a0f584bf5ed22c6fb9e6650fc2112bc5631105d05a492d0feca08220107dc0a4

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Size

380KB
MD5

c9cebb7ce9efc1224f7b6dbffab2bb44
SHA1

44a8c1cf0b89fb069c3713a09d808004c726486a
SHA256

a0f584bf5ed22c6fb9e6650fc2112bc5631105d05a492d0feca08220107dc0a4
SHA512

0e8a7530054cf0aa27dd917982e41d0120e4f3c041cef7e3ad82c6127ae11403d7b3d08ca97ce840111fb292e1687a12e5a8ae32d967fa6570f669ca063e3cdd
SSDEEP

3072:mEGh0oilPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGgl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ea3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023295-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e457-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023295-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e457-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}\stubpath = "C:\\Windows\\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe"	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}\stubpath = "C:\\Windows\\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe"	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC36315-68B2-4a91-A1A1-B63097507490}\stubpath = "C:\\Windows\\{EBC36315-68B2-4a91-A1A1-B63097507490}.exe"	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}\stubpath = "C:\\Windows\\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe"	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245DCBC7-9746-4b10-B79C-056EDE22147E}	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99293A81-C0AC-4f93-92A4-81C5B8677588}	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3A0B845-B11E-425c-92AE-F923CFBE025F}\stubpath = "C:\\Windows\\{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe"	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}\stubpath = "C:\\Windows\\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe"	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBC36315-68B2-4a91-A1A1-B63097507490}	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}\stubpath = "C:\\Windows\\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe"	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245DCBC7-9746-4b10-B79C-056EDE22147E}\stubpath = "C:\\Windows\\{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe"	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}\stubpath = "C:\\Windows\\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe"	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3A0B845-B11E-425c-92AE-F923CFBE025F}	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}\stubpath = "C:\\Windows\\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe"	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99293A81-C0AC-4f93-92A4-81C5B8677588}\stubpath = "C:\\Windows\\{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe"	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe

Executes dropped EXE 11 IoCs

pid	Process
908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
1628	{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
File created	C:\Windows\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
File created	C:\Windows\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
File created	C:\Windows\{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
File created	C:\Windows\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
File created	C:\Windows\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
File created	C:\Windows\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
File created	C:\Windows\{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
File created	C:\Windows\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
File created	C:\Windows\{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
File created	C:\Windows\{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
Token: SeIncBasePriorityPrivilege	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
Token: SeIncBasePriorityPrivilege	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
Token: SeIncBasePriorityPrivilege	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
Token: SeIncBasePriorityPrivilege	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
Token: SeIncBasePriorityPrivilege	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
Token: SeIncBasePriorityPrivilege	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
Token: SeIncBasePriorityPrivilege	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
Token: SeIncBasePriorityPrivilege	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
Token: SeIncBasePriorityPrivilege	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
Token: SeIncBasePriorityPrivilege	3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 908	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	100
PID 3792 wrote to memory of 908	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	100
PID 3792 wrote to memory of 908	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	100
PID 3792 wrote to memory of 3796	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	101
PID 3792 wrote to memory of 3796	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	101
PID 3792 wrote to memory of 3796	3792	2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe	101
PID 908 wrote to memory of 4352	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	105
PID 908 wrote to memory of 4352	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	105
PID 908 wrote to memory of 4352	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	105
PID 908 wrote to memory of 4340	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	106
PID 908 wrote to memory of 4340	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	106
PID 908 wrote to memory of 4340	908	{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe	106
PID 4352 wrote to memory of 4396	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	107
PID 4352 wrote to memory of 4396	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	107
PID 4352 wrote to memory of 4396	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	107
PID 4352 wrote to memory of 2388	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	108
PID 4352 wrote to memory of 2388	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	108
PID 4352 wrote to memory of 2388	4352	{EBC36315-68B2-4a91-A1A1-B63097507490}.exe	108
PID 4396 wrote to memory of 4868	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	110
PID 4396 wrote to memory of 4868	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	110
PID 4396 wrote to memory of 4868	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	110
PID 4396 wrote to memory of 5088	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	111
PID 4396 wrote to memory of 5088	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	111
PID 4396 wrote to memory of 5088	4396	{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe	111
PID 4868 wrote to memory of 2284	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	112
PID 4868 wrote to memory of 2284	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	112
PID 4868 wrote to memory of 2284	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	112
PID 4868 wrote to memory of 2428	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	113
PID 4868 wrote to memory of 2428	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	113
PID 4868 wrote to memory of 2428	4868	{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe	113
PID 2284 wrote to memory of 3336	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	114
PID 2284 wrote to memory of 3336	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	114
PID 2284 wrote to memory of 3336	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	114
PID 2284 wrote to memory of 4556	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	115
PID 2284 wrote to memory of 4556	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	115
PID 2284 wrote to memory of 4556	2284	{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe	115
PID 3336 wrote to memory of 808	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	116
PID 3336 wrote to memory of 808	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	116
PID 3336 wrote to memory of 808	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	116
PID 3336 wrote to memory of 4108	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	117
PID 3336 wrote to memory of 4108	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	117
PID 3336 wrote to memory of 4108	3336	{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe	117
PID 808 wrote to memory of 3412	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	118
PID 808 wrote to memory of 3412	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	118
PID 808 wrote to memory of 3412	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	118
PID 808 wrote to memory of 4004	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	119
PID 808 wrote to memory of 4004	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	119
PID 808 wrote to memory of 4004	808	{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe	119
PID 3412 wrote to memory of 4760	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	120
PID 3412 wrote to memory of 4760	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	120
PID 3412 wrote to memory of 4760	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	120
PID 3412 wrote to memory of 1944	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	121
PID 3412 wrote to memory of 1944	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	121
PID 3412 wrote to memory of 1944	3412	{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe	121
PID 4760 wrote to memory of 3692	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	122
PID 4760 wrote to memory of 3692	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	122
PID 4760 wrote to memory of 3692	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	122
PID 4760 wrote to memory of 1188	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	123
PID 4760 wrote to memory of 1188	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	123
PID 4760 wrote to memory of 1188	4760	{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe	123
PID 3692 wrote to memory of 1628	3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe	124
PID 3692 wrote to memory of 1628	3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe	124
PID 3692 wrote to memory of 1628	3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe	124
PID 3692 wrote to memory of 2204	3692	{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_c9cebb7ce9efc1224f7b6dbffab2bb44_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
  C:\Windows\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
    C:\Windows\{EBC36315-68B2-4a91-A1A1-B63097507490}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
      C:\Windows\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
        
        C:\Windows\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
        
        C:\Windows\{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
        
        C:\Windows\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
        
        C:\Windows\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
        
        C:\Windows\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
        
        C:\Windows\{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
        
        C:\Windows\{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe
        
        C:\Windows\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe
        12⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A0B~1.EXE > nul
        12⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99293~1.EXE > nul
        11⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDCA~1.EXE > nul
        10⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86913~1.EXE > nul
        9⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32E2D~1.EXE > nul
        8⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{245DC~1.EXE > nul
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82FCB~1.EXE > nul
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EF6~1.EXE > nul
        5⤵
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC36~1.EXE > nul
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA51D~1.EXE > nul
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FCAB413-D633-4326-A5EE-1E66C0B2C532}.exe

Filesize
380KB

MD5
340b55a28a2218d56b630f7c37dc143e

SHA1
16d9efe6e978ce477c8ee1d9befcfc9eb0bd257e

SHA256
ed8283187b767e0e5f853791c654797ba6bb8428348d3de6b9cf87c0766145c8

SHA512
118dc9cfe66fbe7e9193ae32abd0bf1124e49056e9a58bdeb72239e162af350b5bf455bff0158f81a7ca542d412ffbd7a9d84fac1796b5c6ff9e5482c6189451

Download Submit
C:\Windows\{245DCBC7-9746-4b10-B79C-056EDE22147E}.exe

Filesize
380KB

MD5
07343eaabf1356e2d1c440ba75f84da5

SHA1
d4b52d7bbe4295ce2e4295f63f0f6d97980a09d6

SHA256
9396a3bc48e2e2666a2ab471c940d3e36680a44629785be15c7a5877a8eae379

SHA512
59d072cd4b2c6904c6353aa7019bdfcfddb838e86aa38ae3633604ee970e24c897f00f51fbafbadc42c79cbed66b119c76a420fab72fbb39bd690f6c9442f995

Download Submit
C:\Windows\{32E2DADE-C658-4d56-8995-81EEBF3D38B0}.exe

Filesize
380KB

MD5
ba41943450c1f60aa7c391b9b9f748de

SHA1
aedb24a250b45f82f0bc2073c20266793322260c

SHA256
d464238b7d3c36f2521f78f527fec88262b411d62c381a9192ea0a8674237a0e

SHA512
fe2e911a02d6022ed28d0eb144b996b80c6e4da4c92b12e67fe00be5674b3c0d9aa54123bb182d920e8344a7a56c8645121d1fd6dd67f38b6ea6400a5f7c3f91

Download Submit
C:\Windows\{82FCBFF2-94B8-4561-9D62-820FEF21CC07}.exe

Filesize
380KB

MD5
720b23e068a41d0ad16b9282a39b4891

SHA1
d9e86d54090cdf1bde44bf71b5558379b64fb4c5

SHA256
632850c95cbf581e06c9be174b8997794fb9bb326378d1378eb724d9701f7da6

SHA512
09716d1715acdcbeb6d196b2ae8d84872aac9e0d2f04301f570597a2741fc1767419bcc8a865b65d3050f0fbdf2a946c758fd9517210da52d41dffda340101a7

Download Submit
C:\Windows\{86913F6E-A5AF-4f38-8E41-C03736A2CB61}.exe

Filesize
380KB

MD5
38e7260e2e07a355669b0b885f732498

SHA1
d69a9a85a855f70aec955e66f5ed7d1285d830e7

SHA256
8302475a5484dc5afd0bb2cf1d59d13564ecfcfa63147915b972c9e5de335128

SHA512
d5ddff94b995da8f5259121d337e68b036d79934936bb552b3eaa648a04a534db9c1d69da2c399f0f88861ede567f119fc68e765224dfad278a5480f25cb133e

Download Submit
C:\Windows\{99293A81-C0AC-4f93-92A4-81C5B8677588}.exe

Filesize
380KB

MD5
c33a7060b8050a48b07325fda15240e3

SHA1
f9b7d0e1ef40953d39c590433d93aa3d76612472

SHA256
22b9c8cff7cb3794052b233406bac621b3da8ec04a603dbd45063fca4397fec8

SHA512
a1d7f14f914f94b5e9766bafa74631bda37e1d28f63612b3cd840996eca4fec7eb815ab7936f1b3113918a19a9f265c317ca1592de4dfe36ea00d96a8855f024

Download Submit
C:\Windows\{AA51D25D-1C64-4eb5-A8F1-AF09B935838F}.exe

Filesize
380KB

MD5
cb9c881f064fa6f6769bfd81703e6a9b

SHA1
b2e873e263519110fdec0e029005376fd4c6cc6d

SHA256
2de3375c5f23b5dcc2d12adf86cb3985f071600719357106acaaa4751f4da799

SHA512
0178e094b7477343d47c7070354a3e1646fab22ef7f7f7ac9b077cb1b0bc1880f6cf4c6c6ecc2a07a9abb8623602d3492cc1ce8becf43b4f18c3abcc3a2e72ad

Download Submit
C:\Windows\{C3EF6FFE-CC16-4c38-BF20-BDDA580AFD3E}.exe

Filesize
380KB

MD5
46a429b00499f27f21479ad133933f8d

SHA1
5783459fdc20f87363a99692c6ff51ed66bdb8e2

SHA256
e0044c8db1b71cd48b788efd560bbb9fd62af9c2669e07011694bd128655883f

SHA512
c986ad93cdda964a6ba485df36798a0f6d594996d61d0eb8290b23f496cd5c989da114dab168e3982ccc30446aeb583635df7c92b9a2358fa5298fb21f04ccbc

Download Submit
C:\Windows\{D3A0B845-B11E-425c-92AE-F923CFBE025F}.exe

Filesize
380KB

MD5
57c2ec56066bc355b846a1a13cd28f44

SHA1
16ed41f09dedc1b54f0a760c3518c53b88b6a08f

SHA256
6278d6a5288051a7ce54ce8983b792fc9c68b2701e32e2aaa279a71454f3a589

SHA512
752883cfe6fc660b95bbd592ad7b09e927fad6dafde0419405793397fa02c72d30b9038c9909a9e75d0bec16830f58811582b55465004f36545687ff3a6707e7

Download Submit
C:\Windows\{EBC36315-68B2-4a91-A1A1-B63097507490}.exe

Filesize
380KB

MD5
8d031ab0aa2fc48db06475028c041080

SHA1
01cab73df3a81e2b77789081e8f9594edfebd300

SHA256
aa58448b8e11f2020da70da3fa6df02976c0a0b54733b9e412b481f132db8ac4

SHA512
048f7dc7e90e97578c08775298e919bce185b7d47d37c4b374a158833073d8bfb3b35d7f2e621e00ef543aa7f0251647e3961fa817b382610ccb78e11f003866

Download Submit
C:\Windows\{FBDCA65E-43BB-4d0e-B097-9547D8472F21}.exe

Filesize
380KB

MD5
85d4cfa413fa14830736d74f139eeee9

SHA1
bba40e8fde8bd777b07191136ceb50a4e84fdf24

SHA256
7341fb2520c2ca69e226c5bf971412c057e4ff6275226d8350ff67093265fa76

SHA512
ac03b484e65b9fe11e8c65d9b786e388f7d5e07a968feb623e08d84ff655ced77a00d064a43c36936c79b8d925cc7f2de5fd2c313dff90909a6b3b2ecf058cf5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads