0db813dd449574cfd56b459480a155167338e8f5e19a5ab02c8335d98be295d1

Analysis

max time kernel
155s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
Size

204KB
MD5

4ede1f20c01989f6fc2afefd1c7fd0c8
SHA1

9fcb63da846cfc5b37d933a77819758806c123c1
SHA256

0db813dd449574cfd56b459480a155167338e8f5e19a5ab02c8335d98be295d1
SHA512

37db6856dc67475166c05a86eddc8582789ad3227d3e15d1abfdcc005e3fa305373a835d99264ff775804db758e970e689a16369e24892145b54808eac17a460
SSDEEP

1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022ea1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023275-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023279-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023275-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023279-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023275-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023279-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023275-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232a4-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d0c-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}\stubpath = "C:\\Windows\\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe"	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}\stubpath = "C:\\Windows\\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe"	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}\stubpath = "C:\\Windows\\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe"	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}\stubpath = "C:\\Windows\\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe"	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}\stubpath = "C:\\Windows\\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe"	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}\stubpath = "C:\\Windows\\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe"	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}\stubpath = "C:\\Windows\\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe"	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}\stubpath = "C:\\Windows\\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe"	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDEA412-122E-4900-9163-315CBCE669A2}	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}\stubpath = "C:\\Windows\\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe"	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C65DA071-055D-4502-AC1A-85C740048BF7}	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C65DA071-055D-4502-AC1A-85C740048BF7}\stubpath = "C:\\Windows\\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe"	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDEA412-122E-4900-9163-315CBCE669A2}\stubpath = "C:\\Windows\\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe"	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
1532	{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
File created	C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
File created	C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
File created	C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
File created	C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
File created	C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
File created	C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
File created	C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
File created	C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
File created	C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
File created	C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
Token: SeIncBasePriorityPrivilege	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
Token: SeIncBasePriorityPrivilege	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
Token: SeIncBasePriorityPrivilege	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
Token: SeIncBasePriorityPrivilege	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
Token: SeIncBasePriorityPrivilege	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
Token: SeIncBasePriorityPrivilege	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
Token: SeIncBasePriorityPrivilege	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
Token: SeIncBasePriorityPrivilege	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
Token: SeIncBasePriorityPrivilege	916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2660	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	102
PID 4880 wrote to memory of 2660	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	102
PID 4880 wrote to memory of 2660	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	102
PID 4880 wrote to memory of 4960	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	103
PID 4880 wrote to memory of 4960	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	103
PID 4880 wrote to memory of 4960	4880	2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe	103
PID 2660 wrote to memory of 1716	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	112
PID 2660 wrote to memory of 1716	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	112
PID 2660 wrote to memory of 1716	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	112
PID 2660 wrote to memory of 1224	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	113
PID 2660 wrote to memory of 1224	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	113
PID 2660 wrote to memory of 1224	2660	{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe	113
PID 1716 wrote to memory of 4488	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	116
PID 1716 wrote to memory of 4488	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	116
PID 1716 wrote to memory of 4488	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	116
PID 1716 wrote to memory of 1692	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	117
PID 1716 wrote to memory of 1692	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	117
PID 1716 wrote to memory of 1692	1716	{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe	117
PID 4488 wrote to memory of 2204	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	118
PID 4488 wrote to memory of 2204	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	118
PID 4488 wrote to memory of 2204	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	118
PID 4488 wrote to memory of 2332	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	119
PID 4488 wrote to memory of 2332	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	119
PID 4488 wrote to memory of 2332	4488	{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe	119
PID 2204 wrote to memory of 4312	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	120
PID 2204 wrote to memory of 4312	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	120
PID 2204 wrote to memory of 4312	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	120
PID 2204 wrote to memory of 3004	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	121
PID 2204 wrote to memory of 3004	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	121
PID 2204 wrote to memory of 3004	2204	{C65DA071-055D-4502-AC1A-85C740048BF7}.exe	121
PID 4312 wrote to memory of 2908	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	123
PID 4312 wrote to memory of 2908	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	123
PID 4312 wrote to memory of 2908	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	123
PID 4312 wrote to memory of 2316	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	124
PID 4312 wrote to memory of 2316	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	124
PID 4312 wrote to memory of 2316	4312	{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe	124
PID 2908 wrote to memory of 4048	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	125
PID 2908 wrote to memory of 4048	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	125
PID 2908 wrote to memory of 4048	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	125
PID 2908 wrote to memory of 4860	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	126
PID 2908 wrote to memory of 4860	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	126
PID 2908 wrote to memory of 4860	2908	{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe	126
PID 4048 wrote to memory of 3936	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	127
PID 4048 wrote to memory of 3936	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	127
PID 4048 wrote to memory of 3936	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	127
PID 4048 wrote to memory of 3184	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	128
PID 4048 wrote to memory of 3184	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	128
PID 4048 wrote to memory of 3184	4048	{6DDEA412-122E-4900-9163-315CBCE669A2}.exe	128
PID 3936 wrote to memory of 2912	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	135
PID 3936 wrote to memory of 2912	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	135
PID 3936 wrote to memory of 2912	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	135
PID 3936 wrote to memory of 3956	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	136
PID 3936 wrote to memory of 3956	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	136
PID 3936 wrote to memory of 3956	3936	{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe	136
PID 2912 wrote to memory of 916	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	139
PID 2912 wrote to memory of 916	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	139
PID 2912 wrote to memory of 916	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	139
PID 2912 wrote to memory of 4332	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	140
PID 2912 wrote to memory of 4332	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	140
PID 2912 wrote to memory of 4332	2912	{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe	140
PID 916 wrote to memory of 1532	916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe	141
PID 916 wrote to memory of 1532	916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe	141
PID 916 wrote to memory of 1532	916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe	141
PID 916 wrote to memory of 3864	916	{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe	142

C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
  C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
    C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
      C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
        
        C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
        
        C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
        
        C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
        
        C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
        
        C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
        
        C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
        
        C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe
        
        C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FFA1~1.EXE > nul
        12⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B038~1.EXE > nul
        11⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ECCA~1.EXE > nul
        10⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDEA~1.EXE > nul
        9⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B209C~1.EXE > nul
        8⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99B3F~1.EXE > nul
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C65DA~1.EXE > nul
        6⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C6F0~1.EXE > nul
        5⤵
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{488AB~1.EXE > nul
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3B15~1.EXE > nul
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe

Filesize
204KB

MD5
3707aa55bb4f261cee597394af0998c9

SHA1
6e54b41411afa2d2f2ab580678e8ba3dfd5bf54a

SHA256
cd4a9abda2339e330cf045a18cdff82aba0a6ffdfafb5aaf45086fca05fc3b76

SHA512
6775af8ab26b7f7f7564377659a3c92379d93d4420af7f0dc9ee5b3922fd1a47a07ac21ead0990ee475ff8fb438a936992f97c130c2bfb8e4aec0b2ab833ae42

Download Submit
C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe

Filesize
204KB

MD5
9fcd8e28f7cc65f4702cff964caf0125

SHA1
8426750636474a3cecffc706201666afd7f582f8

SHA256
970c725d7bef71a793a218579038197e47e4f4927f5fc76eeb417e42986213c2

SHA512
b20f267b49ae5cb50c95b69006ad18c078bcef1ce9c4326517ddf08bd5b2a51cc8201117a04aa16b9ae85a02494664136eee26e146fbe0020f568f0639802b2c

Download Submit
C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe

Filesize
204KB

MD5
1e78964082663840f17b6438b6b9d121

SHA1
6c090d0dbc225262c72d7afce30ac076883f1d2b

SHA256
ff9071659468ff338ede9f080fd333d0bc79d23a9ae3fb14d1e3d194616b7797

SHA512
a452e1df87d4e8bbd6d6179d9806a7f9d85c250d4e40d0f53119cbb43ea2ef13fab7d3da379598026fd2cd769270c9a58aa372f46111e460a74b502ffef702c6

Download Submit
C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe

Filesize
204KB

MD5
4e5169d219950cd21bda608a02982230

SHA1
948e021131888453fc657a52b27cc365d7762a14

SHA256
e2888f7ca8076485c753d4eb2a97316bc8bcd80626908c33b14fb322c7998320

SHA512
eaa12020dae69644d403e69aa5f1760b7e2d8e001a11868e5999440799bb9bc7ee487413ad92d93ea0e97d8b4ab0fb84dc913af57b051fff7cf51e9effc38a58

Download Submit
C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe

Filesize
204KB

MD5
df84ab456d75eedeb04557ecfc235d37

SHA1
aa36d78eb4de9fea9a0cd2e9f9c64586856bcdd3

SHA256
798ad8b4da9d0f36710cc8ee25b72052fae5a51273d1020783dfc2c8317ae3f3

SHA512
6a81f9172aff4cba0c58923a41862ceaf31539bf83e48db06a7962807ca7ba114b092b8a4f52948fe26b807c73afb24d93320caeac23825022f2d50bd71c2698

Download Submit
C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe

Filesize
204KB

MD5
95b63b2603507b79a465d2c478238f3a

SHA1
aec1303b20d913283b129faeeca906b75d9ec053

SHA256
36b39ea3c6e7d6045f0dcab2e07de100cc8d97ae495062fdac3eda3d3f5b77bc

SHA512
4793b12a7ea661b23a02b35ee34174e8a9d2cb2e9e6699a09c4ad51f526bc4083bb540f3deeb5ff4cbc1b58d65c72ad0f1937d3b5715ad2da6155ac092dbb619

Download Submit
C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe

Filesize
204KB

MD5
121bdc5d6d98f33c981b3ae71c39d377

SHA1
e088e1ff6ef0740bcc2b929a9dbb66e685c19ca1

SHA256
987a6d1921b108659e77f2a6054a10ba7f6f57d3fbd0257d4ad0f4cc06ed05d0

SHA512
009141dffb5b4b6941625c9dd3da091a781a19c8a45032e7e2d49ad64c43177149029ef64dbea3d5525d980b43b5f94e3a2e11f1d6654568527fc8b78c08db0e

Download Submit
C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe

Filesize
204KB

MD5
2a5f276e5ed8f6bb4e1dfd152f7aa416

SHA1
331daf1cbd0e9c60f353f98d033b61c45d800f0e

SHA256
c5dc4a0a9249fa3126a95e8d2231fd4f31c2a2bddf337e8e7f9568a35bf08a8d

SHA512
f6c3ba4d400c4e3c7199b26c8741b631c08898de69fdfce2ace4c4cd9919242746a000d4aaef2e4503512963aa28710a0f6932a0977ebf98bc7b894e217ef0a9

Download Submit
C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe

Filesize
204KB

MD5
c063a09380b6ad42b4afde75cd198c3a

SHA1
4e922d06683efe892b5f655d05d9d4ec6c967763

SHA256
867df88719a2ee349e76a632ae1fbd73ff17f86b2cbb04b6680f4364710139ed

SHA512
469200451bb6ebaa97d3afc6b2acdd3236bbf022138841e18f2e4b50e7931556432ea6cf8abdc27618d6b7ceca4b25751292a55b052e29880facb7060a630872

Download Submit
C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe

Filesize
204KB

MD5
73aca31b90af96e17a820e39986de67e

SHA1
e72196ebb103da3bd6d586625b4cf74ea913cb47

SHA256
6d3be06623f026f275662702345ca4f1678e379b21016301a6a9e97222b311be

SHA512
43355e8b797c8718d14810c1b6e81d1036ae4c14fbbb518ab1cbc14ea568a78be6e626fda0ae72954658e6319fe57fa799e4d5ffcb01e8125e1a14270ca276f1

Download Submit
C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe

Filesize
204KB

MD5
ac9efb539b47871df411c0ee36220542

SHA1
6e348352b6430755d9b4f3ddc6c04bd65c242dca

SHA256
9c848a0a94f565d22c50030743a7a8efed4a097f63a8c61ec8658e9eed4e2662

SHA512
b513f4bf9254f203b79788687aeeb9d6eb1679ee7454159ce313ae0d78f6bceb701bbb6d08690d38bc5b450c358ea01dc954a5f5fffb059a6ccad556d75ba4a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads