3f2e5e68f3f2ef4d86ae6bee35adedb8f8665ee974eafb41a3088136f6be62de

Analysis

max time kernel
165s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Size

408KB
MD5

d23c74d26ba418b2599b51c77fe67c01
SHA1

bd8507b937872ec64143c99cc4fbcf3d395288ea
SHA256

3f2e5e68f3f2ef4d86ae6bee35adedb8f8665ee974eafb41a3088136f6be62de
SHA512

1e44f1473900206f31ed2137f89f4b75d633ff998f6ac754d1876fbce707f6732120112943718820f1dbc99440c696e086648ed47b53554ebfcf79d7d67696b5
SSDEEP

3072:CEGh0o4Zl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTB1:CEGaldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002325b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023261-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023265-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023270-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023265-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}\stubpath = "C:\\Windows\\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe"	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C413607-F108-4b1e-AFB7-8C596612AEB5}\stubpath = "C:\\Windows\\{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe"	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB8905C-52E6-47b3-945A-D17C605B7230}	{58009728-287A-4bad-8ED6-81814EC894B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}\stubpath = "C:\\Windows\\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe"	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05854152-D529-44b6-BE81-4DC2FFE62A9A}	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05854152-D529-44b6-BE81-4DC2FFE62A9A}\stubpath = "C:\\Windows\\{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe"	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F0B2172-F67D-40b6-8585-1B0477130168}	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F0B2172-F67D-40b6-8585-1B0477130168}\stubpath = "C:\\Windows\\{0F0B2172-F67D-40b6-8585-1B0477130168}.exe"	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}\stubpath = "C:\\Windows\\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe"	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}\stubpath = "C:\\Windows\\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe"	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C1192A8-F298-47a5-91D8-70FB7719A81B}	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C413607-F108-4b1e-AFB7-8C596612AEB5}	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}\stubpath = "C:\\Windows\\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe"	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C1192A8-F298-47a5-91D8-70FB7719A81B}\stubpath = "C:\\Windows\\{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe"	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58009728-287A-4bad-8ED6-81814EC894B6}	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58009728-287A-4bad-8ED6-81814EC894B6}\stubpath = "C:\\Windows\\{58009728-287A-4bad-8ED6-81814EC894B6}.exe"	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB8905C-52E6-47b3-945A-D17C605B7230}\stubpath = "C:\\Windows\\{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe"	{58009728-287A-4bad-8ED6-81814EC894B6}.exe

Executes dropped EXE 11 IoCs

pid	Process
60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe
4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe
4988	{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
File created	C:\Windows\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
File created	C:\Windows\{58009728-287A-4bad-8ED6-81814EC894B6}.exe	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
File created	C:\Windows\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
File created	C:\Windows\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
File created	C:\Windows\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
File created	C:\Windows\{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
File created	C:\Windows\{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	{58009728-287A-4bad-8ED6-81814EC894B6}.exe
File created	C:\Windows\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
File created	C:\Windows\{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
File created	C:\Windows\{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
Token: SeIncBasePriorityPrivilege	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
Token: SeIncBasePriorityPrivilege	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
Token: SeIncBasePriorityPrivilege	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
Token: SeIncBasePriorityPrivilege	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe
Token: SeIncBasePriorityPrivilege	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
Token: SeIncBasePriorityPrivilege	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
Token: SeIncBasePriorityPrivilege	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
Token: SeIncBasePriorityPrivilege	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
Token: SeIncBasePriorityPrivilege	4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 60	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	91
PID 3800 wrote to memory of 60	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	91
PID 3800 wrote to memory of 60	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	91
PID 3800 wrote to memory of 3868	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	92
PID 3800 wrote to memory of 3868	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	92
PID 3800 wrote to memory of 3868	3800	2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe	92
PID 60 wrote to memory of 4524	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	95
PID 60 wrote to memory of 4524	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	95
PID 60 wrote to memory of 4524	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	95
PID 60 wrote to memory of 2336	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	96
PID 60 wrote to memory of 2336	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	96
PID 60 wrote to memory of 2336	60	{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe	96
PID 4524 wrote to memory of 4068	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	101
PID 4524 wrote to memory of 4068	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	101
PID 4524 wrote to memory of 4068	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	101
PID 4524 wrote to memory of 1204	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	102
PID 4524 wrote to memory of 1204	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	102
PID 4524 wrote to memory of 1204	4524	{0F0B2172-F67D-40b6-8585-1B0477130168}.exe	102
PID 4068 wrote to memory of 4064	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	106
PID 4068 wrote to memory of 4064	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	106
PID 4068 wrote to memory of 4064	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	106
PID 4068 wrote to memory of 4208	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	107
PID 4068 wrote to memory of 4208	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	107
PID 4068 wrote to memory of 4208	4068	{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe	107
PID 4064 wrote to memory of 552	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	108
PID 4064 wrote to memory of 552	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	108
PID 4064 wrote to memory of 552	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	108
PID 4064 wrote to memory of 4848	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	109
PID 4064 wrote to memory of 4848	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	109
PID 4064 wrote to memory of 4848	4064	{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe	109
PID 552 wrote to memory of 4236	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	110
PID 552 wrote to memory of 4236	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	110
PID 552 wrote to memory of 4236	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	110
PID 552 wrote to memory of 1432	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	111
PID 552 wrote to memory of 1432	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	111
PID 552 wrote to memory of 1432	552	{58009728-287A-4bad-8ED6-81814EC894B6}.exe	111
PID 4236 wrote to memory of 1396	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	112
PID 4236 wrote to memory of 1396	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	112
PID 4236 wrote to memory of 1396	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	112
PID 4236 wrote to memory of 3132	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	113
PID 4236 wrote to memory of 3132	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	113
PID 4236 wrote to memory of 3132	4236	{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe	113
PID 1396 wrote to memory of 1156	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	114
PID 1396 wrote to memory of 1156	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	114
PID 1396 wrote to memory of 1156	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	114
PID 1396 wrote to memory of 2204	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	115
PID 1396 wrote to memory of 2204	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	115
PID 1396 wrote to memory of 2204	1396	{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe	115
PID 1156 wrote to memory of 436	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	116
PID 1156 wrote to memory of 436	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	116
PID 1156 wrote to memory of 436	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	116
PID 1156 wrote to memory of 4992	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	117
PID 1156 wrote to memory of 4992	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	117
PID 1156 wrote to memory of 4992	1156	{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe	117
PID 436 wrote to memory of 4628	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	118
PID 436 wrote to memory of 4628	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	118
PID 436 wrote to memory of 4628	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	118
PID 436 wrote to memory of 496	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	119
PID 436 wrote to memory of 496	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	119
PID 436 wrote to memory of 496	436	{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe	119
PID 4628 wrote to memory of 4988	4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe	120
PID 4628 wrote to memory of 4988	4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe	120
PID 4628 wrote to memory of 4988	4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe	120
PID 4628 wrote to memory of 3104	4628	{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_d23c74d26ba418b2599b51c77fe67c01_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
  C:\Windows\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
    C:\Windows\{0F0B2172-F67D-40b6-8585-1B0477130168}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
      C:\Windows\{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
        
        C:\Windows\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\{58009728-287A-4bad-8ED6-81814EC894B6}.exe
        
        C:\Windows\{58009728-287A-4bad-8ED6-81814EC894B6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
        
        C:\Windows\{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
        
        C:\Windows\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
        
        C:\Windows\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
        
        C:\Windows\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe
        
        C:\Windows\{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe
        
        C:\Windows\{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe
        12⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C119~1.EXE > nul
        12⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28B96~1.EXE > nul
        11⤵
        
        PID:496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB477~1.EXE > nul
        10⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7DB9~1.EXE > nul
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB89~1.EXE > nul
        8⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58009~1.EXE > nul
        7⤵
        
        PID:1432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFB73~1.EXE > nul
        6⤵
        
        PID:4848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C413~1.EXE > nul
        5⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0B2~1.EXE > nul
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1169D~1.EXE > nul
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05854152-D529-44b6-BE81-4DC2FFE62A9A}.exe

Filesize
408KB

MD5
fa5f99fa2b34f68cb1aed748fba4038f

SHA1
dd2063816e948781c9e79dc1a2d829f589cd5415

SHA256
407371b49073bea8722c8c57c1baf651fbe9d0a3d7f562723fe286bfa34c8ea4

SHA512
5ae26cd4cb256d9d523ddae89e7305dcdefbf2ee08ef207be7cb5ce93b43422a12aee6d3b9f5577642aba02e081403ff59d0a438265ef57ca13c022324134711

Download Submit
C:\Windows\{0F0B2172-F67D-40b6-8585-1B0477130168}.exe

Filesize
408KB

MD5
5e5ce7020bf22b08643935a11c305cc7

SHA1
432bb486bc37a659e5c4c53563aaf9f16f6657be

SHA256
0bd5cbb65b22892d58a64b02b1f2d4eaf4c384b189213d8ea2d5d73f121d82bb

SHA512
68679f450687f4ebc71245726262bbdfbdaff5c7ab667a0f9b77b8825f62a6261e0e351a1777033e715fbd0fe7671f4d82a0239c1dafc5c2f15f4d627b7becd8

Download Submit
C:\Windows\{1169DAD8-BAE8-4994-AB49-D7E17F31151D}.exe

Filesize
408KB

MD5
14018b3e3ddc28261562153b64d3acfe

SHA1
1c7b8ae16b1dac6131ac70352cbe47fb1bd18466

SHA256
a4f66678045959426429ad1516cb6c0b8677df81afe1413f278f6980e94b8dcc

SHA512
0b4a8c33bf31b4781be12aa23d893cd6b0aa855484c80bf51fa7fdd5a678955f8944f6db33f4843fdc08a206ea7ced9364894233d80144caf4abb9b2eb15b1be

Download Submit
C:\Windows\{28B9633B-DA84-4ccb-AF0A-7710E7182B84}.exe

Filesize
408KB

MD5
ef77bb3d83bf358370e4ad587ffd530c

SHA1
320f54e2ef053caa6572262165850e2655ecbfe1

SHA256
5ec3b5953941b6a08e586ce9258a45d76917cccdef8fa2e2500205b103042db1

SHA512
8e260e390208af13d504a5a9811bec53e1b367311975359f06b6e7d033e23b833b50c90d769cc7c07f261af33e2cceb4b4dbb424c62441313afc4a8996e8fd10

Download Submit
C:\Windows\{2C413607-F108-4b1e-AFB7-8C596612AEB5}.exe

Filesize
408KB

MD5
5b563d7018d741813ff6c360ba165a57

SHA1
f2ae4fc0f5318c7cbff560cbe7c5a43ec038f9e9

SHA256
1e5ff1566d86af505f1ef36efba86cee5492bbc93888fceaf1f32c38614ec114

SHA512
e41a2249cf2795012238b615d1d0a5c8a46346c5b54d5cecf32a0c3663b2054b4330438a04c5541fe9a52bf4f03983203ff8635928aa2c35638ff9029500d8e0

Download Submit
C:\Windows\{58009728-287A-4bad-8ED6-81814EC894B6}.exe

Filesize
408KB

MD5
f12428221d491b8808b0ba626c97d606

SHA1
b53b25eae2bdae6bba63f181b84aece98544edce

SHA256
e8d973019a0a8c855904665092e9d1a38c97a00c41b0e4098f210c7fb3150b80

SHA512
b2d9fdd77cc17986e11dec9f02651fb470cc5c76be56a17439cb64faad5ea8b16a672c4ab9ec01b24ab58de32e1372a81491376dd3eb97b77e48e6a0b727c429

Download Submit
C:\Windows\{8C1192A8-F298-47a5-91D8-70FB7719A81B}.exe

Filesize
408KB

MD5
7ea97d99b1e63611f522d99ab663d138

SHA1
2b45ca66b147f59b90f6a5424c72bc7379dd7395

SHA256
bc7ba3255fb02f832904b43065d19047567ae7562418b47b604a5e798e981da4

SHA512
a83ff381d76b8be255a6f16549d7d00bd5925bdeda131c889a836c06c86cb56044333be6637a82ba2b4c261f9972773a6ae839a6104502df0da8bdb4a1ab278d

Download Submit
C:\Windows\{AB477481-8D1A-4e74-B2BA-381C6DA908B6}.exe

Filesize
408KB

MD5
eae790b3474e852f93b8cf0b4051dd02

SHA1
4d06ee81ed94921cee6a94b8c17f062e6e8fbf6a

SHA256
9724cb4d3ea3b7b68c320adda30a4fcecc5f1b9d0b279bf12c85bf6f34e10af6

SHA512
d400fd03074809c7252005f17e65800ae380cc5297fbf6ac942b6195a08aa81eb8745e999274b44b8301e239ce33bff59ada9e76333ebbdefda758f21f33bc0f

Download Submit
C:\Windows\{C7DB9DDF-9EC0-4a35-9D0D-EB16FC7A92D5}.exe

Filesize
408KB

MD5
21983991e677767002d5da3107382b00

SHA1
c15905983067919d5bf7d68b4b9c85977d6c3dae

SHA256
16b7bc75daa60280f94874345c6550c5daaef8a92abdd576a2b9313e88cb3f76

SHA512
717dd4c34c9937aa93045dc1a81254a0bcf6011028f09b01857b8acbe7fcf3feacfbd277b1cf1925809a20a411ddbd55f9238f1d363b16f74d547d1ba6016df8

Download Submit
C:\Windows\{DEB8905C-52E6-47b3-945A-D17C605B7230}.exe

Filesize
408KB

MD5
d7cdfa6383b5281130966f7e528ca0f3

SHA1
ba5061920628708419b969f2cc6c2f1a90fa80d6

SHA256
e2578b1aea5a44264f1ce664878ddfd9c63c357a276d9b540fa926695639d8f2

SHA512
d06e4f8062965f230a2913e4689b5e152b674f6ccca0a54451478cb050c14d82ea14017ed916af782cc8135df34b9ad9f518005bbd9a5524b36a850050585bca

Download Submit
C:\Windows\{EFB73A12-0E8B-4a22-AC01-234116BFDEAE}.exe

Filesize
408KB

MD5
8a481018f4618c326164d56a4752cf31

SHA1
afc1a312e90dc7ae8ddfc1a755f34285da4161b3

SHA256
076a788f7b8b2088ac2eb407fda3bbb830afd0e852c602ddcc43c5d2288eef28

SHA512
ea3ff989769f6e8062ded5fb8c785e4423df539add011f8ba20c51bca590eb982568eaba6143ba171b2f48115d2f51fd9474f1ccec324f471edd8fa864525a5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads