454ae04bef06f2201227f29b53c5f1fa9bbf6c4c2412347e801a9b25fe63dd2f

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Size

408KB
MD5

31cdad6f6ca6b31819b235b0d62adfc2
SHA1

e9d4940c2d418cfd9a3119dcadc9f1b5aba8fa4f
SHA256

454ae04bef06f2201227f29b53c5f1fa9bbf6c4c2412347e801a9b25fe63dd2f
SHA512

04c2ce725f159df0586e90fbca36a7265f3dc5c304bd72a76f75cbfdeb7dae85e63496489cea1fa9277a63bb84bcde251bf1c93849437477ea401c2ebf71bb6c
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000700000002324b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023259-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023259-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60C24E0B-104E-4681-975C-F871654B85B9}	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C933318-FF2D-448f-8467-581F5272F0CB}	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33027D0-9697-424d-90EA-6B9708BE99AB}	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}\stubpath = "C:\\Windows\\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe"	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}\stubpath = "C:\\Windows\\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe"	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20982204-0D4A-4ea0-89DA-A23208B35A05}	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB592587-7A8D-4b0f-9268-3D36DD323343}	{60C24E0B-104E-4681-975C-F871654B85B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB592587-7A8D-4b0f-9268-3D36DD323343}\stubpath = "C:\\Windows\\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe"	{60C24E0B-104E-4681-975C-F871654B85B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E360A8-DB0F-4288-9526-D3D095DC7508}	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7E360A8-DB0F-4288-9526-D3D095DC7508}\stubpath = "C:\\Windows\\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe"	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33027D0-9697-424d-90EA-6B9708BE99AB}\stubpath = "C:\\Windows\\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe"	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20982204-0D4A-4ea0-89DA-A23208B35A05}\stubpath = "C:\\Windows\\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe"	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C933318-FF2D-448f-8467-581F5272F0CB}\stubpath = "C:\\Windows\\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe"	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}\stubpath = "C:\\Windows\\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe"	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60C24E0B-104E-4681-975C-F871654B85B9}\stubpath = "C:\\Windows\\{60C24E0B-104E-4681-975C-F871654B85B9}.exe"	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}\stubpath = "C:\\Windows\\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe"	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}\stubpath = "C:\\Windows\\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe"	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe

Executes dropped EXE 11 IoCs

pid	Process
4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe
4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
988	{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	{60C24E0B-104E-4681-975C-F871654B85B9}.exe
File created	C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
File created	C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
File created	C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
File created	C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
File created	C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
File created	C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
File created	C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
File created	C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
File created	C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
File created	C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
Token: SeIncBasePriorityPrivilege	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe
Token: SeIncBasePriorityPrivilege	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
Token: SeIncBasePriorityPrivilege	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
Token: SeIncBasePriorityPrivilege	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
Token: SeIncBasePriorityPrivilege	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
Token: SeIncBasePriorityPrivilege	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
Token: SeIncBasePriorityPrivilege	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
Token: SeIncBasePriorityPrivilege	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
Token: SeIncBasePriorityPrivilege	4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4404	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	94
PID 1368 wrote to memory of 4404	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	94
PID 1368 wrote to memory of 4404	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	94
PID 1368 wrote to memory of 2908	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	95
PID 1368 wrote to memory of 2908	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	95
PID 1368 wrote to memory of 2908	1368	2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe	95
PID 4404 wrote to memory of 4908	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	100
PID 4404 wrote to memory of 4908	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	100
PID 4404 wrote to memory of 4908	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	100
PID 4404 wrote to memory of 4740	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	101
PID 4404 wrote to memory of 4740	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	101
PID 4404 wrote to memory of 4740	4404	{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe	101
PID 4908 wrote to memory of 4876	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	102
PID 4908 wrote to memory of 4876	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	102
PID 4908 wrote to memory of 4876	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	102
PID 4908 wrote to memory of 1356	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	103
PID 4908 wrote to memory of 1356	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	103
PID 4908 wrote to memory of 1356	4908	{60C24E0B-104E-4681-975C-F871654B85B9}.exe	103
PID 4876 wrote to memory of 3976	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	105
PID 4876 wrote to memory of 3976	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	105
PID 4876 wrote to memory of 3976	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	105
PID 4876 wrote to memory of 4348	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	106
PID 4876 wrote to memory of 4348	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	106
PID 4876 wrote to memory of 4348	4876	{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe	106
PID 3976 wrote to memory of 116	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	107
PID 3976 wrote to memory of 116	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	107
PID 3976 wrote to memory of 116	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	107
PID 3976 wrote to memory of 1132	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	108
PID 3976 wrote to memory of 1132	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	108
PID 3976 wrote to memory of 1132	3976	{1C933318-FF2D-448f-8467-581F5272F0CB}.exe	108
PID 116 wrote to memory of 4208	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	109
PID 116 wrote to memory of 4208	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	109
PID 116 wrote to memory of 4208	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	109
PID 116 wrote to memory of 4320	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	110
PID 116 wrote to memory of 4320	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	110
PID 116 wrote to memory of 4320	116	{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe	110
PID 4208 wrote to memory of 632	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	111
PID 4208 wrote to memory of 632	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	111
PID 4208 wrote to memory of 632	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	111
PID 4208 wrote to memory of 4496	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	112
PID 4208 wrote to memory of 4496	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	112
PID 4208 wrote to memory of 4496	4208	{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe	112
PID 632 wrote to memory of 384	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	113
PID 632 wrote to memory of 384	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	113
PID 632 wrote to memory of 384	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	113
PID 632 wrote to memory of 860	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	114
PID 632 wrote to memory of 860	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	114
PID 632 wrote to memory of 860	632	{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe	114
PID 384 wrote to memory of 2932	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	115
PID 384 wrote to memory of 2932	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	115
PID 384 wrote to memory of 2932	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	115
PID 384 wrote to memory of 2016	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	116
PID 384 wrote to memory of 2016	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	116
PID 384 wrote to memory of 2016	384	{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe	116
PID 2932 wrote to memory of 4572	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	117
PID 2932 wrote to memory of 4572	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	117
PID 2932 wrote to memory of 4572	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	117
PID 2932 wrote to memory of 2816	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	118
PID 2932 wrote to memory of 2816	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	118
PID 2932 wrote to memory of 2816	2932	{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe	118
PID 4572 wrote to memory of 988	4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe	119
PID 4572 wrote to memory of 988	4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe	119
PID 4572 wrote to memory of 988	4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe	119
PID 4572 wrote to memory of 2924	4572	{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
  C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe
    C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
      C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
        
        C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
        
        C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
        
        C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
        
        C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
        
        C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
        
        C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
        
        C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe
        
        C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe
        12⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A89~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60B82~1.EXE > nul
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3302~1.EXE > nul
        10⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E7EC~1.EXE > nul
        9⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E36~1.EXE > nul
        8⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8AF6~1.EXE > nul
        7⤵
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C933~1.EXE > nul
        6⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB592~1.EXE > nul
        5⤵
        
        PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60C24~1.EXE > nul
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20982~1.EXE > nul
    3⤵
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe

Filesize
408KB

MD5
27ae2fbced0872bc8862a74e69d6d130

SHA1
cb969b34556b01b03e3d4ce083b97f6ea243bdad

SHA256
0873410ec93248b0ee997aad60e4d7230ac0f1e6c5204558cee41031a69d65b9

SHA512
5b42a233bd9cfeabf124060268695ad3ff747bd0ad2cc8901c47b7c8c1f8b97cbb277795178d3c0a9595860af2f84ec3a9a6a506fe4c003573d9ff1c77a1fea1

Download Submit
C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe

Filesize
408KB

MD5
130566922a0a789058addcdefc85a888

SHA1
e4758119c4e84b5fa04f44160ab7dc243f24454c

SHA256
4227aa8c33039fa1ad999000dce83a717b86e3e0cbf4cec6958c7cd9289c8618

SHA512
99880371b572cd2853921a9957c521ed455c536d04f06fce9c75ff0313649c7331754c1582797b8c9a97152356cf84d3ed5904213c46186bbb2c37a3365c1568

Download Submit
C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe

Filesize
408KB

MD5
486b4e7ed63127cace10683aacb1f4a5

SHA1
ea2a980e093b1aac005d4569eee23c787737c089

SHA256
c01abb9dfb9b2207eb21dbf314c774f2352ed25ada185747768b2c17125141c4

SHA512
d52ecb5995c5134e395f241eb84ae418127bba78b08b438571380d0f6c821e121bb7130db053077f8cf6a728b293590c1661d48ec313b056f5c88e6329bfe54b

Download Submit
C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe

Filesize
408KB

MD5
c10bb6b997a0ad7783005d79c71f48de

SHA1
631f1bc6cfbeae5359ff7cfbb5b11acacbd22d07

SHA256
aca9a08f954b1083a94ec75a22b59be9c16afe670a4a4bc488ce07f1967a307b

SHA512
072d9e8e2f0af3aafc6c8c2df4c0a97c1ece122943ed304f66b459a0f1c37c7d55be19604e31d8538fd1f8711590d1b1f5ae1ba2f1b1eaf44a08466a25e6b5cd

Download Submit
C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe

Filesize
408KB

MD5
de0560378a9b5602c996ce4cb15ffccd

SHA1
731e31beb7c627edd990f3fa65d9d25f6c409523

SHA256
c076f97389adcc33d9d854df85acbd7b68b1de921e585b67b181b59d49796854

SHA512
97b60ae5409f4433429384f508cde2874209fb7d6e9aedf30acde4791d35ad83e1ee9ecaaad1b03db2484ec407a3aa755cf515d4e9b9f7fb7061d604bb732dd1

Download Submit
C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe

Filesize
408KB

MD5
87bfd1d84c84b245b5166725b52d8e3f

SHA1
13b44a1cbbe8f15ef731c1cfda2ab58415d229cc

SHA256
fb17e0ab9c562d95c9da6462333fa854ed2ab53f943ddd90c843a5d31704fe8a

SHA512
41056c5f654dde5eb0874c6bccfec1c2ddc26559e3d95a6d6cfb1865a483ab4a5ba47df9b3006382a15cd30cb89290fb75ebba8fdb17cbf0cadc783327b34651

Download Submit
C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe

Filesize
408KB

MD5
af3b25e4e8d33036691ff56c3f0b932c

SHA1
c1f2691f95c953dbb400808e0194ef6262ac741f

SHA256
462b05204a34e3c182c88b7e3475c93e38c3a77dd10ba99d9294d3a60e86bdb6

SHA512
090ce0722b343c401bd63c3f923409e3341fad5f9d03167e8723334d2bddda13f3391adc9b12dd972e75ebb832b4d213e95051819a4748fc75b5c2802921ea6a

Download Submit
C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe

Filesize
408KB

MD5
e82b085dfab085849fd1948f284a3455

SHA1
14975b9c432cac18c9d5da2b108b1e0db8cc7c55

SHA256
fe11853a4490d62577c34951623886ee87b156d8b1f6bff34b89c35c25dbc598

SHA512
3b2397454b887868863b20961752076ccccfb2ff9fc1a1334e565997dd62d012a3130ffcc2d99dbcca62d2eb8698b016e2556475be654e88ccdcf2e38a94b42a

Download Submit
C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe

Filesize
408KB

MD5
fcdc9cd7c9a951c7cbad2a0b5be92145

SHA1
16d637da7646e5fefce4168c54e244aa68b9b10e

SHA256
d0e4a12bc5f1b50f28efec5d184e5cebc2be378a2312946ab3b5be10935caebb

SHA512
881e7ed8a3d178b6016f41336ee12dc81bbc11917d47be15251f3662fe0f292943cc515b8fb3e19a07b270c0d7999567ca5f156d5450a81ff83a180edefccccc

Download Submit
C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe

Filesize
408KB

MD5
8f0620613ea8c1979aa1bd3326581051

SHA1
34a105f3567747c6f7b5251571e5661461473d3f

SHA256
f3fc2c8eb12c22e416df2bfa8c9a7f5e0022a8510d6b3bbf29dc37e976e1676b

SHA512
f9ca896da075f1dc233c4495f48bac074a1285c64e42591a9ff41aa7578ffe5ce884d260ff6e9aacf73ab0b4288d352268c20e14d9441afe4241869c16dd3405

Download Submit
C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe

Filesize
408KB

MD5
8f86f5c76c8449692db2ba2c207c9d47

SHA1
00a57789cc61096dd12ca9e3dfc02a021447c4a7

SHA256
3ea38e64b0b1d48b327fee5be691611565b136f267437946282e2cddd55c0467

SHA512
17da7d9bb78f355857964d88247bd76299d2d327eae40fae5f966b9ef11ecb39696ea3cb05442472ad606ac40d3ae56db58ca9915d6d8c901bc4ef44f106277e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads