hxxp://github[.]com

max time kernel
77s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 17:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
972	GoldenEye (1).exe
1096	HOSTNAME.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
1	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HOSTNAME.EXE

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GoldenEye (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOSTNAME.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 462239.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 211509.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye (1).exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{0f1b88e0-f089-4589-9918-6e539aec7e9c}\HOSTNAME.EXE\:SmartScreen:$DATA	GoldenEye (1).exe
File created	C:\Users\Admin\AppData\Roaming\{0f1b88e0-f089-4589-9918-6e539aec7e9c}\HOSTNAME.EXE\:Zone.Identifier:$DATA	GoldenEye (1).exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
4864	msedge.exe
4864	msedge.exe
1136	msedge.exe
1136	msedge.exe
2132	identity_helper.exe
2132	identity_helper.exe
4164	msedge.exe
4164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1096	HOSTNAME.EXE

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3104	4864	msedge.exe	77
PID 4864 wrote to memory of 3104	4864	msedge.exe	77
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1004	4864	msedge.exe	78
PID 4864 wrote to memory of 1080	4864	msedge.exe	79
PID 4864 wrote to memory of 1080	4864	msedge.exe	79
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80
PID 4864 wrote to memory of 4696	4864	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb92293cb8,0x7ffb92293cc8,0x7ffb92293cd8
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,18261361380607135392,10552221911689962816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Users\Admin\Downloads\GoldenEye (1).exe
  "C:\Users\Admin\Downloads\GoldenEye (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:972
- - C:\Users\Admin\AppData\Roaming\{0f1b88e0-f089-4589-9918-6e539aec7e9c}\HOSTNAME.EXE
    "C:\Users\Admin\AppData\Roaming\{0f1b88e0-f089-4589-9918-6e539aec7e9c}\HOSTNAME.EXE"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6f9737113091cf1d309d3ed978448134

SHA1
4917d575c5c0c4543696600ce61f3562911fbb06

SHA256
95430828c205d88d21a9aa3cd65332177ae252a6c1d9f1d9ac1b95c8f451d60e

SHA512
400d92c82e81074d1a32cee428e32df9cb3474331ba04f1c1b22ea887a7390160e96f24fc65376085031158ee68266fddf80b80d4132bdc56974917e1f117186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
35c33d5924c48303930fd4aafa5c6b25

SHA1
2a35f4956f3bd76aae15b46dd8adab05fd5f9031

SHA256
56079b794bb851a86df24d0d7e6dfd2c15fd43086db25f9c05557e86fae65201

SHA512
83e744f3d311f6a6291f0640bb1a67169036a279787c43377ec7ed86ebc113cea953c99f3555a2e2f8b3aadbb47905306fe0a55927c2278dde3b637ad11054cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2e88b7c77d3db34ef42a21f4a4d5025

SHA1
974334073bd7ce17d176057a1e3be8a0ca81e350

SHA256
54ae0805ead41bd4106ed97a89f69b81cf426ef21f2a6d5a89aae746220190a9

SHA512
573ddf3c58581b3eb28007409f8ebe91a47239c17897f38e377ccb535726f0eea926b38f1d0d7ea31eb95cfa32f75ea0219eb8be24361cb0d8d524d18b42a86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2220862d4175b75af2e1f456151e8263

SHA1
08b854b50dca08612e90bcec1a3994bf288162d0

SHA256
487504da4992f7de9603127d711ab51ef3e132064d2816326c245f7e93e7ac1e

SHA512
32a123004e93648a19a48e6508b6ebeb49f7d22fbd579e499459c56dc000bd6a997d0feac143d4659acc08050896d43a8bfdb864e82507f08f45105fb946389e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
affbf1e303324717637eb2af0ddefa80

SHA1
32b36707f4f2b6e2513d2054aafd46beb10b0b25

SHA256
f1b6140ef297b0326c8e8fbcc5b56640b54291d874e59367ae8c3d21e1a9429e

SHA512
2fa0c3e0a997aa1fb70158906311d4a29f8b5956f545173fb18f8ee1c233e9ffecaa785b176f3860e1255f128c6f1763eda9827996df4244a7b5de872c357702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fce35e2b2838958903672de46976b665

SHA1
e79faa270ae4af989c8bc85f44f0ce56ee14a57b

SHA256
61c2202ca184a5885d9bf90c8e34072fbbdbfd75ebfa9bed7c894a95bcbca9b0

SHA512
59c29157df98af0af536f2d2e63b7c8d24b12f392483f77cb96303a8db7e01b2046376a10364a6bd8ec7676f7d9d6134a35524c4228b5d9352e17ada47b6ac17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
528859981779ce188055f0cc094e9029

SHA1
a25a2cbfe0d705e5b31a3efeb5c96974aa18fe74

SHA256
dbcbef44eef39a0cf899268b09065fa5dbc7b7868d32454f4773473766c68226

SHA512
534e269603ce5ed44392f53a0bd11253a4875818d66f5a11e25387de549a35913ded6ff2e104655754e0cfb0f250f5e8b20db33660921201c759adc5e039b1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
36cd8564bbdca7d7a5c591549bcea18f

SHA1
8a1ac6ae6193d7e95c27baface58114bdac387b8

SHA256
bbbbf0308a7007c288095faff56977d690ca90eeeed6ac93482de69bbfd733fc

SHA512
585214a7a203f64450fa00524d163d6375a7b3de46da0b2b6f3e97a9a7f01554decafd820c351cbba6f560821d79951cbae56d179f0b85f3de191ce5ff969b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dcdeec012479aa486140fcdd229d1eb5

SHA1
c54e316febd14c5d4e722685170042f4d236f772

SHA256
ac9897cbeea365f08a4da545a38570acf467cd198533e01b36ed20a2ce497a8f

SHA512
16983e6451fd8db396dfc26d422b9ea53476f8d92640cc74943f6df1aeaf197e337e3a5f80f67b94641b2775834f965a3559ebe4861e05c6f10c102d168fc7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03ea854765b6ae0ee4ad538fd4c0e6b2

SHA1
2a25b72f391e17ea043d93aeecf80cbe83aeb70a

SHA256
238c99e817b1d57bf9dba3b04a0585d9d99106b9207b236f8a9802f28ba34b61

SHA512
6d57d8b2bef182c9cb94c3ade74279e0286f1dcb9ff1f1fbc1e7a7e9953c61558b31b3b60cbf09756abd5dce71f589bbf0e274b347570b390641176b61b36871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582016.TMP

Filesize
706B

MD5
4545c71edd0c925af6cd80dc8c331dcf

SHA1
76685395aa28e6c41e1debbf12bb861a6a809f1d

SHA256
45f832592ae2f6876aa32ff77f66f87b8e17821aebb6bd208735004fe5f0825a

SHA512
19f9843cd0c68c89dbb48ac77c068198cb95459eff4bb9dc1c96591bb2839d361af14e6e54abe4583019eddadb2a68d609938963989e4ad2fd393d6855721b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7a23b12e2f9e3691038f8712223b221

SHA1
53ddb49aae97748ad1153244091aaa795912edf0

SHA256
4ba5aca4842b34ec2956106cfce001a61bf682861ba6c01490904c20c541994e

SHA512
72714eb5840e5700466f8586f6f77ed19b9cac248db46f4bccb0f4a5853e669fee4d1ec09fe93e70d434ed79292348d63dc64d277e410cbd8b5d8314960cf244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a26b6f8d63ec4a683a3ad1b0f9a034c2

SHA1
d9cbee0ce4e0410d8d58c1d9bb703980cddbcc5c

SHA256
b5bc7652134a7bccf4cb62d1a37792e0d79522467b230d470d1163835aa6e0e4

SHA512
a2744b4f8ad5577d63684a2d8995726374185c5463a29162db3eba70181e4d0d667668fdf987f2f026c787168af542ce1765ce612f4689ed0a8f02e83a9caae4

Download Submit
C:\Users\Admin\AppData\Roaming\{0f1b88e0-f089-4589-9918-6e539aec7e9c}\HOSTNAME.EXE

Filesize
255KB

MD5
e8cca3b983b076a5a65fa3e8fdb8e80d

SHA1
3507f9d2ff9bb2db51f9ccbc731f1b52226482c2

SHA256
3968452a3f0e683886c3c1c9a17862c4dff189d065641b2f4737d46bb779d835

SHA512
94fed34a32488dabe1ee470fa784ef8d48ac33e63f02bf6ea3b4b236e0d561b5c26ad60e014749b472e7f80af7761f181376116b8d13f05fecc67b6a1d4ff20f

Download Submit
C:\Users\Admin\Downloads\GoldenEye (1).exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 462239.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads