

SHA256
149cb4f1ae080ac5f4c4f8c6430179b3a00215d43a845914d326042dcd40c061

SHA512
ad224ba0b68203339f30af56a6042146f2dd8d2243f16d2b22d870f7a2c4cc7e55689cff3def143a1f18dc252624a2b3b50789789a224dc855f3755d8e84a661

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads