f0a374167bfb884a25fcf9523f9cd175e5fc2f301bec3a1a9cf1162da6711c64

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
Size

408KB
MD5

a1088338fe7cc19f6d9c707aae733d0d
SHA1

cdfb95d11893ead6b4eb7f72af666a803359a9b8
SHA256

f0a374167bfb884a25fcf9523f9cd175e5fc2f301bec3a1a9cf1162da6711c64
SHA512

5100f827ba1f361a8399f989e0ef3ed27acf7f31171ea742a49effce91842c53fb6d5d53801c31371b833056aa6146d257b49b4b9433ece3bb44929c37c04bc7
SSDEEP

3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023256-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023260-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023269-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e2e1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023260-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e2e1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000070f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}\stubpath = "C:\\Windows\\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe"	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}\stubpath = "C:\\Windows\\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe"	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222F439B-8992-4443-A145-9AF6A75DDA44}	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}\stubpath = "C:\\Windows\\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe"	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}\stubpath = "C:\\Windows\\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe"	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}\stubpath = "C:\\Windows\\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe"	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A2A560-57D6-4717-A774-81C61EFCA8D6}	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A2A560-57D6-4717-A774-81C61EFCA8D6}\stubpath = "C:\\Windows\\{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe"	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}\stubpath = "C:\\Windows\\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe"	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222F439B-8992-4443-A145-9AF6A75DDA44}\stubpath = "C:\\Windows\\{222F439B-8992-4443-A145-9AF6A75DDA44}.exe"	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}\stubpath = "C:\\Windows\\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe"	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}\stubpath = "C:\\Windows\\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe"	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}\stubpath = "C:\\Windows\\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe"	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe

Executes dropped EXE 11 IoCs

pid	Process
4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
4000	{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
File created	C:\Windows\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
File created	C:\Windows\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
File created	C:\Windows\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
File created	C:\Windows\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
File created	C:\Windows\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
File created	C:\Windows\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
File created	C:\Windows\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
File created	C:\Windows\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
File created	C:\Windows\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
File created	C:\Windows\{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
Token: SeIncBasePriorityPrivilege	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
Token: SeIncBasePriorityPrivilege	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
Token: SeIncBasePriorityPrivilege	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
Token: SeIncBasePriorityPrivilege	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
Token: SeIncBasePriorityPrivilege	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
Token: SeIncBasePriorityPrivilege	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
Token: SeIncBasePriorityPrivilege	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
Token: SeIncBasePriorityPrivilege	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
Token: SeIncBasePriorityPrivilege	2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4316	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	91
PID 1476 wrote to memory of 4316	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	91
PID 1476 wrote to memory of 4316	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	91
PID 1476 wrote to memory of 4908	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	92
PID 1476 wrote to memory of 4908	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	92
PID 1476 wrote to memory of 4908	1476	2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe	92
PID 4316 wrote to memory of 1100	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	98
PID 4316 wrote to memory of 1100	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	98
PID 4316 wrote to memory of 1100	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	98
PID 4316 wrote to memory of 4356	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	99
PID 4316 wrote to memory of 4356	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	99
PID 4316 wrote to memory of 4356	4316	{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe	99
PID 1100 wrote to memory of 3732	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	104
PID 1100 wrote to memory of 3732	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	104
PID 1100 wrote to memory of 3732	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	104
PID 1100 wrote to memory of 1432	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	105
PID 1100 wrote to memory of 1432	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	105
PID 1100 wrote to memory of 1432	1100	{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe	105
PID 3732 wrote to memory of 3400	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	106
PID 3732 wrote to memory of 3400	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	106
PID 3732 wrote to memory of 3400	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	106
PID 3732 wrote to memory of 3740	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	107
PID 3732 wrote to memory of 3740	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	107
PID 3732 wrote to memory of 3740	3732	{222F439B-8992-4443-A145-9AF6A75DDA44}.exe	107
PID 3400 wrote to memory of 2060	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	108
PID 3400 wrote to memory of 2060	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	108
PID 3400 wrote to memory of 2060	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	108
PID 3400 wrote to memory of 936	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	109
PID 3400 wrote to memory of 936	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	109
PID 3400 wrote to memory of 936	3400	{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe	109
PID 2060 wrote to memory of 224	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	110
PID 2060 wrote to memory of 224	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	110
PID 2060 wrote to memory of 224	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	110
PID 2060 wrote to memory of 928	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	111
PID 2060 wrote to memory of 928	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	111
PID 2060 wrote to memory of 928	2060	{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe	111
PID 224 wrote to memory of 3860	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	112
PID 224 wrote to memory of 3860	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	112
PID 224 wrote to memory of 3860	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	112
PID 224 wrote to memory of 4560	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	113
PID 224 wrote to memory of 4560	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	113
PID 224 wrote to memory of 4560	224	{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe	113
PID 3860 wrote to memory of 1368	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	114
PID 3860 wrote to memory of 1368	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	114
PID 3860 wrote to memory of 1368	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	114
PID 3860 wrote to memory of 4500	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	115
PID 3860 wrote to memory of 4500	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	115
PID 3860 wrote to memory of 4500	3860	{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe	115
PID 1368 wrote to memory of 3164	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	116
PID 1368 wrote to memory of 3164	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	116
PID 1368 wrote to memory of 3164	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	116
PID 1368 wrote to memory of 1484	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	117
PID 1368 wrote to memory of 1484	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	117
PID 1368 wrote to memory of 1484	1368	{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe	117
PID 3164 wrote to memory of 2764	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	118
PID 3164 wrote to memory of 2764	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	118
PID 3164 wrote to memory of 2764	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	118
PID 3164 wrote to memory of 3484	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	119
PID 3164 wrote to memory of 3484	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	119
PID 3164 wrote to memory of 3484	3164	{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe	119
PID 2764 wrote to memory of 4000	2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe	120
PID 2764 wrote to memory of 4000	2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe	120
PID 2764 wrote to memory of 4000	2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe	120
PID 2764 wrote to memory of 3092	2764	{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_a1088338fe7cc19f6d9c707aae733d0d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
  C:\Windows\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
    C:\Windows\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
      C:\Windows\{222F439B-8992-4443-A145-9AF6A75DDA44}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
        
        C:\Windows\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
        
        C:\Windows\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
        
        C:\Windows\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
        
        C:\Windows\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
        
        C:\Windows\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
        
        C:\Windows\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
        
        C:\Windows\{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe
        
        C:\Windows\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe
        12⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A2A~1.EXE > nul
        12⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8B2F~1.EXE > nul
        11⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC138~1.EXE > nul
        10⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3C2D~1.EXE > nul
        9⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33DCF~1.EXE > nul
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD7D4~1.EXE > nul
        7⤵
        
        PID:928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC6F4~1.EXE > nul
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{222F4~1.EXE > nul
        5⤵
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A7C0~1.EXE > nul
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA9E3~1.EXE > nul
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3748 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{222F439B-8992-4443-A145-9AF6A75DDA44}.exe

Filesize
408KB

MD5
45eefaafd54573e724e54e81e4c311a4

SHA1
5567d158d73c9115b94ee8ee3f4ade19b61e0e49

SHA256
e07e9903fd232774d529e47f4df6a58d42679f81517a7130a8368b3d57cbc20f

SHA512
c103acb1b384c6c695cc57ba886580c8c98dca2a66a562ba8462b36dd454f8aeb958f42083b35535e26b9ec25ae9515cb0cfe149436b8b6f2d5405fbcc199f3e

Download Submit
C:\Windows\{33DCFEEA-E24B-4eae-98C1-ED2419D8F8E4}.exe

Filesize
408KB

MD5
c5fd69e94ea21133eb67549896aed399

SHA1
5110f409f8a9384f1ed610fd37688581c5b378f1

SHA256
5a046953b44cbe2cb75262666bb13a780599938d42dd79270f018bae7eddd901

SHA512
bf28f8397c64babbb5bb2a7bb9b29087a5e19cdc2fe521c8200186cb1d8d70859d08a953dd529a4f4647a0aa298fc2b25721076c316f5c542eee04c4b83037a5

Download Submit
C:\Windows\{55A2A560-57D6-4717-A774-81C61EFCA8D6}.exe

Filesize
408KB

MD5
e15a68bd6e6dbcc2efd2e6046c9f08b6

SHA1
ab3a6e351cc3bdb0b465a3438b14308f752505ab

SHA256
55bbcb894aeba788d04958d059b6fc8c5d8330bb7480326754a42d882ab582f3

SHA512
39679aea9d4455a839a752306df56cb833cf7506a97897ab52fb7569a400b8e77e089ed4ed79e37c17263876aa09c24090f3bf568e40fc359f17c7a58f81f85f

Download Submit
C:\Windows\{6A0F2AC4-B865-44c4-8FBB-91CD98EEA491}.exe

Filesize
408KB

MD5
534187cf202128b51f76a87fb55f89c4

SHA1
66ab442d7995a5455ea15a8751b14ffa80501f0a

SHA256
b907ac876cc13ec07cb5f959283485f6709e45336206f16739db138d520601f5

SHA512
4883c5c0d94b44f7fa71fb4af1fb15512d5cdab75fa7f3865a054058eb059e1c9a8e192139e892c73b3f7a0ed5591c9d28e8a1b08f1fab2754c734ce71b962ca

Download Submit
C:\Windows\{9A7C0F40-B28C-4223-A0DC-8C4179DB05CE}.exe

Filesize
408KB

MD5
ab2246c28d9c5d07db599bbbc27d9aef

SHA1
1ea6077696b4babf5b3e43d61ad4b1b1760f2e1a

SHA256
60215fa38357b3ef74d54fe6b643ff1abbebb69e4c698c649c5db251c9f88aa2

SHA512
3c046c50cf6a1adaea8d359209b655bf1183d56a8caa6fcd008ff9a2dda5c39cab42af15fc095ebbb302bcdb28bf9799be3bddd0d9cdc8f054566c49340d1da6

Download Submit
C:\Windows\{BC6F4C9B-802E-4b62-B4FF-7B8F820C3C0F}.exe

Filesize
408KB

MD5
d2580f78e11a06b810c28eac17ba2d7f

SHA1
3733db350c60c0d0a5e99ea29757d50bcd7fbfec

SHA256
7976efe6b90caea2391363fa20a4062c7595f722424ceddbc66afe6866303f96

SHA512
15f611fe9f7b656171583aa141582fac3ad5e50185f1de905af63a858d74f511c7261cfab52245132408d30820cd0c80cc51ad9a4e5c150f872e1387d68a205e

Download Submit
C:\Windows\{DD7D44DF-76D8-487b-9D03-72A903E3F57C}.exe

Filesize
408KB

MD5
719cf81ad04d42bd96aaac8eaab50ec9

SHA1
570590c1a5083c27515b80b2968a14ca69360bc2

SHA256
cb006d3f76ae4adbdb4d3ea01951a0e20e08b7175398c3d1a6cb60f63c844c1e

SHA512
0c6f0fa3eeed5629efb42e3e9f10d977b935846f6158b7699c9f41ed8d2d4a9a4160fdb00640bbbfa64df92ad9f0e0797fe997e8ec1ee25a9f83a6d49a2fbe04

Download Submit
C:\Windows\{E8B2F6D4-BEBC-4b71-84A4-225C9D192577}.exe

Filesize
408KB

MD5
d1b74c196b408adaaa285aa4f69ffbd3

SHA1
00ddc2a1bd7ec644dfa6bc6c68fcf424d33bac4e

SHA256
ba778a4d48c6c2c9bcc7ae3cdc1cfc34bc6e45b8eab93ed5f827bb65ad3f1cc9

SHA512
634db9c29eaf1adbb0be928aa70848d90af8b3c1c21fb84109cb9385df2bb7162617ab5c38707c484fa5a5763dd18acebf817d0890b004c877745206bfb48141

Download Submit
C:\Windows\{EA9E3A6A-8382-4c70-8298-E4CB520F38BF}.exe

Filesize
408KB

MD5
7aa93142446d2a0f005312181f0d41ee

SHA1
6c760804afff2eafcda13df700c8a70142a583ea

SHA256
47b2cc07439262d8dfc63c89b6520b5b9b8938f20c875ecb28581022c654114e

SHA512
460fb945996015cfa7430dd806bcf0ce48ad8ad7bee7a5be08c93c174fb04680220027bd355d69ffc53e6a8f658656e579006eeac9ad06e7fe219392c02b48b0

Download Submit
C:\Windows\{F3C2D51A-3C4C-49cd-A346-A93FB14E3B49}.exe

Filesize
408KB

MD5
ebd7b7de276b985c4d27e52a8802e7f9

SHA1
d3a49421b26ad73882cff41745d3c7312b668655

SHA256
8414b342554eb409367983788398907165fb945f62756acefcc782056042f880

SHA512
bd111538aed2e33f99c8ae88e7cfe1ec698f1d190262d3611d0a0b55a60b5861abbc1c6f4e9f00840d7e9c987ee27e0012f8349e006acff9ec39c51a064f7e55

Download Submit
C:\Windows\{FC1383BD-3ECB-4ca1-A5D2-C11DFB3969E2}.exe

Filesize
408KB

MD5
1860637ac20481245fe3f6f181c155fe

SHA1
aa22edc5598f904fc97987b39338a0f522bc0988

SHA256
32f2e43beb0d712e465c1ef0908cefa0e5813c2be7a6e61589f62174a87dc293

SHA512
adf0914e59c6f7edef120e342d9a024e92b26e222ff48c0f4073e4f63162043c0d6897a194d93ab2902822f13d040c98ef5fc3b383e879230e43486875174500

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads