7d9f91e966c5db3c43ac87388a8e41aa4f93777a727b10d699fa32686292e6d8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Size

408KB
MD5

088a7ee9f1de414a2e82b22927a13737
SHA1

bfff33cdbb85af2fdbf9a1bd1383d60d3e096b10
SHA256

7d9f91e966c5db3c43ac87388a8e41aa4f93777a727b10d699fa32686292e6d8
SHA512

d24e1ad10787784295344d566b1e3759af50d3a633468318856daf7c70c88093d3eaeaeaf0b3bba3b598c5062c1765ee4cbab238c6ccec166682327d52a37bda
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGZldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023278-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023288-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000023278-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023146-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023278-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}\stubpath = "C:\\Windows\\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe"	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}\stubpath = "C:\\Windows\\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe"	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3CCD6B-5E06-41dc-A130-06B353792747}	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F0009A-26AA-4c62-9702-1C4D4426F17A}\stubpath = "C:\\Windows\\{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe"	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFC7F420-73B6-46dd-A12B-747548318C9E}	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501C29B5-5ACE-44e4-B890-E5450B3292A8}	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501C29B5-5ACE-44e4-B890-E5450B3292A8}\stubpath = "C:\\Windows\\{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe"	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826460EE-78D6-4b98-957A-5EE5A556615C}\stubpath = "C:\\Windows\\{826460EE-78D6-4b98-957A-5EE5A556615C}.exe"	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F0009A-26AA-4c62-9702-1C4D4426F17A}	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFC7F420-73B6-46dd-A12B-747548318C9E}\stubpath = "C:\\Windows\\{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe"	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}\stubpath = "C:\\Windows\\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe"	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}\stubpath = "C:\\Windows\\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe"	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302331DC-7652-4c4d-B10E-85261FCA2CB7}	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302331DC-7652-4c4d-B10E-85261FCA2CB7}\stubpath = "C:\\Windows\\{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe"	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3CCD6B-5E06-41dc-A130-06B353792747}\stubpath = "C:\\Windows\\{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe"	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826460EE-78D6-4b98-957A-5EE5A556615C}	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}\stubpath = "C:\\Windows\\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe"	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe

Executes dropped EXE 11 IoCs

pid	Process
3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
4940	{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
File created	C:\Windows\{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
File created	C:\Windows\{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
File created	C:\Windows\{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
File created	C:\Windows\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
File created	C:\Windows\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
File created	C:\Windows\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
File created	C:\Windows\{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
File created	C:\Windows\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
File created	C:\Windows\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
File created	C:\Windows\{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
Token: SeIncBasePriorityPrivilege	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
Token: SeIncBasePriorityPrivilege	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
Token: SeIncBasePriorityPrivilege	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
Token: SeIncBasePriorityPrivilege	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
Token: SeIncBasePriorityPrivilege	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
Token: SeIncBasePriorityPrivilege	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
Token: SeIncBasePriorityPrivilege	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
Token: SeIncBasePriorityPrivilege	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
Token: SeIncBasePriorityPrivilege	628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3832	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	94
PID 3484 wrote to memory of 3832	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	94
PID 3484 wrote to memory of 3832	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	94
PID 3484 wrote to memory of 4572	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	96
PID 3484 wrote to memory of 4572	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	96
PID 3484 wrote to memory of 4572	3484	2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe	96
PID 3832 wrote to memory of 812	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	101
PID 3832 wrote to memory of 812	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	101
PID 3832 wrote to memory of 812	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	101
PID 3832 wrote to memory of 452	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	102
PID 3832 wrote to memory of 452	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	102
PID 3832 wrote to memory of 452	3832	{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe	102
PID 812 wrote to memory of 4784	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	103
PID 812 wrote to memory of 4784	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	103
PID 812 wrote to memory of 4784	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	103
PID 812 wrote to memory of 3816	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	104
PID 812 wrote to memory of 3816	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	104
PID 812 wrote to memory of 3816	812	{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe	104
PID 4784 wrote to memory of 4788	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	106
PID 4784 wrote to memory of 4788	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	106
PID 4784 wrote to memory of 4788	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	106
PID 4784 wrote to memory of 872	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	107
PID 4784 wrote to memory of 872	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	107
PID 4784 wrote to memory of 872	4784	{826460EE-78D6-4b98-957A-5EE5A556615C}.exe	107
PID 4788 wrote to memory of 4164	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	108
PID 4788 wrote to memory of 4164	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	108
PID 4788 wrote to memory of 4164	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	108
PID 4788 wrote to memory of 3952	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	109
PID 4788 wrote to memory of 3952	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	109
PID 4788 wrote to memory of 3952	4788	{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe	109
PID 4164 wrote to memory of 1260	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	110
PID 4164 wrote to memory of 1260	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	110
PID 4164 wrote to memory of 1260	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	110
PID 4164 wrote to memory of 1104	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	111
PID 4164 wrote to memory of 1104	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	111
PID 4164 wrote to memory of 1104	4164	{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe	111
PID 1260 wrote to memory of 1616	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	112
PID 1260 wrote to memory of 1616	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	112
PID 1260 wrote to memory of 1616	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	112
PID 1260 wrote to memory of 3940	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	113
PID 1260 wrote to memory of 3940	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	113
PID 1260 wrote to memory of 3940	1260	{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe	113
PID 1616 wrote to memory of 1088	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	114
PID 1616 wrote to memory of 1088	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	114
PID 1616 wrote to memory of 1088	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	114
PID 1616 wrote to memory of 4924	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	115
PID 1616 wrote to memory of 4924	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	115
PID 1616 wrote to memory of 4924	1616	{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe	115
PID 1088 wrote to memory of 4056	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	116
PID 1088 wrote to memory of 4056	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	116
PID 1088 wrote to memory of 4056	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	116
PID 1088 wrote to memory of 2192	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	117
PID 1088 wrote to memory of 2192	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	117
PID 1088 wrote to memory of 2192	1088	{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe	117
PID 4056 wrote to memory of 628	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	118
PID 4056 wrote to memory of 628	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	118
PID 4056 wrote to memory of 628	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	118
PID 4056 wrote to memory of 4780	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	119
PID 4056 wrote to memory of 4780	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	119
PID 4056 wrote to memory of 4780	4056	{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe	119
PID 628 wrote to memory of 4940	628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe	120
PID 628 wrote to memory of 4940	628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe	120
PID 628 wrote to memory of 4940	628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe	120
PID 628 wrote to memory of 4524	628	{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_088a7ee9f1de414a2e82b22927a13737_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
  C:\Windows\{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
    C:\Windows\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
      C:\Windows\{826460EE-78D6-4b98-957A-5EE5A556615C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
        
        C:\Windows\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
        
        C:\Windows\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
        
        C:\Windows\{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
        
        C:\Windows\{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
        
        C:\Windows\{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
        
        C:\Windows\{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
        
        C:\Windows\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe
        
        C:\Windows\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe
        12⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF931~1.EXE > nul
        12⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC7F~1.EXE > nul
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F3CC~1.EXE > nul
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74F00~1.EXE > nul
        9⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30233~1.EXE > nul
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4AB8~1.EXE > nul
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC1E~1.EXE > nul
        6⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82646~1.EXE > nul
        5⤵
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE06~1.EXE > nul
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{501C2~1.EXE > nul
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{043F55DA-1601-4f1b-8412-F0EFD6ABC3CD}.exe

Filesize
408KB

MD5
d68f441d386da6007dc352e1cd01570d

SHA1
19207bc1402ac9f99667029a235727d829211f75

SHA256
86d7848ecb8ab005d7228497a64114053642a64bbf39d1ed83251d77d16502d1

SHA512
2c8e8d99fbeb4bba352c91410357ec943f63ef033f7a537e8098f38515b0abe4bb96e1f6557cfdfa938e5892384ff38ab5cae47414e64663fc4686b8e1f8fa37

Download Submit
C:\Windows\{0EE06158-59F7-41d0-BC3A-E4E4C5BD6B9F}.exe

Filesize
408KB

MD5
5b4ed8725f32e5bbf5bfebe86127c090

SHA1
14dd80c1da8b02d843433bd7e867ea85c97252ca

SHA256
9d3b5d86857dc0dad00ccd52a55a7ad417aedd4e703b862e97cc4f58ac07c28d

SHA512
2a128e84bb9039c6b2a4cbb375eaf8e9e88f583c18b648b42c2408f80b3b9953ece94b06a8f68c245593fc275beb9082a12cef2dce1b055da25d20f4b9f40544

Download Submit
C:\Windows\{2FC1EE46-E51B-40a6-9B74-B9A6BF0A1F46}.exe

Filesize
408KB

MD5
0dcb24963e5640d131d6d7472639ea73

SHA1
5e428c315d563a6b8a8e15beaff57a718cad9f9c

SHA256
082857a1d62d9ec42bf49291c33401726fc282897daed056ddf9516aa2ec0371

SHA512
5a09df0f082ac2669a14b5e85c31eab40ab8a99312ca92d30c2c6001cfcb2a1cb5814a4b66e01a162dcf9d6bf7cea7f6d3d4c9c49116ab81b23875e9450efb88

Download Submit
C:\Windows\{302331DC-7652-4c4d-B10E-85261FCA2CB7}.exe

Filesize
408KB

MD5
5b6526281baf28e84a6be6a7c8b75d69

SHA1
ef3850a380948f7f423e95c0780098ea22a2427e

SHA256
d6cda64569335322bd9a19f3777593b41482bd252329662d59374c60b63ae1c6

SHA512
234e61f657e88258667af6db0059b0f5d7493415cf6448acc00c63d944e7aeccebdc7318a81211c71bf321e0826200e6cd3118ed6ac5505d7359db0abce78513

Download Submit
C:\Windows\{3F3CCD6B-5E06-41dc-A130-06B353792747}.exe

Filesize
408KB

MD5
f6e00ed985c636c09515f0554485af34

SHA1
e24ac58911233d0ac9aaed5cf9dd0601e4a8bad4

SHA256
c6f1e18e436be25886e6d455ffb512e024efb897a68b22584049c82f512e2f90

SHA512
859a0f9aaedff6d25a41883e70fa621aafaaf5a4cf3a923545d588295872b18eeca54ca9cb8798848c1eb00e16808269d62b8e3d36973c187000d5c832f9686c

Download Submit
C:\Windows\{501C29B5-5ACE-44e4-B890-E5450B3292A8}.exe

Filesize
408KB

MD5
253e435a1bd8658eb83c929465cb8ed0

SHA1
abd784049cd6078ed4fee8f4ec615448f275343f

SHA256
2c7607ab8fa22b887491e9d3eb972661130254b189b12055158d50ffe1947c30

SHA512
d568276cff0a984fdbd209276c61875fe37bf23414b06317ccfb5e9561b0f71414923116b123225b88f208b6f90fafd6f8a4ebeaf9670f049d4622cd94542197

Download Submit
C:\Windows\{74F0009A-26AA-4c62-9702-1C4D4426F17A}.exe

Filesize
408KB

MD5
acffc5e5d728c43a900b6893f53c574d

SHA1
9edb87913a1004cb23758e3029e81280f6271d26

SHA256
90821c5a439afbc0209773bd7f7d193953da99b557ce64c668a067e4b264ae15

SHA512
3630c72b701760d19a34cf972216b18862807da8f11854f36763971321462f459f2b5a33a4d8dff561847f0e2cf44d946c7a1dcb94271a8b9e1f6cc7510907ca

Download Submit
C:\Windows\{826460EE-78D6-4b98-957A-5EE5A556615C}.exe

Filesize
408KB

MD5
e3f31dea5eec2fd7884787dcb94c9c4e

SHA1
94bb8344f47cf9665e1bc93d352ded81b3e7503f

SHA256
00f545052b871d604ea574e30ae32561fd1d852556ad96c7febb6440905adcf4

SHA512
828b1bb0d7b7345ae41d410d60b7163bf44c7e0ccd2aa528dee6c166fde146c180c64cddafe076637eda9697bd9896106e758b3a16987b02b4b3848608183090

Download Submit
C:\Windows\{CF931FB8-DCFB-4bc5-859F-EEDBA37F9FFE}.exe

Filesize
408KB

MD5
1a05d9909bf86e09377f265ee8902949

SHA1
918c2591b7abf5169bfceb33cb7620b3b720ae80

SHA256
689f9c673dd407073d815cc934c294d7259ac826752a43f0e15eabf9a9c09964

SHA512
de1627890f7682fa8577d2cdcd2e777ae9442eba62d0019fd7b9c74744e8e555181ce91a481565904d9d85b337a94f539ffaca81bfd80dccde8d1e9f0ec1ef21

Download Submit
C:\Windows\{CFC7F420-73B6-46dd-A12B-747548318C9E}.exe

Filesize
408KB

MD5
537cf6325065ff6d90f9c2948b3a49e0

SHA1
1e496f3afca32124d76822575485f4d32a358af1

SHA256
7e85c94ba38442f3a8a8a862f41835c640e5a3a92568779a6ce0fcab0b980e7d

SHA512
61fb95696e1efd72a641b60fe2024478b475085e4bccd7b3f2b41a5fb9073df8b61e83df340c9e4bdd202feef29c5a0ffda9a8e54af8f89025e37b8a2cac34b9

Download Submit
C:\Windows\{D4AB87E8-2A6A-4f4d-8B55-2A89723573CC}.exe

Filesize
408KB

MD5
779ab85b1587936bb00b688b82af22ec

SHA1
6cc9d67b84fd0e5ced415cdc8ad2e4b8b3883fa0

SHA256
2fafb96dfcb09f755a0d4b9d7238778ecad35d8dd707febcde251235ec5ccefd

SHA512
335e3b49fa51e0767d86b1c7aaca746386f1ead6eb8cb3ae69bcc89e7e58d2954f15cc94a57fbef05dd5efeeb015adfa0b9b2f215d263fbc71fce038d13a8d1b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads