7fdc3c20c0c0768db8fa8fed004347939efedd38a7765ad9b07624d1f82495c0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Size

216KB
MD5

78a599ab1577100535807503ea1ee25c
SHA1

90295cc8ff505753fb1bca5420f486a2d40ad261
SHA256

7fdc3c20c0c0768db8fa8fed004347939efedd38a7765ad9b07624d1f82495c0
SHA512

0bbfa043dc80ffeb8db600c2746527245ce11c8746b7790e9064f9f078509a703c5d8c31f8ce0e408ac60222126c9419583736cc4565153bbc49c94b6f8ff493
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGzlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022d20-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023269-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023270-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023269-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023270-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023269-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023270-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CF60A7-008C-4480-B7B9-12434B6C06C6}	{E68635C1-3F46-4775-9463-B9399136F76F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CF60A7-008C-4480-B7B9-12434B6C06C6}\stubpath = "C:\\Windows\\{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe"	{E68635C1-3F46-4775-9463-B9399136F76F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659BB0B4-D25A-4cd7-A025-C5383517F640}	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659BB0B4-D25A-4cd7-A025-C5383517F640}\stubpath = "C:\\Windows\\{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe"	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1357889A-4E02-4a1b-8974-36578B541A2B}	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7A7C1B-A28E-407d-84E3-6528509588A7}\stubpath = "C:\\Windows\\{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe"	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68635C1-3F46-4775-9463-B9399136F76F}	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B5A527-496B-4204-AB91-3D658F986241}\stubpath = "C:\\Windows\\{35B5A527-496B-4204-AB91-3D658F986241}.exe"	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}\stubpath = "C:\\Windows\\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe"	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}\stubpath = "C:\\Windows\\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe"	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66F583D9-F03F-422f-A126-90BC9EEF4D33}	{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3350E042-FAFE-4958-9519-1B24C19F287F}\stubpath = "C:\\Windows\\{3350E042-FAFE-4958-9519-1B24C19F287F}.exe"	{35B5A527-496B-4204-AB91-3D658F986241}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7A7C1B-A28E-407d-84E3-6528509588A7}	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{332DAA1C-7B37-4b92-A3EE-42531122FF73}	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{332DAA1C-7B37-4b92-A3EE-42531122FF73}\stubpath = "C:\\Windows\\{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe"	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68635C1-3F46-4775-9463-B9399136F76F}\stubpath = "C:\\Windows\\{E68635C1-3F46-4775-9463-B9399136F76F}.exe"	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66F583D9-F03F-422f-A126-90BC9EEF4D33}\stubpath = "C:\\Windows\\{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe"	{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}\stubpath = "C:\\Windows\\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe"	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B5A527-496B-4204-AB91-3D658F986241}	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3350E042-FAFE-4958-9519-1B24C19F287F}	{35B5A527-496B-4204-AB91-3D658F986241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1357889A-4E02-4a1b-8974-36578B541A2B}\stubpath = "C:\\Windows\\{1357889A-4E02-4a1b-8974-36578B541A2B}.exe"	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe

Executes dropped EXE 12 IoCs

pid	Process
2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe
988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe
1992	{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
932	{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E68635C1-3F46-4775-9463-B9399136F76F}.exe	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
File created	C:\Windows\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
File created	C:\Windows\{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	{35B5A527-496B-4204-AB91-3D658F986241}.exe
File created	C:\Windows\{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
File created	C:\Windows\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
File created	C:\Windows\{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
File created	C:\Windows\{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe	{E68635C1-3F46-4775-9463-B9399136F76F}.exe
File created	C:\Windows\{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe	{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
File created	C:\Windows\{35B5A527-496B-4204-AB91-3D658F986241}.exe	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
File created	C:\Windows\{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
File created	C:\Windows\{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
File created	C:\Windows\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
Token: SeIncBasePriorityPrivilege	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe
Token: SeIncBasePriorityPrivilege	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
Token: SeIncBasePriorityPrivilege	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
Token: SeIncBasePriorityPrivilege	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
Token: SeIncBasePriorityPrivilege	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
Token: SeIncBasePriorityPrivilege	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
Token: SeIncBasePriorityPrivilege	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
Token: SeIncBasePriorityPrivilege	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
Token: SeIncBasePriorityPrivilege	2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe
Token: SeIncBasePriorityPrivilege	1992	{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2196	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	97
PID 448 wrote to memory of 2196	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	97
PID 448 wrote to memory of 2196	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	97
PID 448 wrote to memory of 3008	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	98
PID 448 wrote to memory of 3008	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	98
PID 448 wrote to memory of 3008	448	2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe	98
PID 2196 wrote to memory of 2508	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	102
PID 2196 wrote to memory of 2508	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	102
PID 2196 wrote to memory of 2508	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	102
PID 2196 wrote to memory of 4628	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	103
PID 2196 wrote to memory of 4628	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	103
PID 2196 wrote to memory of 4628	2196	{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe	103
PID 2508 wrote to memory of 988	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	105
PID 2508 wrote to memory of 988	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	105
PID 2508 wrote to memory of 988	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	105
PID 2508 wrote to memory of 1016	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	106
PID 2508 wrote to memory of 1016	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	106
PID 2508 wrote to memory of 1016	2508	{35B5A527-496B-4204-AB91-3D658F986241}.exe	106
PID 988 wrote to memory of 4516	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	108
PID 988 wrote to memory of 4516	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	108
PID 988 wrote to memory of 4516	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	108
PID 988 wrote to memory of 4564	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	109
PID 988 wrote to memory of 4564	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	109
PID 988 wrote to memory of 4564	988	{3350E042-FAFE-4958-9519-1B24C19F287F}.exe	109
PID 4516 wrote to memory of 2400	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	110
PID 4516 wrote to memory of 2400	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	110
PID 4516 wrote to memory of 2400	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	110
PID 4516 wrote to memory of 2448	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	111
PID 4516 wrote to memory of 2448	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	111
PID 4516 wrote to memory of 2448	4516	{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe	111
PID 2400 wrote to memory of 116	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	112
PID 2400 wrote to memory of 116	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	112
PID 2400 wrote to memory of 116	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	112
PID 2400 wrote to memory of 4076	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	113
PID 2400 wrote to memory of 4076	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	113
PID 2400 wrote to memory of 4076	2400	{1357889A-4E02-4a1b-8974-36578B541A2B}.exe	113
PID 116 wrote to memory of 3296	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	114
PID 116 wrote to memory of 3296	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	114
PID 116 wrote to memory of 3296	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	114
PID 116 wrote to memory of 2924	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	115
PID 116 wrote to memory of 2924	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	115
PID 116 wrote to memory of 2924	116	{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe	115
PID 3296 wrote to memory of 2000	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	116
PID 3296 wrote to memory of 2000	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	116
PID 3296 wrote to memory of 2000	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	116
PID 3296 wrote to memory of 4148	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	117
PID 3296 wrote to memory of 4148	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	117
PID 3296 wrote to memory of 4148	3296	{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe	117
PID 2000 wrote to memory of 1036	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	118
PID 2000 wrote to memory of 1036	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	118
PID 2000 wrote to memory of 1036	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	118
PID 2000 wrote to memory of 1732	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	119
PID 2000 wrote to memory of 1732	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	119
PID 2000 wrote to memory of 1732	2000	{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe	119
PID 1036 wrote to memory of 2172	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	120
PID 1036 wrote to memory of 2172	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	120
PID 1036 wrote to memory of 2172	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	120
PID 1036 wrote to memory of 2720	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	121
PID 1036 wrote to memory of 2720	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	121
PID 1036 wrote to memory of 2720	1036	{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe	121
PID 2172 wrote to memory of 1992	2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe	122
PID 2172 wrote to memory of 1992	2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe	122
PID 2172 wrote to memory of 1992	2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe	122
PID 2172 wrote to memory of 772	2172	{E68635C1-3F46-4775-9463-B9399136F76F}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_78a599ab1577100535807503ea1ee25c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
  C:\Windows\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\{35B5A527-496B-4204-AB91-3D658F986241}.exe
    C:\Windows\{35B5A527-496B-4204-AB91-3D658F986241}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
      C:\Windows\{3350E042-FAFE-4958-9519-1B24C19F287F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
        
        C:\Windows\{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
        
        C:\Windows\{1357889A-4E02-4a1b-8974-36578B541A2B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
        
        C:\Windows\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
        
        C:\Windows\{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
        
        C:\Windows\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
        
        C:\Windows\{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{E68635C1-3F46-4775-9463-B9399136F76F}.exe
        
        C:\Windows\{E68635C1-3F46-4775-9463-B9399136F76F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
        
        C:\Windows\{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe
        
        C:\Windows\{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe
        13⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29CF6~1.EXE > nul
        13⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6863~1.EXE > nul
        12⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{332DA~1.EXE > nul
        11⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA22~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF7A7~1.EXE > nul
        9⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD25~1.EXE > nul
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13578~1.EXE > nul
        7⤵
        
        PID:4076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{659BB~1.EXE > nul
        6⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3350E~1.EXE > nul
        5⤵
        
        PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35B5A~1.EXE > nul
      4⤵
      PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F02DE~1.EXE > nul
    3⤵
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1357889A-4E02-4a1b-8974-36578B541A2B}.exe

Filesize
216KB

MD5
5794869f362ccf90c2d112fc039e62c4

SHA1
c22349a55f41468b000a70f667c263040f4332f6

SHA256
1a0857f4fbdfa851d33a0341cb59f3374c654425410452757dd8e5f95b754713

SHA512
edeeb968e09e398c2a9553c8c27d3841ab7150ac4ee7876ca15a217a4da9a1073565aa5af0a2c3aa372dda14542a63b3d21e124158e05af20c914f655596e2e2

Download Submit
C:\Windows\{29CF60A7-008C-4480-B7B9-12434B6C06C6}.exe

Filesize
216KB

MD5
9889a6bff0ae58989665a223413d3dce

SHA1
eeb61364f8eaaf00d5ef7bd8b4b9462be74b6bf4

SHA256
3d899df7f8ddda9e705b9ff5ae9605cc38a8a5bc7eb668c89c7ecc924f5afaac

SHA512
9d897b62ff8ac82261a20c3c608a49ebdc84ed3244853cbff70a0acfecee2180dba604cd34a7398b129048c763fb523e2f7b12e9dbd269bc0df429b722b8f3d8

Download Submit
C:\Windows\{332DAA1C-7B37-4b92-A3EE-42531122FF73}.exe

Filesize
216KB

MD5
b35e2cb1a878a10ca08061b4e80237f8

SHA1
0194b13c7966128798212ea8576a30a180f31f76

SHA256
600fac9b4f7a7b4fa00eaa2b4aa717642463db6f76dbeeeaa24fbe62c6bf5b1c

SHA512
fa8a5b4b29e5339ee8f80429d1da3d321ad621b3bc43989917cf24dc61a7c65b818a57485a7e97a32ed920e3dbd552c49c871b4707ddf59801d9b5b3d5f3a78f

Download Submit
C:\Windows\{3350E042-FAFE-4958-9519-1B24C19F287F}.exe

Filesize
216KB

MD5
1320a319f919734433a9accc55c6d832

SHA1
9d6e8d5a359ea7ebe6491a8d44ed530f80c49867

SHA256
49658d48a636f46a570db19849a1ff6a0c575aa222c5036e810e41eb49b4c578

SHA512
445fddd1abe7246c7a1416e2afe62ab7bedc9220a6219a0ac4a5f42a12b6cfcf68643b281e54f4ab22f2be5f4c76bc9abef3a2ab94d049b03641f0849531656a

Download Submit
C:\Windows\{35B5A527-496B-4204-AB91-3D658F986241}.exe

Filesize
216KB

MD5
fa9b44d502e4710f9083ccaeaa8dfb0a

SHA1
f50a36af95e27b3263a4b4aa3b3a5b5bbd5aa658

SHA256
8fa87d5f64d45517518da845773ab929b07b13b25f1106b7908beddb84ac3b1a

SHA512
35a550d01ae6f878c909a6027476cbbab7c57586b877494903918759a0177762cb31f6b5528b314fedbfbb374372c6083f5459b29deeec38116b969c83b750f3

Download Submit
C:\Windows\{4CD255EE-3EDB-4c87-ADC2-A2FADD3BB5B9}.exe

Filesize
216KB

MD5
65a97e7228454d4b15f8687a5de5ffd4

SHA1
1425a4974e35c13c16d8d36b735bd5f38759e45f

SHA256
683adcca9df02987a2a0a8ba04a27ce4a4afc7d86b18f7366c2428d9a9be9d80

SHA512
8d7ea4bee5c7e38b6433f4b8fd237aa8b058c790f1fc2fad8d26983f2c8cf226194a57c087a2b8a46102b64d88a22028d8cc7e3e79ca9b312def4cab45885b85

Download Submit
C:\Windows\{659BB0B4-D25A-4cd7-A025-C5383517F640}.exe

Filesize
216KB

MD5
5ec99e30e06cab32e7aa058eb3be5d21

SHA1
8f283f0b0a214836e53f77b2cfd4cc1270038281

SHA256
3b89122545a1c85af89ee54acd54dedcb981375da59c8e110155747bae4ed88d

SHA512
e4e384848f1eee32ec5dd985812ee034ebd25ff2f1d089bdac58bffe8a5e811c3231fd0997a24d2ecdc300a0c367f4371e8ee84773cb07eafa0fa9e4daf1ef8a

Download Submit
C:\Windows\{66F583D9-F03F-422f-A126-90BC9EEF4D33}.exe

Filesize
216KB

MD5
a7c268c3fb75607b0964c0ac13f56c0f

SHA1
3735e7e54716aa4aa4df9f706794660f6ec0d248

SHA256
03246775b77e603d08237cc50e8df8a7beb6f07580e7663df77f7ce1da562fa3

SHA512
799fc6d16e09e9f63eb113d73d21fa24dfe82cc3afce0da83b1ccf3755807a2b3483af02cc1543003de0b6dc1dadeec09286174108c04de28b957de7f4c08c30

Download Submit
C:\Windows\{6BA223E2-0D35-4ac1-987B-64E48F0D5755}.exe

Filesize
216KB

MD5
0bd351a823da2ac5ce314a0c42aaef3c

SHA1
f67d8d27102d7d1e71560a4c7297d9fbd31d5826

SHA256
7ec63991863d7100c7f3337ad09f0723680bf2bd5ffd1ff90055eb831af7a569

SHA512
65489ac6ab1a1cb578357ff8f2e14c0399da8a2e7f8e377179d45ed52267ce26478d8864888e80f0098d214af66a269ef5ddbe84df821562542d05fa3753a968

Download Submit
C:\Windows\{E68635C1-3F46-4775-9463-B9399136F76F}.exe

Filesize
216KB

MD5
662da21d88118c04a7c3a6bb439f3030

SHA1
79f7105294da805496327fb11952444b4da9d1e2

SHA256
b14db64afc15100fdc3c40134ac77d34f2ba5cde179e33edba3c5b874c286447

SHA512
dce677b83f155932562f2f15869a2325ab03fc967d8d6c65e5862aa54f590edfc693aad963b7c3baf4fcb44e7083bfda1cc22e316cdc997c3f73ded7aedf4368

Download Submit
C:\Windows\{F02DE366-5269-42ae-A8F3-C126AC8EEE4D}.exe

Filesize
216KB

MD5
59ecc2bf93a29c3feb7868addede14da

SHA1
1a7de44e6c64448c79649cc539a463bea3d3521d

SHA256
4e48631291f87fb691358243c4bcb8322b5d76e83a9d0adb17657e001f20961e

SHA512
5de82ce228b42aafa7ece520ed55d653119efd0aee8b67823a5e781a70e604f33138442dcdd99a48357b53b7d072419fb65a6329f989e2a70ec62c6606051801

Download Submit
C:\Windows\{FF7A7C1B-A28E-407d-84E3-6528509588A7}.exe

Filesize
216KB

MD5
61ba85cbbf6d107026c05cf104423786

SHA1
bfca237783d9be89cd49998a6dac17824cf4b167

SHA256
8962f8687a3177cd31b8a3091da626a8bb9a5e3ca6ba54c829d291dd15ff624b

SHA512
9b35efdfd6debe1b7a84e3af74127215ce0c71f223584285e3cc1fdf011e4a0c4cba54d58a7c9368e2ec89ff2cef9c0214f164bf457f075485ecac40da1d09cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads