3ba9e96367e3b48f03570443040f06adf59592de7118c770c07e0339c1fc05fc

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
Size

192KB
MD5

8bf8907717332226bc87eb017eea80b8
SHA1

d6e923f58fb9c996ea2817a1b642ce4d370417ed
SHA256

3ba9e96367e3b48f03570443040f06adf59592de7118c770c07e0339c1fc05fc
SHA512

653a7397033337fd9b564aaa13af80aa40de5e00008b34e37da89ed3cb98e60e5635269027b2161a66838698817d409a249a019cefd8a4d9728e4795626cadad
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oWl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000016fa5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023262-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023268-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023262-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023268-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-28.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-36.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}\stubpath = "C:\\Windows\\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe"	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6519D3CF-D775-4e11-8B97-52846DC69B87}\stubpath = "C:\\Windows\\{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe"	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA43E20A-85F7-402c-85F1-FA33381579F5}\stubpath = "C:\\Windows\\{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe"	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880D5DF0-9626-476e-80C4-5C9A4F86958E}	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BEA001C-A105-41e3-9AD0-D68A20E01464}\stubpath = "C:\\Windows\\{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe"	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C88572-4641-467d-A431-F5E0BDD8226D}\stubpath = "C:\\Windows\\{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe"	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03486FD-8664-4ae0-B583-8F6EF4A13603}	{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD368572-760D-4872-9D8E-1BF95A1090C1}	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD368572-760D-4872-9D8E-1BF95A1090C1}\stubpath = "C:\\Windows\\{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe"	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}\stubpath = "C:\\Windows\\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe"	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0C88572-4641-467d-A431-F5E0BDD8226D}	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03486FD-8664-4ae0-B583-8F6EF4A13603}\stubpath = "C:\\Windows\\{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe"	{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFC0501-AA56-41b8-B27A-79F58E550A83}\stubpath = "C:\\Windows\\{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe"	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA43E20A-85F7-402c-85F1-FA33381579F5}	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880D5DF0-9626-476e-80C4-5C9A4F86958E}\stubpath = "C:\\Windows\\{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe"	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BEA001C-A105-41e3-9AD0-D68A20E01464}	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}\stubpath = "C:\\Windows\\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe"	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}\stubpath = "C:\\Windows\\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe"	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEFC0501-AA56-41b8-B27A-79F58E550A83}	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6519D3CF-D775-4e11-8B97-52846DC69B87}	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe

Executes dropped EXE 11 IoCs

pid	Process
912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
1064	{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe
716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe
3984	{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
File created	C:\Windows\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
File created	C:\Windows\{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
File created	C:\Windows\{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
File created	C:\Windows\{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
File created	C:\Windows\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
File created	C:\Windows\{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
File created	C:\Windows\{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
File created	C:\Windows\{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
File created	C:\Windows\{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
File created	C:\Windows\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
Token: SeIncBasePriorityPrivilege	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
Token: SeIncBasePriorityPrivilege	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
Token: SeIncBasePriorityPrivilege	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
Token: SeIncBasePriorityPrivilege	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
Token: SeIncBasePriorityPrivilege	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
Token: SeIncBasePriorityPrivilege	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
Token: SeIncBasePriorityPrivilege	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
Token: SeIncBasePriorityPrivilege	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
Token: SeIncBasePriorityPrivilege	3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 912	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	95
PID 2236 wrote to memory of 912	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	95
PID 2236 wrote to memory of 912	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	95
PID 2236 wrote to memory of 4900	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	96
PID 2236 wrote to memory of 4900	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	96
PID 2236 wrote to memory of 4900	2236	2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe	96
PID 912 wrote to memory of 4700	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	101
PID 912 wrote to memory of 4700	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	101
PID 912 wrote to memory of 4700	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	101
PID 912 wrote to memory of 4296	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	102
PID 912 wrote to memory of 4296	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	102
PID 912 wrote to memory of 4296	912	{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe	102
PID 4700 wrote to memory of 1592	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	104
PID 4700 wrote to memory of 1592	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	104
PID 4700 wrote to memory of 1592	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	104
PID 4700 wrote to memory of 3816	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	105
PID 4700 wrote to memory of 3816	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	105
PID 4700 wrote to memory of 3816	4700	{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe	105
PID 1592 wrote to memory of 5116	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	107
PID 1592 wrote to memory of 5116	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	107
PID 1592 wrote to memory of 5116	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	107
PID 1592 wrote to memory of 4880	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	108
PID 1592 wrote to memory of 4880	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	108
PID 1592 wrote to memory of 4880	1592	{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe	108
PID 5116 wrote to memory of 4032	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	109
PID 5116 wrote to memory of 4032	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	109
PID 5116 wrote to memory of 4032	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	109
PID 5116 wrote to memory of 3900	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	110
PID 5116 wrote to memory of 3900	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	110
PID 5116 wrote to memory of 3900	5116	{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe	110
PID 4032 wrote to memory of 1064	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	111
PID 4032 wrote to memory of 1064	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	111
PID 4032 wrote to memory of 1064	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	111
PID 4032 wrote to memory of 4556	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	112
PID 4032 wrote to memory of 4556	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	112
PID 4032 wrote to memory of 4556	4032	{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe	112
PID 3644 wrote to memory of 716	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	115
PID 3644 wrote to memory of 716	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	115
PID 3644 wrote to memory of 716	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	115
PID 3644 wrote to memory of 2180	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	116
PID 3644 wrote to memory of 2180	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	116
PID 3644 wrote to memory of 2180	3644	{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe	116
PID 716 wrote to memory of 912	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	117
PID 716 wrote to memory of 912	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	117
PID 716 wrote to memory of 912	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	117
PID 716 wrote to memory of 3504	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	118
PID 716 wrote to memory of 3504	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	118
PID 716 wrote to memory of 3504	716	{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe	118
PID 912 wrote to memory of 756	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	119
PID 912 wrote to memory of 756	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	119
PID 912 wrote to memory of 756	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	119
PID 912 wrote to memory of 3256	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	120
PID 912 wrote to memory of 3256	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	120
PID 912 wrote to memory of 3256	912	{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe	120
PID 756 wrote to memory of 3228	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	121
PID 756 wrote to memory of 3228	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	121
PID 756 wrote to memory of 3228	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	121
PID 756 wrote to memory of 4532	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	122
PID 756 wrote to memory of 4532	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	122
PID 756 wrote to memory of 4532	756	{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe	122
PID 3228 wrote to memory of 3984	3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe	123
PID 3228 wrote to memory of 3984	3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe	123
PID 3228 wrote to memory of 3984	3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe	123
PID 3228 wrote to memory of 2092	3228	{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_8bf8907717332226bc87eb017eea80b8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
  C:\Windows\{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
    C:\Windows\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
      C:\Windows\{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
        
        C:\Windows\{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
        
        C:\Windows\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe
        
        C:\Windows\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
        
        C:\Windows\{A03486FD-8664-4ae0-B583-8F6EF4A13603}.exe
        8⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
        
        C:\Windows\{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
        
        C:\Windows\{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
        
        C:\Windows\{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe
        
        C:\Windows\{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe
        
        C:\Windows\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA43E~1.EXE > nul
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6519D~1.EXE > nul
        12⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD368~1.EXE > nul
        11⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFC0~1.EXE > nul
        10⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0348~1.EXE > nul
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85555~1.EXE > nul
        8⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB52~1.EXE > nul
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C88~1.EXE > nul
        6⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BEA0~1.EXE > nul
        5⤵
        
        PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB5CC~1.EXE > nul
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{880D5~1.EXE > nul
    3⤵
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DB526F5-C09A-40b3-B7A0-8BED0713574B}.exe

Filesize
192KB

MD5
aafa842f0832061679f661e67b4ff5d1

SHA1
f79b88831ffc52ebcdc639c2253af42f712bf2c1

SHA256
515f6a4e707eae6569e684ff484658abda5426f3ba1f50b1f11981b0fccfca17

SHA512
51d6fb0fb16eb839fbbc2238b3a09dcd2c198bf6fbd70f2a478a55507d946938110e990b9b59235cb706912671e91e9f70ccd0734c7babad519a8e2e2c4feebb

Download Submit
C:\Windows\{6519D3CF-D775-4e11-8B97-52846DC69B87}.exe

Filesize
192KB

MD5
02c0be9f61075bcd544abaa9ed122242

SHA1
f4e4c60c88be2a103ba4c2b91733b619e950885e

SHA256
29eba5e465b1276ad43bb7a58342bbb8c5a5886baeed06fc53a2afd3ee75c654

SHA512
0aa79cba43fcb9165bd9ec3001bbb4adff0c8848cd9284c7bcac4e79c4d09be07f15d7fb8856c7e813e1dc96715ed9ed7e9a18b99c79a2831dd774a1a9b9cd45

Download Submit
C:\Windows\{6BEA001C-A105-41e3-9AD0-D68A20E01464}.exe

Filesize
192KB

MD5
3598bcebd3435e76529f1cfc92bdf91e

SHA1
f5624e0e177232804606ad20013ed83b149f9f1d

SHA256
6c15b7d0915bf9cbe31df117c797d46ed57184b1c34244e93ba034a0380baccc

SHA512
9ced1ae2f4949fa27187c0e17d81827648fa10d6d3e617b4a135573c4cf6b2daa55a406ad0149ea38a6e02c2f892c2fbf4b2eec85ffa397a43af7f178e5a81da

Download Submit
C:\Windows\{85555D08-DEC1-47dc-AA40-110B44CCB7F7}.exe

Filesize
192KB

MD5
15fd8c6b96474c8a24fd5729e8aa9ecd

SHA1
4a10b17a7c9f2ee40d6bcadc47509829cba6e69a

SHA256
c49f0de507ba8692d32a01564da9fd555f95783e8fb3cd8817ba7dd90c614b47

SHA512
85fb2908b330e85947bd79704df711c802b2cfaee76207c2e270fc979a8c89ab4e9907e1742d041d03e50f242b6df074343f1e6308f69dcc78a8c85e22edbeaf

Download Submit
C:\Windows\{880D5DF0-9626-476e-80C4-5C9A4F86958E}.exe

Filesize
192KB

MD5
7752426fb84615523685a780c7b69a14

SHA1
e62db0855f0d7acd80b8b98f9b88d0c5ba6bcec5

SHA256
33b711de3158f1bc505f2772e9d4eef06522b73b0c070b1864a5a57e4b42484c

SHA512
e6492354aff3b2e93a0fe459f63315c021bd613b0c285f6c6b1c28176ff40ef7ab5eae320733c1bab62363b54288f3bf457e75cfe1a72fdf17d133c131adcc3a

Download Submit
C:\Windows\{AA43E20A-85F7-402c-85F1-FA33381579F5}.exe

Filesize
192KB

MD5
daa01c03bfdc526885783d1fc29a73c8

SHA1
d1a854bf996183bb152fa3fc3c7e717647a24c87

SHA256
b4d90a1e5740b3a6f6780b0e3c8c79a5b27b03f4866ef9f797e6579322897b8b

SHA512
1fc51179b42dee179edcf6533380f721506e3cc932a8fca99460e09a941788f493e95d073f47f21d26b0e70d30fb23ebb34021971b76830fee18f422d3db9cb4

Download Submit
C:\Windows\{C0C88572-4641-467d-A431-F5E0BDD8226D}.exe

Filesize
192KB

MD5
cd85e85187895a71b01637be25d32eac

SHA1
b4797fd3060666b90fd344a418b64b3da6665350

SHA256
cc9cf24f52c1f768d8a913b48a2fb5784717d0e192234bda82df08120a0bfca7

SHA512
d476001f11204e568bb16d1e68229c38e483164b19d351ba28c2e497bc5141db0b91402ec441aef147def891fd1bd8b94bcb3043b5cc920fcb673ee84a5aca41

Download Submit
C:\Windows\{DEFC0501-AA56-41b8-B27A-79F58E550A83}.exe

Filesize
192KB

MD5
cb33780ba46f7659df9a0398f09be651

SHA1
4198800eece579aa80c60a50397f856dbbee52d9

SHA256
9f32fd82bd1b746720e834e86770bac8a58aa2caf5ddd876f77cf6b997f6e94a

SHA512
cf6131744ea4a3b6b60c9131b2057cab6f5d3f1f147a0376e24f07cf122f94857e71b2e4c0187848e70f8be3b04f4d44de2eef4e2e46fbae412b12a25237e6ac

Download Submit
C:\Windows\{EB5CCF49-E1F0-463d-9CBC-3CC9774AD33E}.exe

Filesize
192KB

MD5
a9a4f735add8e07d097c0edad9d9627e

SHA1
5ab1d2ab85fcb9df64384d9386bf2e79980133fc

SHA256
57c808aaaaa4501bc004647ad0524ad407f579bc79d86771bf68f1563385ca59

SHA512
d960afa32e093267df20562537337d53579e13f7fb289e7a576186011dc5cd904eacdc2147d2c5f988f7264d17fe3e23929d549af5a479cb222232b4138fc2b1

Download Submit
C:\Windows\{F25C62DF-7D20-441e-92DA-A1219EDBDEF2}.exe

Filesize
192KB

MD5
ecd1c40fca1013022371bd7381937939

SHA1
b2e80370fe59ce31eb4371d6d6e47b624c45a2e3

SHA256
943adca617349ce17fec3b50eb05530ab8c16b213ba8a5f9226805289472c9c2

SHA512
93dec3ca0e95a7d88697ec43c6279ac439c54a722255f52b8d5e2496630086183e93b02e499aa6807c89a560588ebbdf6880d1622738e4172ed6813cb3d0ea41

Download Submit
C:\Windows\{FD368572-760D-4872-9D8E-1BF95A1090C1}.exe

Filesize
192KB

MD5
ef90c53ab39b774cd494a078c9bf1ab9

SHA1
27b0547ef889634be529797f152d3ebc19f4396e

SHA256
39eae4b52ed23e37e4d4787faefae27ac41b26bb68a69f417e343f3946b21780

SHA512
259141e2b0aa2180b9a6d55d19c7062bcf91520ff72cd0602f17ba046b3a57e70cca8c01790a91e270863a8692d15e06425c7141c72ab1c9132ad88dec3fc12e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads