4aaa03fa27576d9d6f39609058be5d90a63bba07e43ae5cdca5c0cc5f3d4dcf3

Analysis

max time kernel
156s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe
Size

180KB
MD5

41630e8cddcc8f604d97a64b63d9f264
SHA1

1c7afcd23297871f007a292505828f2b4555cf50
SHA256

4aaa03fa27576d9d6f39609058be5d90a63bba07e43ae5cdca5c0cc5f3d4dcf3
SHA512

137095e101e53c6ea82568a2c7f0d61e9cbbb2694118b67901ceff6ce4c53ef20bb0783f1db86f664e04eda8b3b951a9a2e3839e7e475ba818cb5089de66f4d7
SSDEEP

3072:jEGh0oYlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00020000000227ea-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023259-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002324f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023259-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}\stubpath = "C:\\Windows\\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe"	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}\stubpath = "C:\\Windows\\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe"	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}\stubpath = "C:\\Windows\\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe"	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14ADDEB9-88E0-4de3-B612-6D459877DADF}\stubpath = "C:\\Windows\\{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe"	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{885D3879-CCE8-493c-A4C5-5AB268DA872A}	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}\stubpath = "C:\\Windows\\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe"	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}\stubpath = "C:\\Windows\\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe"	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}\stubpath = "C:\\Windows\\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe"	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64D394C-60E7-402c-AC2A-1C939B3901A6}\stubpath = "C:\\Windows\\{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe"	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{885D3879-CCE8-493c-A4C5-5AB268DA872A}\stubpath = "C:\\Windows\\{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe"	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64D394C-60E7-402c-AC2A-1C939B3901A6}	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14ADDEB9-88E0-4de3-B612-6D459877DADF}	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}\stubpath = "C:\\Windows\\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe"	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}\stubpath = "C:\\Windows\\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe"	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe

Executes dropped EXE 11 IoCs

pid	Process
1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
5000	{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
File created	C:\Windows\{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
File created	C:\Windows\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
File created	C:\Windows\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
File created	C:\Windows\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
File created	C:\Windows\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
File created	C:\Windows\{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
File created	C:\Windows\{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
File created	C:\Windows\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
File created	C:\Windows\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
File created	C:\Windows\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
Token: SeIncBasePriorityPrivilege	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
Token: SeIncBasePriorityPrivilege	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
Token: SeIncBasePriorityPrivilege	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
Token: SeIncBasePriorityPrivilege	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
Token: SeIncBasePriorityPrivilege	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
Token: SeIncBasePriorityPrivilege	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
Token: SeIncBasePriorityPrivilege	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
Token: SeIncBasePriorityPrivilege	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
Token: SeIncBasePriorityPrivilege	1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1732	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	95
PID 2576 wrote to memory of 1732	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	95
PID 2576 wrote to memory of 1732	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	95
PID 2576 wrote to memory of 860	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	96
PID 2576 wrote to memory of 860	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	96
PID 2576 wrote to memory of 860	2576	2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe	96
PID 1732 wrote to memory of 3960	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	105
PID 1732 wrote to memory of 3960	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	105
PID 1732 wrote to memory of 3960	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	105
PID 1732 wrote to memory of 212	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	106
PID 1732 wrote to memory of 212	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	106
PID 1732 wrote to memory of 212	1732	{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe	106
PID 3960 wrote to memory of 1520	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	108
PID 3960 wrote to memory of 1520	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	108
PID 3960 wrote to memory of 1520	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	108
PID 3960 wrote to memory of 1004	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	109
PID 3960 wrote to memory of 1004	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	109
PID 3960 wrote to memory of 1004	3960	{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe	109
PID 1520 wrote to memory of 5112	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	110
PID 1520 wrote to memory of 5112	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	110
PID 1520 wrote to memory of 5112	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	110
PID 1520 wrote to memory of 1032	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	111
PID 1520 wrote to memory of 1032	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	111
PID 1520 wrote to memory of 1032	1520	{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe	111
PID 5112 wrote to memory of 3580	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	112
PID 5112 wrote to memory of 3580	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	112
PID 5112 wrote to memory of 3580	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	112
PID 5112 wrote to memory of 1596	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	113
PID 5112 wrote to memory of 1596	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	113
PID 5112 wrote to memory of 1596	5112	{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe	113
PID 3580 wrote to memory of 228	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	114
PID 3580 wrote to memory of 228	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	114
PID 3580 wrote to memory of 228	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	114
PID 3580 wrote to memory of 3020	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	115
PID 3580 wrote to memory of 3020	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	115
PID 3580 wrote to memory of 3020	3580	{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe	115
PID 228 wrote to memory of 460	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	116
PID 228 wrote to memory of 460	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	116
PID 228 wrote to memory of 460	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	116
PID 228 wrote to memory of 3976	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	117
PID 228 wrote to memory of 3976	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	117
PID 228 wrote to memory of 3976	228	{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe	117
PID 460 wrote to memory of 4844	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	118
PID 460 wrote to memory of 4844	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	118
PID 460 wrote to memory of 4844	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	118
PID 460 wrote to memory of 1956	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	119
PID 460 wrote to memory of 1956	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	119
PID 460 wrote to memory of 1956	460	{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe	119
PID 4844 wrote to memory of 3704	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	120
PID 4844 wrote to memory of 3704	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	120
PID 4844 wrote to memory of 3704	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	120
PID 4844 wrote to memory of 1492	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	121
PID 4844 wrote to memory of 1492	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	121
PID 4844 wrote to memory of 1492	4844	{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe	121
PID 3704 wrote to memory of 1144	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	122
PID 3704 wrote to memory of 1144	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	122
PID 3704 wrote to memory of 1144	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	122
PID 3704 wrote to memory of 368	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	123
PID 3704 wrote to memory of 368	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	123
PID 3704 wrote to memory of 368	3704	{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe	123
PID 1144 wrote to memory of 5000	1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe	124
PID 1144 wrote to memory of 5000	1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe	124
PID 1144 wrote to memory of 5000	1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe	124
PID 1144 wrote to memory of 1800	1144	{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_41630e8cddcc8f604d97a64b63d9f264_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
  C:\Windows\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
    C:\Windows\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
      C:\Windows\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
        
        C:\Windows\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
        
        C:\Windows\{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
        
        C:\Windows\{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
        
        C:\Windows\{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
        
        C:\Windows\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
        
        C:\Windows\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
        
        C:\Windows\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe
        
        C:\Windows\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe
        12⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A4B~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6909~1.EXE > nul
        11⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B6E8~1.EXE > nul
        10⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{885D3~1.EXE > nul
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14ADD~1.EXE > nul
        8⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E64D3~1.EXE > nul
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D2F~1.EXE > nul
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27B18~1.EXE > nul
        5⤵
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{486EB~1.EXE > nul
      4⤵
      PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{64F42~1.EXE > nul
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14ADDEB9-88E0-4de3-B612-6D459877DADF}.exe

Filesize
180KB

MD5
034f14d866705ea240b85efe4673e0af

SHA1
8dc88f8ce65d19b18b1bd68886f646584fe4faec

SHA256
8a49738a69771d2019bf50f9bb80844bb12e27875b94b7999d22f0552a96adc5

SHA512
2d67fe85866a40e8314c5fb3e8e0683a20e1e595dde0e1973ff008584e55aedafb3aa7220f35599361e8d46f284ea469e73450d994b5fc94be204d3c193e7507

Download Submit
C:\Windows\{27B18226-98A5-4b7d-99ED-41D0EA3FC650}.exe

Filesize
180KB

MD5
322cd5d7827772eaf944be831f9e59f4

SHA1
3f41a35d7e410748efb773b7537b0819de5a5859

SHA256
84418bb24f465e5ddbb944e3ecc210089acce15f11f9767dff2dcb59531251ec

SHA512
e58dcd1b40a0a17b947aec053c2dee9b32c297c32a541925a649cdcf6f6655f07c767d3861b0f88cc959cd666c567149ae3f2ded16b7a64c79d8ca765ce2b5ea

Download Submit
C:\Windows\{486EBFC7-4BCD-4f7d-A783-B5F659A2B3E2}.exe

Filesize
180KB

MD5
d0b05237166a5e7089a810eade8f3acf

SHA1
1289ffc00df534165990f5a22d2adcfc53822713

SHA256
131010c0710f0802656f1b269ffe3d78e5a9e139ed5f5e6bf8a89586a2bd1594

SHA512
ae539bc31cb0c4f57f71c56209fff7e7a6a145c612580c50a2fd3314d327e46cf2ebc0d8b264b3fc98a0896ad02943eaacee09aa1f9510511c2f7cc03414804d

Download Submit
C:\Windows\{64F42C32-5C7A-4d1e-9B78-BACA2DE6402C}.exe

Filesize
180KB

MD5
7922640867e79f48c56e36c1230ac404

SHA1
26a82ac85748d681a9e5f9e9361259aa6b16cd4c

SHA256
a590e67a5bd9e9b074fb0a7e0023a533f9fdf5d881d0d726c5c301468f72bc74

SHA512
7f1a04f235146aa8f60a3316ca26448239c5822fa3fe55b6ab03db1e1746b809d9d29b766a29b6cc0d8062bd4f3bca5f3df92285c8a398aa1ff652385c73ef2f

Download Submit
C:\Windows\{70A4BAD4-07D3-437b-BACD-6FD1F97889DA}.exe

Filesize
180KB

MD5
6074119aa47e5a0568a984d372a90773

SHA1
40abca970faeec6359574d9ccb976d85ea3128fb

SHA256
ad0afbcd49d6d73091e3b41b2ffe61fc64d38c560a754b573a07bc5387ebf632

SHA512
47a45ae21747824681f6e8e3f7f692064ca4dfc344754cb74f41bd7c3ab9ec70ab07cafaeece08e23996373d1206df34ece45b1c76ab05c4bce63d43196b13cf

Download Submit
C:\Windows\{7B6E8486-1B0E-459a-86B6-A1227AD5531D}.exe

Filesize
180KB

MD5
cd19625365a1071c6be32bb2e4dc60fc

SHA1
c9d7b2aaf29e641e9036f9398e0d17daf3ceb5c4

SHA256
c803d9b4782ea99527ef4298b706eea90bc4bd2f5eda4c9abe881afe03dd6c9b

SHA512
fe90fdc83488df5c6e9e62acb42ef336a295f7a483d67886124ab782e4009e8702ac46d5dc52c26dfcad65c86b4cca891110d35b0deed463bbceb0366f0ff6e2

Download Submit
C:\Windows\{885D3879-CCE8-493c-A4C5-5AB268DA872A}.exe

Filesize
180KB

MD5
ad61412e6ddcc30576722619d202503e

SHA1
ed9c8243e2086f6af3864a6d8733e5fbae2ca9bb

SHA256
e66ca4cb5ae181f9cfcb77a2b892524c6fcb47ec7c11cf5832d33d3b6c78a461

SHA512
fd8c23e052a061cf493a4eefcd4374d150106325aa67097b395f2117951f73a523d33a6faebc5809f2dde150e618aa1e4d58c6f2953df2f0e79457bc1d56d434

Download Submit
C:\Windows\{B4D2F4CC-ECB9-409b-B51B-41159A3DFEC2}.exe

Filesize
180KB

MD5
270c38f606c82990da73084e9c2e9961

SHA1
614e074cc35d0f22f8dc430aa84ed30a1aa1af9c

SHA256
07df6df4b8003df12f82a4d2cd2c08cad8e40d0a147bb955db2e9bbe0de6c237

SHA512
7cb46ffb93b763673b24d1670981e8a366494d31bc147d69f21118944402aa4304d2d9ddcc32ceca1aa138eb1812197612621d56e6277caa61fa60776c68450f

Download Submit
C:\Windows\{BBD17A0B-ACF9-47a4-BAAA-6E7AE39A9FB1}.exe

Filesize
180KB

MD5
8806130c5961ba11386a16f05f06e372

SHA1
91ddc31a07bd4c5207f10d9bc8a0a489ead93c9b

SHA256
bae0dcc4685da8ca0daa280a2600397650c00fce31998d9ad2a40d7e844b44c6

SHA512
48e557c00d78e0d49bcce7f5b5b141640281255eca5f1ffe0f40196999f2c3e18143f2be4138a36aa589eb4ff85a8f7038eb123e21993e908f2f006f27e11fe5

Download Submit
C:\Windows\{C690993A-6ECF-43bc-8B16-53BF40F32A5F}.exe

Filesize
180KB

MD5
4f7367c6bbf82101448f2bf055461a2c

SHA1
38f6107ef8c111402dbcf6ac3cd2b102f6178d59

SHA256
355c2a1f7c17aa38ee23bbfb8cbdbf4d2191d91185cbd215bb52e883f22e7dc2

SHA512
0a702ee544ac9291da265668b5b8473c0065d0f537d5f88dca28a708cebaa78859e05d4cbb5b403eb6103b49312ff4d82917f661abb5639d99bf2d7f4cade65e

Download Submit
C:\Windows\{E64D394C-60E7-402c-AC2A-1C939B3901A6}.exe

Filesize
180KB

MD5
eac0b887723328878387a85c487c16d3

SHA1
e5d86a3aa68d6dbb3f37f88c669b22bec2112d4c

SHA256
f389246cb6fa40ba4130e36ad0e34dd89239051fca7d730a5a32f955e6d83a45

SHA512
b7f23990943260c6f30913277c19b1ed2fd3920090189de547c080783c64a5cb2f2cb422c3228088cbd08bb44f9e84d90de0341688e1311b032fca0aae59b63e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads