6dff3b61ba87c731e92cd0bb53f11776b2921df8f0096f2fc714f609ed76540d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
Size

197KB
MD5

dd1946873f291aeb59777b8e06c4a99f
SHA1

4d189705c699cb87b573d04e569dcbafbc14c6d9
SHA256

6dff3b61ba87c731e92cd0bb53f11776b2921df8f0096f2fc714f609ed76540d
SHA512

cb24c9c74cd0f77280b7597643027287edc02fa6630114f22b717120d51da3239d7bbf35ec98e82a4f7f13a2e4acedf471d7496a4607de9d76d170dec2123936
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023262-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000022e9f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000022e9f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002327b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000022e9f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000232a0-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31FE0728-9726-488a-A614-DE8CED5882CE}\stubpath = "C:\\Windows\\{31FE0728-9726-488a-A614-DE8CED5882CE}.exe"	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478A0750-9ED4-4841-92CC-185449CA3FE4}\stubpath = "C:\\Windows\\{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe"	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}\stubpath = "C:\\Windows\\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe"	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61D5043-D19C-4048-A9B1-39555DD667FB}\stubpath = "C:\\Windows\\{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe"	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BADCD1BD-C375-42c4-857F-367A04F7A558}	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BADCD1BD-C375-42c4-857F-367A04F7A558}\stubpath = "C:\\Windows\\{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe"	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478A0750-9ED4-4841-92CC-185449CA3FE4}	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61990F75-5486-4ab3-B78E-EABB1E117087}\stubpath = "C:\\Windows\\{61990F75-5486-4ab3-B78E-EABB1E117087}.exe"	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61D5043-D19C-4048-A9B1-39555DD667FB}	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}\stubpath = "C:\\Windows\\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe"	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{205D08E4-025F-45e2-91B2-4333B09BC177}\stubpath = "C:\\Windows\\{205D08E4-025F-45e2-91B2-4333B09BC177}.exe"	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31FE0728-9726-488a-A614-DE8CED5882CE}	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}\stubpath = "C:\\Windows\\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe"	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}\stubpath = "C:\\Windows\\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe"	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61990F75-5486-4ab3-B78E-EABB1E117087}	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{205D08E4-025F-45e2-91B2-4333B09BC177}	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}\stubpath = "C:\\Windows\\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe"	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe

Executes dropped EXE 11 IoCs

pid	Process
3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
4516	{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
File created	C:\Windows\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
File created	C:\Windows\{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
File created	C:\Windows\{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
File created	C:\Windows\{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
File created	C:\Windows\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
File created	C:\Windows\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
File created	C:\Windows\{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
File created	C:\Windows\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
File created	C:\Windows\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
File created	C:\Windows\{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
Token: SeIncBasePriorityPrivilege	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
Token: SeIncBasePriorityPrivilege	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
Token: SeIncBasePriorityPrivilege	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
Token: SeIncBasePriorityPrivilege	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
Token: SeIncBasePriorityPrivilege	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
Token: SeIncBasePriorityPrivilege	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
Token: SeIncBasePriorityPrivilege	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
Token: SeIncBasePriorityPrivilege	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
Token: SeIncBasePriorityPrivilege	1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3260	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	97
PID 220 wrote to memory of 3260	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	97
PID 220 wrote to memory of 3260	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	97
PID 220 wrote to memory of 4628	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	98
PID 220 wrote to memory of 4628	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	98
PID 220 wrote to memory of 4628	220	2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe	98
PID 3260 wrote to memory of 1992	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	102
PID 3260 wrote to memory of 1992	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	102
PID 3260 wrote to memory of 1992	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	102
PID 3260 wrote to memory of 2148	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	103
PID 3260 wrote to memory of 2148	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	103
PID 3260 wrote to memory of 2148	3260	{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe	103
PID 1992 wrote to memory of 2176	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	108
PID 1992 wrote to memory of 2176	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	108
PID 1992 wrote to memory of 2176	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	108
PID 1992 wrote to memory of 3188	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	109
PID 1992 wrote to memory of 3188	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	109
PID 1992 wrote to memory of 3188	1992	{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe	109
PID 2176 wrote to memory of 928	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	114
PID 2176 wrote to memory of 928	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	114
PID 2176 wrote to memory of 928	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	114
PID 2176 wrote to memory of 3260	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	115
PID 2176 wrote to memory of 3260	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	115
PID 2176 wrote to memory of 3260	2176	{61990F75-5486-4ab3-B78E-EABB1E117087}.exe	115
PID 928 wrote to memory of 4784	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	116
PID 928 wrote to memory of 4784	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	116
PID 928 wrote to memory of 4784	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	116
PID 928 wrote to memory of 456	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	117
PID 928 wrote to memory of 456	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	117
PID 928 wrote to memory of 456	928	{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe	117
PID 4784 wrote to memory of 1776	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	118
PID 4784 wrote to memory of 1776	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	118
PID 4784 wrote to memory of 1776	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	118
PID 4784 wrote to memory of 464	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	119
PID 4784 wrote to memory of 464	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	119
PID 4784 wrote to memory of 464	4784	{205D08E4-025F-45e2-91B2-4333B09BC177}.exe	119
PID 1776 wrote to memory of 2420	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	121
PID 1776 wrote to memory of 2420	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	121
PID 1776 wrote to memory of 2420	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	121
PID 1776 wrote to memory of 5032	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	122
PID 1776 wrote to memory of 5032	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	122
PID 1776 wrote to memory of 5032	1776	{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe	122
PID 2420 wrote to memory of 2220	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	123
PID 2420 wrote to memory of 2220	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	123
PID 2420 wrote to memory of 2220	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	123
PID 2420 wrote to memory of 3880	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	124
PID 2420 wrote to memory of 3880	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	124
PID 2420 wrote to memory of 3880	2420	{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe	124
PID 2220 wrote to memory of 1140	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	125
PID 2220 wrote to memory of 1140	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	125
PID 2220 wrote to memory of 1140	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	125
PID 2220 wrote to memory of 4072	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	126
PID 2220 wrote to memory of 4072	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	126
PID 2220 wrote to memory of 4072	2220	{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe	126
PID 1140 wrote to memory of 1896	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	132
PID 1140 wrote to memory of 1896	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	132
PID 1140 wrote to memory of 1896	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	132
PID 1140 wrote to memory of 4480	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	133
PID 1140 wrote to memory of 4480	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	133
PID 1140 wrote to memory of 4480	1140	{31FE0728-9726-488a-A614-DE8CED5882CE}.exe	133
PID 1896 wrote to memory of 4516	1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe	139
PID 1896 wrote to memory of 4516	1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe	139
PID 1896 wrote to memory of 4516	1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe	139
PID 1896 wrote to memory of 3020	1896	{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe	140

C:\Users\Admin\AppData\Local\Temp\2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_dd1946873f291aeb59777b8e06c4a99f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
  C:\Windows\{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
    C:\Windows\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
      C:\Windows\{61990F75-5486-4ab3-B78E-EABB1E117087}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
        
        C:\Windows\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Windows\{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
        
        C:\Windows\{205D08E4-025F-45e2-91B2-4333B09BC177}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
        
        C:\Windows\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
        
        C:\Windows\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
        
        C:\Windows\{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
        
        C:\Windows\{31FE0728-9726-488a-A614-DE8CED5882CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
        
        C:\Windows\{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe
        
        C:\Windows\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe
        12⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BADCD~1.EXE > nul
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31FE0~1.EXE > nul
        11⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C61D5~1.EXE > nul
        10⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74210~1.EXE > nul
        9⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC980~1.EXE > nul
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{205D0~1.EXE > nul
        7⤵
        
        PID:464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDFDF~1.EXE > nul
        6⤵
        
        PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61990~1.EXE > nul
        5⤵
        
        PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23ED9~1.EXE > nul
      4⤵
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{478A0~1.EXE > nul
    3⤵
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D016F23-25F8-4b20-9C17-32D9778D6DF2}.exe

Filesize
197KB

MD5
73012de2a547a5871bd4fb982eeff94d

SHA1
e5e6401ff310efbeb8e489952679193a681d5543

SHA256
b9ac9063068733a3b642b62f8e115c1886e9c20fb9731032455b95a94be01e9e

SHA512
3b2a4887716b7060cd89bb43bb517628f1098c6b381ac50f3e7b6189a473e9da8c08ce551147a3dc8c597203aea797599843fbe1a44ecc1f58fb344ad54924be

Download Submit
C:\Windows\{205D08E4-025F-45e2-91B2-4333B09BC177}.exe

Filesize
197KB

MD5
6475f9b5fb0b6ecab264b575b070e066

SHA1
503f1719b5e1e7be54a0f182e3e4dfa32c3b2870

SHA256
cb1120d50c38c2f1dbeca5c1d9bb5080c301e76bdb21b8a877c6cce4d0bfe298

SHA512
dbe37135904c557b4998dc8deee2835c7dc6b8d97b97ca13e12ce6995c70d1d3ef9453f533e6f54bd4b1f9981a5853761a572aec879e22169536b7afa5ca0042

Download Submit
C:\Windows\{23ED9FA9-2527-4ff9-9B31-61A2ED27AB78}.exe

Filesize
197KB

MD5
f11ad2e8d3a5140c2c3c73b5583631b1

SHA1
5877dedfbba3a6a1f22ce5989babc3e96fef88cf

SHA256
5cf85f7f2bb3ed0220a23559ec8bf3ec5fcbc687ac46777f9aa4ded12b937387

SHA512
42091da0b63c3023950fa9e8422307284b885b2521b88d685d145dd0ad5d38de25150c72dd804d07876adbd930e82062f2ac07701d83f67dccb7f6a76d4e8e86

Download Submit
C:\Windows\{31FE0728-9726-488a-A614-DE8CED5882CE}.exe

Filesize
197KB

MD5
09350ef46a814375c9bc09d03f6cfb05

SHA1
812f922ace72ef00f3c85ad1ea8870a99fda7e9a

SHA256
80001204f5e938bd7f342b6ad399dd97d210a97cf2391b55ae75f4434d87e275

SHA512
5e82237f1f336696d15fe438cd7976f8cffd35e5d4101e74d62f2b7976c7ff7fa6e668dca741e592ebd237dcf906b2fc0a24bc754897ab79f604c0732e820b14

Download Submit
C:\Windows\{478A0750-9ED4-4841-92CC-185449CA3FE4}.exe

Filesize
197KB

MD5
19370da4c938570714cc7e6c274a3367

SHA1
b6595144c3b8a27786643e103a46e59f700ad2eb

SHA256
cc2a1ee88c5f08f87eb6b884d92669edae1ce1a6502eaed89ce9db92c1ff6827

SHA512
8c4fa2946a66aea061bcba76120d2f4a6c8bd1a2046dad3fd948af18fc883abd9dc536c7e5879d33d11fc58baac71cd07b587c68f25bab3abbf65a2c8952b1b6

Download Submit
C:\Windows\{61990F75-5486-4ab3-B78E-EABB1E117087}.exe

Filesize
197KB

MD5
a3d0b63c782d50add9e8c2378bdb85e0

SHA1
7aa1cbcf7aa737dd0fcd59117cdb2100aa347812

SHA256
4a71c7c5cb4d2a6d39c7b4b596891e4767dc1b7b944e7cfa43b6868082da3780

SHA512
e99bd967d831c7bbb9f7485d63e3500342ffe15a05a69e145420f462040372b8e238657fb5998fcb8144160b497edf6c812924723e7cd544a7ddf70480d32ed7

Download Submit
C:\Windows\{742109C6-AA8A-4aa7-8980-F85FB55B08BC}.exe

Filesize
197KB

MD5
2509674a09fdf847d42b9eee0802e8f8

SHA1
de0a67ae0bb4687a306e8e64384b9fba69c27b52

SHA256
ef997a9542d6224f312807645319e25a2ef086ce1c666c20409734553e543c3a

SHA512
791e9130cfaf2fee9cd0f93cf2263989feb64d641f0525ec85ca19292e2721cb1648adc16ee2c6469c1a60c806db29089898cf8be9026cad82027d7d13daadb4

Download Submit
C:\Windows\{BADCD1BD-C375-42c4-857F-367A04F7A558}.exe

Filesize
197KB

MD5
1afdf06cb4d5502ca9c07d41f7539839

SHA1
b377b1b6ac6db60e52e1abc8c61be8d00c35a6af

SHA256
f8e6d8a0247ddacfa25c7f5e74bd224c38abcc7934b241bb159106f7b7dfc757

SHA512
c2bc74e626efcbb3c5be17cfbf4d538aa1268ef4c76bd7393aa3e910b28866eb87d56493e28f67d697d9eccc303bed4f52f43a8b334ff255b8a672a51d1df488

Download Submit
C:\Windows\{C61D5043-D19C-4048-A9B1-39555DD667FB}.exe

Filesize
197KB

MD5
331998c70bf3b7e1f6e4a1f9721bc2d9

SHA1
18bc55c576d2edcc3d8230009354c63aa79f5136

SHA256
dba964445226a7436b64c7579d63c588ef513b29c5a084de526865d6e806c5d4

SHA512
584d179706036be68f67a8ff11b211969af1a83cf19ab32bac84a28135722d43385e6b5281fe9e9ced09390ef0f20fcf5cadffdc52cb4f8fe097c47325a094a4

Download Submit
C:\Windows\{EC9800F6-74C3-47b9-A9A4-DCE8DE11AF30}.exe

Filesize
197KB

MD5
86562e4ed162d6acd0de78c80cd47f36

SHA1
c744e1932f8be3a8d56b73cf3f5e915774447412

SHA256
a75fc982a20ada68aeac85f954e3c7c7a629aa42f04ea4acf05b3fc2989a2cd9

SHA512
4127835fc47964e10113c1f459a2be8e0201377515698c07017e3b0c669f073c8880b6f5205a1338c6f039a69f922364b21418c23914975944854f17573327d7

Download Submit
C:\Windows\{EDFDF5E1-D8DF-406b-832F-77E5572E2003}.exe

Filesize
197KB

MD5
83debf32d116234415a5074d4a8731b4

SHA1
1d7f57124c9d45033f2463c4d4d23dab53d1fe54

SHA256
f8a3a80e026c7d38c95a8f74da1b10e737cdc82beea0719bb0c2a2883fb7a941

SHA512
50dee80bb36596f01a1216fb92009df2bb6b438839b72a85dd73d22826b5facea916e735dcd627044dd859ec97f48a0e84adeb6c8685ea2c48468499718a88cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads