751c1f905ce13fa682fec131efac1a10ad89469b02bdeb4ed24fc3942c971967

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Size

168KB
MD5

ef696fb03edc89ff18c46e62ebd47797
SHA1

e6ffa917a454fe9d9f2300ee5f2ce600a1cc42d0
SHA256

751c1f905ce13fa682fec131efac1a10ad89469b02bdeb4ed24fc3942c971967
SHA512

43ecd9319a2feb08bccd0527015ce2a8bc3cc17c5159faa844d70006b081a076ef1aa35ff6619c71ed9770dffce13142a321689cdbad4465f48c8761d77c3efc
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023272-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002327e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023272-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002327e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4289F79B-8B5F-4558-8DCC-472B92935716}	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042E4A2E-F37B-487b-B032-1537EC764881}\stubpath = "C:\\Windows\\{042E4A2E-F37B-487b-B032-1537EC764881}.exe"	{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58D3B465-224D-4240-AEA4-A23614D7EA9B}	{042E4A2E-F37B-487b-B032-1537EC764881}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FE7B15-06A6-45da-970E-48B43F1E8351}	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FE7B15-06A6-45da-970E-48B43F1E8351}\stubpath = "C:\\Windows\\{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe"	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F69585D-79E4-49d0-A66C-37ED515648C1}	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}\stubpath = "C:\\Windows\\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe"	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}\stubpath = "C:\\Windows\\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe"	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4289F79B-8B5F-4558-8DCC-472B92935716}\stubpath = "C:\\Windows\\{4289F79B-8B5F-4558-8DCC-472B92935716}.exe"	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042E4A2E-F37B-487b-B032-1537EC764881}	{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5487EDD8-6C70-4f69-9513-B53227ED8877}	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5487EDD8-6C70-4f69-9513-B53227ED8877}\stubpath = "C:\\Windows\\{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe"	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58D3B465-224D-4240-AEA4-A23614D7EA9B}\stubpath = "C:\\Windows\\{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe"	{042E4A2E-F37B-487b-B032-1537EC764881}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}\stubpath = "C:\\Windows\\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe"	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}\stubpath = "C:\\Windows\\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe"	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F69585D-79E4-49d0-A66C-37ED515648C1}\stubpath = "C:\\Windows\\{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe"	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}\stubpath = "C:\\Windows\\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe"	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}\stubpath = "C:\\Windows\\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe"	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe

Executes dropped EXE 11 IoCs

pid	Process
2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
4872	{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe
1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
2940	{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
File created	C:\Windows\{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
File created	C:\Windows\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
File created	C:\Windows\{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
File created	C:\Windows\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
File created	C:\Windows\{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
File created	C:\Windows\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
File created	C:\Windows\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
File created	C:\Windows\{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	{042E4A2E-F37B-487b-B032-1537EC764881}.exe
File created	C:\Windows\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
File created	C:\Windows\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
Token: SeIncBasePriorityPrivilege	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
Token: SeIncBasePriorityPrivilege	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
Token: SeIncBasePriorityPrivilege	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
Token: SeIncBasePriorityPrivilege	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
Token: SeIncBasePriorityPrivilege	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe
Token: SeIncBasePriorityPrivilege	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
Token: SeIncBasePriorityPrivilege	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
Token: SeIncBasePriorityPrivilege	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
Token: SeIncBasePriorityPrivilege	3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2324	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	91
PID 4888 wrote to memory of 2324	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	91
PID 4888 wrote to memory of 2324	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	91
PID 4888 wrote to memory of 848	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	92
PID 4888 wrote to memory of 848	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	92
PID 4888 wrote to memory of 848	4888	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	92
PID 2324 wrote to memory of 1028	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	98
PID 2324 wrote to memory of 1028	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	98
PID 2324 wrote to memory of 1028	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	98
PID 2324 wrote to memory of 548	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	99
PID 2324 wrote to memory of 548	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	99
PID 2324 wrote to memory of 548	2324	{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe	99
PID 1028 wrote to memory of 4492	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	103
PID 1028 wrote to memory of 4492	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	103
PID 1028 wrote to memory of 4492	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	103
PID 1028 wrote to memory of 4344	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	104
PID 1028 wrote to memory of 4344	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	104
PID 1028 wrote to memory of 4344	1028	{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe	104
PID 4492 wrote to memory of 2340	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	106
PID 4492 wrote to memory of 2340	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	106
PID 4492 wrote to memory of 2340	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	106
PID 4492 wrote to memory of 4868	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	107
PID 4492 wrote to memory of 4868	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	107
PID 4492 wrote to memory of 4868	4492	{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe	107
PID 2340 wrote to memory of 4040	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	108
PID 2340 wrote to memory of 4040	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	108
PID 2340 wrote to memory of 4040	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	108
PID 2340 wrote to memory of 4976	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	109
PID 2340 wrote to memory of 4976	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	109
PID 2340 wrote to memory of 4976	2340	{4289F79B-8B5F-4558-8DCC-472B92935716}.exe	109
PID 4040 wrote to memory of 4872	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	110
PID 4040 wrote to memory of 4872	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	110
PID 4040 wrote to memory of 4872	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	110
PID 4040 wrote to memory of 4308	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	111
PID 4040 wrote to memory of 4308	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	111
PID 4040 wrote to memory of 4308	4040	{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe	111
PID 1904 wrote to memory of 1192	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	114
PID 1904 wrote to memory of 1192	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	114
PID 1904 wrote to memory of 1192	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	114
PID 1904 wrote to memory of 852	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	115
PID 1904 wrote to memory of 852	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	115
PID 1904 wrote to memory of 852	1904	{042E4A2E-F37B-487b-B032-1537EC764881}.exe	115
PID 1192 wrote to memory of 2884	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	116
PID 1192 wrote to memory of 2884	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	116
PID 1192 wrote to memory of 2884	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	116
PID 1192 wrote to memory of 3296	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	117
PID 1192 wrote to memory of 3296	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	117
PID 1192 wrote to memory of 3296	1192	{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe	117
PID 2884 wrote to memory of 5012	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	118
PID 2884 wrote to memory of 5012	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	118
PID 2884 wrote to memory of 5012	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	118
PID 2884 wrote to memory of 1360	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	119
PID 2884 wrote to memory of 1360	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	119
PID 2884 wrote to memory of 1360	2884	{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe	119
PID 5012 wrote to memory of 3416	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	120
PID 5012 wrote to memory of 3416	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	120
PID 5012 wrote to memory of 3416	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	120
PID 5012 wrote to memory of 4084	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	121
PID 5012 wrote to memory of 4084	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	121
PID 5012 wrote to memory of 4084	5012	{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe	121
PID 3416 wrote to memory of 2940	3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe	122
PID 3416 wrote to memory of 2940	3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe	122
PID 3416 wrote to memory of 2940	3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe	122
PID 3416 wrote to memory of 1412	3416	{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
  C:\Windows\{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
    C:\Windows\{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
      C:\Windows\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
        
        C:\Windows\{4289F79B-8B5F-4558-8DCC-472B92935716}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
        
        C:\Windows\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe
        
        C:\Windows\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\{042E4A2E-F37B-487b-B032-1537EC764881}.exe
        
        C:\Windows\{042E4A2E-F37B-487b-B032-1537EC764881}.exe
        8⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
        
        C:\Windows\{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
        
        C:\Windows\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
        
        C:\Windows\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
        
        C:\Windows\{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe
        
        C:\Windows\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe
        13⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F695~1.EXE > nul
        13⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77C2D~1.EXE > nul
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7028~1.EXE > nul
        11⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58D3B~1.EXE > nul
        10⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{042E4~1.EXE > nul
        9⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3406C~1.EXE > nul
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{159F7~1.EXE > nul
        7⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4289F~1.EXE > nul
        6⤵
        
        PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A13E~1.EXE > nul
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8FE7~1.EXE > nul
      4⤵
      PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5487E~1.EXE > nul
    3⤵
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A13E17D-1B61-4478-8CCE-80A4F3399CB1}.exe

Filesize
168KB

MD5
0cebfcfd3db64d99f773553bca58d741

SHA1
2e0ab35068eceba36e1c3d9e34edcbaf43b91d86

SHA256
762411c070b4e614753e40c3124e1dacfc69cb2acfcfaa9fa957f1b0c599c125

SHA512
3a42f340690bb7b9c958b0c699ed119673b7ae23441a2b36e4c981206302e3404b60507b32c67241034f23159970175c9dd3ae1448b1ca0bde54940dec824112

Download Submit
C:\Windows\{159F72D9-0F63-49f4-B63C-11FCE2320BD7}.exe

Filesize
168KB

MD5
8af813111ff11ab987eb391c1425549f

SHA1
8c5b736b492319641006b8ede3f2798c86c79310

SHA256
55ff7e47f52a766dd45ce0a5b80230e6758ff48472d7d13e954f8511ce481c93

SHA512
75faecd57c32ffdcc63b76b08dac89d33f082f129f3dd3b98add2dea60408a5fe1b42ebc2fcd0523beb0bb5f04914c5f02707c8eb3f4c4c90d5a3bc26aef0099

Download Submit
C:\Windows\{3406C40D-24E7-42f1-ADEC-C1ED6DDBDBA8}.exe

Filesize
168KB

MD5
3f3739ccd0c06b8836747c23a9ba35f4

SHA1
92c83890df27f1e81704027c6695ae5141c663a7

SHA256
69deb822a8bd5c5ea772da1ec77c4f22b40d43d840e288ff8e4a515435613723

SHA512
2315aea3346e7b37bfe67659095040335ce627e833b06258888538263985f02d6eb46f9dfaff9730a64e9fe35ed8e1e3e9011d2634d31f07de4c4df8c12fbca9

Download Submit
C:\Windows\{3F69585D-79E4-49d0-A66C-37ED515648C1}.exe

Filesize
168KB

MD5
920eb2ab988b0e653e2d3b44bc17d854

SHA1
6b666c99bd95d7d7384b4df712b8d7b9e9c73240

SHA256
d42559e7e0c26b8767bf88c1e961250b96cc7531da5b9ce30f65972fad0f5641

SHA512
371377223bf3a9e4dc83c59e1cab337ace35a0dcd1d117a6b69e4e8108a68c2a30195a74af4bf167d41254db41c59bd1b4605b8d61d36790d151649f160fb222

Download Submit
C:\Windows\{4289F79B-8B5F-4558-8DCC-472B92935716}.exe

Filesize
168KB

MD5
df38ad5c8db1a3f16eacf7867847a82b

SHA1
27eb42ac9695d6680b69363e6b93f4308f0d073e

SHA256
599db300fefeab556e588571089ceeae3813b207c6e78b466dfb9680222a60e7

SHA512
09e101c9cce66a37776fe8e25324ab2042d319a48bfbf19593c406e257b136dbe76df545871defeb19f94756773e8920347234f45be158c23d4270dae3779689

Download Submit
C:\Windows\{5487EDD8-6C70-4f69-9513-B53227ED8877}.exe

Filesize
168KB

MD5
22ec772c9538f98f098dd43aab27ee28

SHA1
dabe20008e43a965bb18c63a5253dc1ec9bdcca8

SHA256
0f79689b129d5adf05a0e5d49c2ada0b76467b52cff838ad5998e2d077b42061

SHA512
273f440025e6e3ad8dbe2e9fcae2c45c29cb312a07b949547e51a8b18fc988967c0612a31b6a8dea87af5407b0b55fa29ded13baf8909d6154af4294e1e2610f

Download Submit
C:\Windows\{58D3B465-224D-4240-AEA4-A23614D7EA9B}.exe

Filesize
168KB

MD5
fbb37965f294d4b49426f3b06693e47e

SHA1
a371124160e4e28f33a01a0c9e2f1dfddaef4ba6

SHA256
6e5f4814d3b75c949e0ae8b1008af88ce4ccb924624140d98879151be470ee0e

SHA512
a7aa08ec86850c0006567d67e3f8120b1333e9b99964142e694c370ef05d50a0ff12e5177cdcaabc2840d388425bbf9f6db7b651f8eb2d192fc5a5a4272d921a

Download Submit
C:\Windows\{77C2DAEB-3820-44aa-B08F-474BFC8FE6EA}.exe

Filesize
168KB

MD5
2db446e731528807c5d97d56c1d565d7

SHA1
bf1faebb304704fad9305d3816bee7d6138a054c

SHA256
b76fed390c0f8339a8eac79d652b53d639945e1ead7b171486e5b514caabdb62

SHA512
ca6d56d8f8c8a61434a76626071a9f742cf5801ec34335628c49b2f56db190127f245c8273137565c0f246b5d2dcc079f279294865e9db6f30e7d980ae7ba025

Download Submit
C:\Windows\{87E49E4C-7E43-4ab0-80B0-ECE3B6FBC715}.exe

Filesize
168KB

MD5
a47ce9e30ece244c06c444831f30f701

SHA1
af9fde6517ef17ad4c923aabef78079ec98d4b22

SHA256
1b75006df1582c21e6649341f621d4a8a9da57afa5f8846b5d8b03d24c3dd1b5

SHA512
852462adbef42afe81111170c3440a142c3c4e6c4e54581a69a04ce0859a4f9cfb4c8cd48b95eafd0312cf4bc8c8c60bddbcb16e577e281750f32e933acdeccd

Download Submit
C:\Windows\{B8FE7B15-06A6-45da-970E-48B43F1E8351}.exe

Filesize
168KB

MD5
4fe2a42347aeddfb98eea8331e364517

SHA1
495a5e3de3f9e97e90fa3fe99dc4a1eb0c89df40

SHA256
b4693b597fbf62a2645d0e935cd0e6bac1a331fd8020276af0621c7e0ef6309a

SHA512
79647cdd14c4b786227fcbb9072f085c4f4c280a719e42bc1b3432439cde842d724cf40a6f05a6a7e356e9ca785b8b565be072a2d49fb5ba39654b7f1cdb2d31

Download Submit
C:\Windows\{D702858B-FC0E-4e0c-BCE1-188D7D4C8CEF}.exe

Filesize
168KB

MD5
93887d575ea0a7fef6fe0ed42e537406

SHA1
a3b67ff56d32f489ddc910e1e212e96837f563b6

SHA256
670e297f9fdf98fae93273727128e66efdfa56daf1a82f128504919546cd6a56

SHA512
524cd0a0a4ec4b7bb8d3d2990c210f020a8509427579034bc875793a04ef677b0f4661d3788e90ad5dcce21c32805e6f1565746c823579a4e2e8e5356ca862cf

Download Submit
memory/4872-24-0x00000000038E0000-0x00000000039BB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads