7f96c894639093f6323f208d81cb422f65ff5c776990ba6f30949f5a27bd01a0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Size

192KB
MD5

6415d46b5168733c37d1f3f8b41a05c4
SHA1

1492d02cb85eaa2914b9f325cf83fd0ce09b7c54
SHA256

7f96c894639093f6323f208d81cb422f65ff5c776990ba6f30949f5a27bd01a0
SHA512

1c6db00c286447a4fe9875ef7d1f2e7267b5fcf7b650d9145fcf14aacf4eeaf36e4c2e81959b97832ef3a988db3c03576edc7fd6967dec6079517f13d8164eb6
SSDEEP

1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oil1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022d20-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023243-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023243-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002324a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}\stubpath = "C:\\Windows\\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe"	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE2144A-4735-4ff2-A674-BCDA88725E85}	{837DE124-003D-48cd-839E-853002B17869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}\stubpath = "C:\\Windows\\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe"	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C8E92E-0359-4202-B623-1190C019A5ED}	{8916715B-53C3-49a8-9920-128E6A621739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}\stubpath = "C:\\Windows\\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe"	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98315A79-EB84-436a-87F9-F84F8D4057C9}\stubpath = "C:\\Windows\\{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe"	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837DE124-003D-48cd-839E-853002B17869}	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8916715B-53C3-49a8-9920-128E6A621739}	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C8E92E-0359-4202-B623-1190C019A5ED}\stubpath = "C:\\Windows\\{77C8E92E-0359-4202-B623-1190C019A5ED}.exe"	{8916715B-53C3-49a8-9920-128E6A621739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837DE124-003D-48cd-839E-853002B17869}\stubpath = "C:\\Windows\\{837DE124-003D-48cd-839E-853002B17869}.exe"	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A194C237-BA45-404a-8422-FEAE8F2054DA}	{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE2144A-4735-4ff2-A674-BCDA88725E85}\stubpath = "C:\\Windows\\{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe"	{837DE124-003D-48cd-839E-853002B17869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A7232E-8080-4760-8FF7-FEE8471C5989}	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A7232E-8080-4760-8FF7-FEE8471C5989}\stubpath = "C:\\Windows\\{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe"	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}\stubpath = "C:\\Windows\\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe"	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}\stubpath = "C:\\Windows\\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe"	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A194C237-BA45-404a-8422-FEAE8F2054DA}\stubpath = "C:\\Windows\\{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe"	{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8916715B-53C3-49a8-9920-128E6A621739}\stubpath = "C:\\Windows\\{8916715B-53C3-49a8-9920-128E6A621739}.exe"	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98315A79-EB84-436a-87F9-F84F8D4057C9}	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe

Executes dropped EXE 12 IoCs

pid	Process
4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe
972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
4864	{837DE124-003D-48cd-839E-853002B17869}.exe
3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
4068	{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe
4524	{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
File created	C:\Windows\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
File created	C:\Windows\{837DE124-003D-48cd-839E-853002B17869}.exe	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
File created	C:\Windows\{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	{837DE124-003D-48cd-839E-853002B17869}.exe
File created	C:\Windows\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
File created	C:\Windows\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
File created	C:\Windows\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
File created	C:\Windows\{8916715B-53C3-49a8-9920-128E6A621739}.exe	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
File created	C:\Windows\{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	{8916715B-53C3-49a8-9920-128E6A621739}.exe
File created	C:\Windows\{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
File created	C:\Windows\{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
File created	C:\Windows\{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe	{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe
Token: SeIncBasePriorityPrivilege	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
Token: SeIncBasePriorityPrivilege	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
Token: SeIncBasePriorityPrivilege	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
Token: SeIncBasePriorityPrivilege	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
Token: SeIncBasePriorityPrivilege	4864	{837DE124-003D-48cd-839E-853002B17869}.exe
Token: SeIncBasePriorityPrivilege	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
Token: SeIncBasePriorityPrivilege	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
Token: SeIncBasePriorityPrivilege	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
Token: SeIncBasePriorityPrivilege	3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
Token: SeIncBasePriorityPrivilege	4068	{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4364	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	99
PID 5008 wrote to memory of 4364	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	99
PID 5008 wrote to memory of 4364	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	99
PID 5008 wrote to memory of 2440	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	100
PID 5008 wrote to memory of 2440	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	100
PID 5008 wrote to memory of 2440	5008	2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe	100
PID 4364 wrote to memory of 972	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	104
PID 4364 wrote to memory of 972	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	104
PID 4364 wrote to memory of 972	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	104
PID 4364 wrote to memory of 740	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	105
PID 4364 wrote to memory of 740	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	105
PID 4364 wrote to memory of 740	4364	{8916715B-53C3-49a8-9920-128E6A621739}.exe	105
PID 972 wrote to memory of 2172	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	107
PID 972 wrote to memory of 2172	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	107
PID 972 wrote to memory of 2172	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	107
PID 972 wrote to memory of 1212	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	108
PID 972 wrote to memory of 1212	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	108
PID 972 wrote to memory of 1212	972	{77C8E92E-0359-4202-B623-1190C019A5ED}.exe	108
PID 2172 wrote to memory of 3660	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	110
PID 2172 wrote to memory of 3660	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	110
PID 2172 wrote to memory of 3660	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	110
PID 2172 wrote to memory of 4188	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	111
PID 2172 wrote to memory of 4188	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	111
PID 2172 wrote to memory of 4188	2172	{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe	111
PID 3660 wrote to memory of 2584	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	112
PID 3660 wrote to memory of 2584	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	112
PID 3660 wrote to memory of 2584	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	112
PID 3660 wrote to memory of 2636	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	113
PID 3660 wrote to memory of 2636	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	113
PID 3660 wrote to memory of 2636	3660	{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe	113
PID 2584 wrote to memory of 4864	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	114
PID 2584 wrote to memory of 4864	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	114
PID 2584 wrote to memory of 4864	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	114
PID 2584 wrote to memory of 2252	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	115
PID 2584 wrote to memory of 2252	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	115
PID 2584 wrote to memory of 2252	2584	{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe	115
PID 4864 wrote to memory of 3360	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	116
PID 4864 wrote to memory of 3360	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	116
PID 4864 wrote to memory of 3360	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	116
PID 4864 wrote to memory of 1988	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	117
PID 4864 wrote to memory of 1988	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	117
PID 4864 wrote to memory of 1988	4864	{837DE124-003D-48cd-839E-853002B17869}.exe	117
PID 3360 wrote to memory of 4620	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	118
PID 3360 wrote to memory of 4620	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	118
PID 3360 wrote to memory of 4620	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	118
PID 3360 wrote to memory of 5016	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	119
PID 3360 wrote to memory of 5016	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	119
PID 3360 wrote to memory of 5016	3360	{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe	119
PID 4620 wrote to memory of 3620	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	120
PID 4620 wrote to memory of 3620	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	120
PID 4620 wrote to memory of 3620	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	120
PID 4620 wrote to memory of 4144	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	121
PID 4620 wrote to memory of 4144	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	121
PID 4620 wrote to memory of 4144	4620	{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe	121
PID 3620 wrote to memory of 3276	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	122
PID 3620 wrote to memory of 3276	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	122
PID 3620 wrote to memory of 3276	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	122
PID 3620 wrote to memory of 1724	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	123
PID 3620 wrote to memory of 1724	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	123
PID 3620 wrote to memory of 1724	3620	{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe	123
PID 3276 wrote to memory of 4068	3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe	124
PID 3276 wrote to memory of 4068	3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe	124
PID 3276 wrote to memory of 4068	3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe	124
PID 3276 wrote to memory of 4788	3276	{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_6415d46b5168733c37d1f3f8b41a05c4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\{8916715B-53C3-49a8-9920-128E6A621739}.exe
  C:\Windows\{8916715B-53C3-49a8-9920-128E6A621739}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
    C:\Windows\{77C8E92E-0359-4202-B623-1190C019A5ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
      C:\Windows\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
        
        C:\Windows\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
        
        C:\Windows\{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{837DE124-003D-48cd-839E-853002B17869}.exe
        
        C:\Windows\{837DE124-003D-48cd-839E-853002B17869}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
        
        C:\Windows\{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
        
        C:\Windows\{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
        
        C:\Windows\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
        
        C:\Windows\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe
        
        C:\Windows\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe
        
        C:\Windows\{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe
        13⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF4D~1.EXE > nul
        13⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A15~1.EXE > nul
        12⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C66B~1.EXE > nul
        11⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67A72~1.EXE > nul
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE21~1.EXE > nul
        9⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{837DE~1.EXE > nul
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98315~1.EXE > nul
        7⤵
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE62~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{226AB~1.EXE > nul
        5⤵
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77C8E~1.EXE > nul
      4⤵
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{89167~1.EXE > nul
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C66B981-04B6-4f77-87CE-01FE527D1C0E}.exe

Filesize
192KB

MD5
697e8e4a382f5e9f4dd0d2c35459fac3

SHA1
fec6e2041622453d9436947072c476026e23b223

SHA256
c687b1b01c15510b7a4ded75a71c603b96a91e83b307f506f6c1ac086d991a14

SHA512
23afa67c7a0cc6ea452cfe09f02b3d9c87d58bb7cf574bafa56558c58921332c35b4629ef54cee52ce3f3efb7e03e38db244861c1789e5395c8afec5bcd08e27

Download Submit
C:\Windows\{226AB54D-1F21-4b6a-9D76-CCFAC996743D}.exe

Filesize
192KB

MD5
312d7fd99ade0b09142b17e37309e237

SHA1
4ba3b90ff2d35e4ff433c202ce89b2efd49c5590

SHA256
9715db35a795481557caab749b88a91b413d0ca3d4bf99033b9ab0f37cb6c1c6

SHA512
a3953f2c0dddb883a9937cc64ef531dbb25c6a5cf534b22105f20b56af2e436ca8e49d7b49d69542f6cd4f8843b979db9e27bba312c7614d35a6b576d397bb10

Download Submit
C:\Windows\{5FF4D1BD-1AFB-42ce-A002-3B819B779955}.exe

Filesize
192KB

MD5
0107ca378523c1692e0f56e0824fb21a

SHA1
e12d4375ff0c83ea0a50e810f087fed90e2758ac

SHA256
911e8f1040c98707bde18d8196e0bc141ba9bb1d65b81e0f99b049238a2a8420

SHA512
8b2f9c1862789a706787609a6c1a3c95d87bb9a279959a055a240a6cca7bb05d2786e98535919d16f429c729d08992746db4c5cbbe49b941534232accc2945f3

Download Submit
C:\Windows\{67A7232E-8080-4760-8FF7-FEE8471C5989}.exe

Filesize
192KB

MD5
763a107b5765cb3529df3ee4c0001cd2

SHA1
4520227e8c7c29aec19cefdb8406b7327a397958

SHA256
3cb04520f6fb977579295b1b331b020b270698a34820c2fe247d6a4b8d8066f9

SHA512
d128a8085c28753ee4a3905d9d405f3108089202b902014db7714c177d6bdac447f22bf9e8aa3d8e6de4de0b16bc21ad306cf6048f2b35c011a50ba61e5f23c0

Download Submit
C:\Windows\{77C8E92E-0359-4202-B623-1190C019A5ED}.exe

Filesize
192KB

MD5
0e653523e1197a3edc0a01ee443d153e

SHA1
8872b846f2f898bc8e96a6c4af85ef2a84121dfd

SHA256
47e0c339c83472e6daddc2962e12c2688aedf998b4627093c38b3b78bde6d156

SHA512
841e32b9a9e9528f0e76bd72c8ac0885a3c16892036f99f13ce875ac8a88842291f59dbab094600c6adfaa07743eeee959a6a85eb7e6f116ca2e662e680ff82d

Download Submit
C:\Windows\{837DE124-003D-48cd-839E-853002B17869}.exe

Filesize
192KB

MD5
a5ec4b1851979b0676b5905396583642

SHA1
ca540d0459d7d3daac2d5b86136ae5c7be0ba1db

SHA256
d2debf3b481359241c311c8bda24c5cf75f94b2fabb4aa44f073feb1ed73ae98

SHA512
5495d649d3d54313802bca66a2a1f0d5643567631a1b2b4c66ff77a2bfaa20edd889001b54acd9a819a9a7202b38461c0c350fc3c577e574b2573997b20b7386

Download Submit
C:\Windows\{8916715B-53C3-49a8-9920-128E6A621739}.exe

Filesize
192KB

MD5
394a715e437c3eb49e7c101cab0fe982

SHA1
95cf31a1c3c5a7123de1a72fda23a6c133f13aab

SHA256
3267ab4f3b148d0d21232ae867621d4caee10f1a470535db4cd9c3eaeb2d5916

SHA512
3b4fc0bbbe61c467c6bb98b2d5e04b7d85bc2aa2b5d8d6ae810b9b9ca8f0a5f39ae50f8fff871dbb37917df097b0d1d327af6eb104682287fb8b1079261d87ff

Download Submit
C:\Windows\{98315A79-EB84-436a-87F9-F84F8D4057C9}.exe

Filesize
192KB

MD5
282a314a9ed6668bae2249a0e69e1595

SHA1
02b57fa0f46dd0784b2d1045fcd37f5b18597c99

SHA256
bdd88c81d61d503b10a547b13c8fa10189b324d81292746b0c63f22d76e06db9

SHA512
0b0d0119c54af5353f267cca07edba312b8ead4e2dc957d08869661cd1ed8fc07a83754467a2fe49c9aa8744adb1bf8b538dd15cd23b2f7041479e53cf9e50c8

Download Submit
C:\Windows\{A194C237-BA45-404a-8422-FEAE8F2054DA}.exe

Filesize
192KB

MD5
7cb79d63736084d7fd7880d67e89b9de

SHA1
03ca4b3c4009ed7a502658cc6dec6d41421b5493

SHA256
e1b00ffcff6f544c2b7c2e0d1709a67ab6473a29c98dc2264172e78126603449

SHA512
ac43e91de6c4e49ee2e9d2c761e3b0469a0f90049f5f54460ca1af837f3609431bbb807ff11d1aafd0e28f47fedffdf9201b9a9a19aa26b6d5ecd9060227a261

Download Submit
C:\Windows\{BFE2144A-4735-4ff2-A674-BCDA88725E85}.exe

Filesize
192KB

MD5
6c11077e69b7440a5851aac8c2124cff

SHA1
172aa1562864b8635f4249398b4af329b0df8286

SHA256
a8c36724d733711f41deaed7eab8a6cab254ad8c54159bcce105d3816c3c0ad7

SHA512
ad625e5eca413b3165569bd6f54452cefb3afafbb75eea4d6a7e15c703e25d25882e2abeca082518b6a57bb265602e0e61836c0be307c15ff35abc848f20fb42

Download Submit
C:\Windows\{BFE62DBD-DED8-45a2-8A92-27B1A9E84070}.exe

Filesize
192KB

MD5
869301ee6c8e0c4e3dc7a1488c3258d2

SHA1
a930f93a4ee49172d4a3febf0cb8c4009def41d6

SHA256
f6e61609532adee747fb51eac2eb92fcc8aa4854598dd60ec4fbf35194c876a9

SHA512
f7482bf563e481793d6e7e5e22ff27f2b30215ffffca2df47bb3f6ef30795964f91e684fe18f02e0b5c2b458cfac59079b2fff082ce23ecaf5849e8b3d1fae63

Download Submit
C:\Windows\{D5A15E8C-2887-46a7-BBEC-9B7ACBBB3004}.exe

Filesize
192KB

MD5
1c019232661773ac9604f3e26c3a92c0

SHA1
67f3e8b33c581850f4dd4d4d5802419e0458a72a

SHA256
d7f330fe9b6c08c56fd78fa782c433156a9fad04dfa31ff1df0e7adef0faf565

SHA512
5502378eafe5ecf4eb684e9dfad89fe4844fda9e934fda4c1000d182042c82d689fd2e576c992410c34ab733ad0518920f1fe5e56603e5dc11ae2c7d45565170

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads