138f1db4e83f5ac0c841205c11c1730b9343af3fb5a4aa92d48b3378beaeec30

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
Size

168KB
MD5

7ff8dc1c5f4003e53becaac97adaef4d
SHA1

c95d3ef78bb165a0c37def0f9c8e0e416f854cbe
SHA256

138f1db4e83f5ac0c841205c11c1730b9343af3fb5a4aa92d48b3378beaeec30
SHA512

ab99c60fad8768f53a8fcf9114563d05a8dee35353c6cd0eca263b1b28524202bd96a63d3ad1b28faf267b2030468a6b21a11f7311dc9fe5f5d4d9eeed48a18d
SSDEEP

1536:1EGh0onlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0onlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002327f-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002327f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7906B03F-8AAC-4e9a-A465-710566AB45DE}	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}\stubpath = "C:\\Windows\\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe"	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5853C916-3A12-42dc-9C89-EF378FECDEAF}	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8D754B-B142-49ff-875C-A5B10E725D9F}	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0E5637E-9390-4f35-957B-4A134B76690B}\stubpath = "C:\\Windows\\{E0E5637E-9390-4f35-957B-4A134B76690B}.exe"	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97078F96-F980-4d4a-9AD8-51FE57959922}	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9148DCC0-FC7D-4889-A0B7-87E829511417}\stubpath = "C:\\Windows\\{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe"	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8D754B-B142-49ff-875C-A5B10E725D9F}\stubpath = "C:\\Windows\\{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe"	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0E5637E-9390-4f35-957B-4A134B76690B}	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7906B03F-8AAC-4e9a-A465-710566AB45DE}\stubpath = "C:\\Windows\\{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe"	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}\stubpath = "C:\\Windows\\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe"	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5853C916-3A12-42dc-9C89-EF378FECDEAF}\stubpath = "C:\\Windows\\{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe"	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}\stubpath = "C:\\Windows\\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe"	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9148DCC0-FC7D-4889-A0B7-87E829511417}	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}\stubpath = "C:\\Windows\\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe"	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97078F96-F980-4d4a-9AD8-51FE57959922}\stubpath = "C:\\Windows\\{97078F96-F980-4d4a-9AD8-51FE57959922}.exe"	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}\stubpath = "C:\\Windows\\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe"	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe

Executes dropped EXE 11 IoCs

pid	Process
4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe
3652	{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
File created	C:\Windows\{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
File created	C:\Windows\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
File created	C:\Windows\{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
File created	C:\Windows\{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
File created	C:\Windows\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
File created	C:\Windows\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
File created	C:\Windows\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
File created	C:\Windows\{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
File created	C:\Windows\{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
File created	C:\Windows\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
Token: SeIncBasePriorityPrivilege	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
Token: SeIncBasePriorityPrivilege	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
Token: SeIncBasePriorityPrivilege	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
Token: SeIncBasePriorityPrivilege	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
Token: SeIncBasePriorityPrivilege	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
Token: SeIncBasePriorityPrivilege	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
Token: SeIncBasePriorityPrivilege	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
Token: SeIncBasePriorityPrivilege	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
Token: SeIncBasePriorityPrivilege	3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4208	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	91
PID 3352 wrote to memory of 4208	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	91
PID 3352 wrote to memory of 4208	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	91
PID 3352 wrote to memory of 3692	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	92
PID 3352 wrote to memory of 3692	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	92
PID 3352 wrote to memory of 3692	3352	2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe	92
PID 4208 wrote to memory of 4948	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	101
PID 4208 wrote to memory of 4948	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	101
PID 4208 wrote to memory of 4948	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	101
PID 4208 wrote to memory of 3260	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	102
PID 4208 wrote to memory of 3260	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	102
PID 4208 wrote to memory of 3260	4208	{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe	102
PID 4948 wrote to memory of 4748	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	104
PID 4948 wrote to memory of 4748	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	104
PID 4948 wrote to memory of 4748	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	104
PID 4948 wrote to memory of 4548	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	105
PID 4948 wrote to memory of 4548	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	105
PID 4948 wrote to memory of 4548	4948	{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe	105
PID 4748 wrote to memory of 208	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	106
PID 4748 wrote to memory of 208	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	106
PID 4748 wrote to memory of 208	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	106
PID 4748 wrote to memory of 312	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	107
PID 4748 wrote to memory of 312	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	107
PID 4748 wrote to memory of 312	4748	{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe	107
PID 208 wrote to memory of 4380	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	108
PID 208 wrote to memory of 4380	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	108
PID 208 wrote to memory of 4380	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	108
PID 208 wrote to memory of 3016	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	109
PID 208 wrote to memory of 3016	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	109
PID 208 wrote to memory of 3016	208	{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe	109
PID 4380 wrote to memory of 5108	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	110
PID 4380 wrote to memory of 5108	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	110
PID 4380 wrote to memory of 5108	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	110
PID 4380 wrote to memory of 2300	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	111
PID 4380 wrote to memory of 2300	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	111
PID 4380 wrote to memory of 2300	4380	{E0E5637E-9390-4f35-957B-4A134B76690B}.exe	111
PID 5108 wrote to memory of 3280	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	112
PID 5108 wrote to memory of 3280	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	112
PID 5108 wrote to memory of 3280	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	112
PID 5108 wrote to memory of 4436	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	113
PID 5108 wrote to memory of 4436	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	113
PID 5108 wrote to memory of 4436	5108	{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe	113
PID 3280 wrote to memory of 4040	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	114
PID 3280 wrote to memory of 4040	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	114
PID 3280 wrote to memory of 4040	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	114
PID 3280 wrote to memory of 1372	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	115
PID 3280 wrote to memory of 1372	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	115
PID 3280 wrote to memory of 1372	3280	{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe	115
PID 4040 wrote to memory of 2332	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	116
PID 4040 wrote to memory of 2332	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	116
PID 4040 wrote to memory of 2332	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	116
PID 4040 wrote to memory of 8	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	117
PID 4040 wrote to memory of 8	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	117
PID 4040 wrote to memory of 8	4040	{97078F96-F980-4d4a-9AD8-51FE57959922}.exe	117
PID 2332 wrote to memory of 3124	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	118
PID 2332 wrote to memory of 3124	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	118
PID 2332 wrote to memory of 3124	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	118
PID 2332 wrote to memory of 4684	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	119
PID 2332 wrote to memory of 4684	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	119
PID 2332 wrote to memory of 4684	2332	{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe	119
PID 3124 wrote to memory of 3652	3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe	120
PID 3124 wrote to memory of 3652	3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe	120
PID 3124 wrote to memory of 3652	3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe	120
PID 3124 wrote to memory of 2940	3124	{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_7ff8dc1c5f4003e53becaac97adaef4d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
  C:\Windows\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
    C:\Windows\{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
      C:\Windows\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
        
        C:\Windows\{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
        
        C:\Windows\{E0E5637E-9390-4f35-957B-4A134B76690B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
        
        C:\Windows\{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
        
        C:\Windows\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
        
        C:\Windows\{97078F96-F980-4d4a-9AD8-51FE57959922}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
        
        C:\Windows\{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe
        
        C:\Windows\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe
        
        C:\Windows\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe
        12⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10692~1.EXE > nul
        12⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9148D~1.EXE > nul
        11⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97078~1.EXE > nul
        10⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAD78~1.EXE > nul
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7906B~1.EXE > nul
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E56~1.EXE > nul
        7⤵
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8D7~1.EXE > nul
        6⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA744~1.EXE > nul
        5⤵
        
        PID:312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5853C~1.EXE > nul
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1262~1.EXE > nul
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10692CC0-E7D9-4fe7-8D3D-505C402B2A40}.exe

Filesize
168KB

MD5
4cbb760a18ee81c262b0ddde9b9996a3

SHA1
547205e5a401ce797330a8298ed43a2eb04feaba

SHA256
21bb58fc9cbd1975fb0327965da1bedb62830dcc3ea9fff19005fe3725164087

SHA512
4aa8c1e4a756c6640713df66a3f0fdf066a4a76b1ecdb545cead692104000ba88fe2000e8604aa7340bfc5c1eb47aabc2e6e15fb99882d13babba950eae28db9

Download Submit
C:\Windows\{5853C916-3A12-42dc-9C89-EF378FECDEAF}.exe

Filesize
168KB

MD5
c61a9790e1db72013af96cb615bae5d6

SHA1
5828658d2fb8618c447ce0f87219436e308cd456

SHA256
41de44a42fd63a321ca52039077a097390143cdae4cbc29864b6ac69d5d3f23e

SHA512
a23952827bb167e789db395d50462a5be3a3118dab06e28ea295da43b8c3abf1583a4640e80719e2f99730faf528d3bce932401d0abe1f44a780c895720fd8e7

Download Submit
C:\Windows\{7906B03F-8AAC-4e9a-A465-710566AB45DE}.exe

Filesize
168KB

MD5
0688de848a96c5b4aa8a79ffc0feb7c3

SHA1
fd2dfe29807dc444b27fcf669fc6134d77fe50dd

SHA256
e2708af44deef31990762ed4e13bd072b7ee75465bf09c35f9ad00377b963142

SHA512
bfeb1d4d2d346f48f281a38282e4ad5b70b58b473dd50ac3102a4655e8e3a3b3d3af77adcbe76541f2e4b993de1c10ee116ae3fed76ce68ffd9be0a1e5aeec1d

Download Submit
C:\Windows\{9148DCC0-FC7D-4889-A0B7-87E829511417}.exe

Filesize
168KB

MD5
b03a15e86d15552ecbbe8cd73f92a731

SHA1
9e86b72f6995881a6a9f6012b4d847e1d9dc8a15

SHA256
af5ae8718a610cadd1a4be5ed6cbfdd1624dd44cabb027725f684c0c39b9d466

SHA512
c4207a18ae2d6716f7786f156ada161445256569c1c00f745372db97ef4d29a400dc7573db3df3f7a73f87af613e8d1dbbc6b60a641574a86896ab4a4789e0d9

Download Submit
C:\Windows\{97078F96-F980-4d4a-9AD8-51FE57959922}.exe

Filesize
168KB

MD5
94c136acc38a3f17c34e3d2fff479071

SHA1
2a945d20fb654557c02934d1f3445dad28cb2908

SHA256
c00df91221e15afb4f21026b1e9d275bc7d25dc351781f246b50bc75980a79ba

SHA512
4eb25d6156a54434cb0fab8c4c471ee50ef5d821629b0532357d3acb4f39c2f89d0ee0fb21a3f59c97e8478093cb5bec526f6205cdb794c90a1bc2da51fda527

Download Submit
C:\Windows\{C1262F84-3BC2-440a-BEFC-40F26E84AC8B}.exe

Filesize
168KB

MD5
f5065891e6459cb25f897060bcce2bbb

SHA1
b083096ca1774e26c0ac43c0eed474f8c176a354

SHA256
d4cea935e07a81759ca33bfc759b33751dcb1e0cf77b463d2fb36261569218fe

SHA512
250a4cd3ea2e1d0180352746c64a1b9c0f9bd05459dc7503c132ac8bd7c032ce91e4f91c2e5cec320ff5b181f054e39eff31f299d80817b89ea6d4ed9bdcbe25

Download Submit
C:\Windows\{DAD7878C-C302-458e-9CC7-8B7F487E85E0}.exe

Filesize
168KB

MD5
6830d1d3350309d4f63dd5b2dad836d9

SHA1
0792343c00f62af0f426514cbec6c372cc3f387e

SHA256
de7b0714487427504460417b79b56975583a056e8d1370d7379a273e33e2a8d9

SHA512
d612d9d64ac379af9616823a95bc44120ee41d92fef104c80931d050fe1fdcb96b44aea061a46d6662da3c5f6064d1dcac8d6dc5a98c5e294fa4023a18e12c87

Download Submit
C:\Windows\{DD8D754B-B142-49ff-875C-A5B10E725D9F}.exe

Filesize
168KB

MD5
f82cc3a59b07b7838d5a318671fd1b5d

SHA1
c1105665207a6c744a8666635fe80c390f9e7782

SHA256
42d738bf0e1600e0e5cba2b590982a7e596572493e232a75f2586e1348988e9c

SHA512
4200056d90e64103cc01f9e13df8d18cbc4a3d0261ff75ae744423d9a387a54afdf25d77d302c559087701d30e8a293613d834a81365389008c672b35c22d4aa

Download Submit
C:\Windows\{E0E5637E-9390-4f35-957B-4A134B76690B}.exe

Filesize
168KB

MD5
5c4b2db486d5ceff8bcc6ad8feb4ff4f

SHA1
88715a09e78a188b5ca7bcec55ec9328d92f1106

SHA256
6fb8bbc59dbafbe67365bcc6f8a55bf9ed8dc6cdf494b18922364e8bda5cb8f6

SHA512
db7092209b095c63c071c2e34fd25888f47f595ad96a480998d98be13a8155eb82fdaa3096eb775b6250f6f1c1b12165a8b9416cb9e0024f35bf39c8c19d91b9

Download Submit
C:\Windows\{E2020F08-5315-45a2-96A2-69FD9C5CD3E2}.exe

Filesize
168KB

MD5
0277c516eacbb64d7cd3ff8f107bdd9d

SHA1
a7b0b7223b592be4b03b62b248d18f0b2f3ff6a8

SHA256
9aaea1cef17e9abebb0e8baf28802db0066cb467f5b1e7e204d93b1255370ef5

SHA512
925f0d896ca521676611b9d8868847a8aeaf1a877c417a38e740679ab3bf9b3f0d1d9be8214333903549c46608106c76a4ae7829947e3e2ccc9dd693af3a08d6

Download Submit
C:\Windows\{EA744B7E-823E-4d7d-B844-0F6C47554A5F}.exe

Filesize
168KB

MD5
ca1a6380b601ef0e9353ca2307fce08e

SHA1
aa29b2e3f654aa3188985c1df46ce0a67e415af3

SHA256
21823190acdf4b5327fa2121f35193c323d6d046652c86da55ea4c9b390616b1

SHA512
fee296ff52246201325d8fc01a0cad28ef58b47876144b5411cebf5de697b58637fcb137d42ef2bdaed901b04c2b81b9518ff5c2311f06e5113d20419f5c1af3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads