adf13a3f3ebc18c825e8f9f9a296288102805f6784a1322b66b7f3bc500888e8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
Size

408KB
MD5

0362eeb183d88fc10010dcfcb39223d8
SHA1

8e4e100d3966e08840b195790dbd193203fb3439
SHA256

adf13a3f3ebc18c825e8f9f9a296288102805f6784a1322b66b7f3bc500888e8
SHA512

aaadbef54dd637b617651d0965598ee9df1a032b8be7661f8075e6a8b4f4c41cfbb7b253fe623d69f812d5c77f18aedbe1c568495a871cf6f5429b42446abd27
SSDEEP

3072:CEGh0oKl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002326f-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002327d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0370D7B4-1BA5-4fc5-B658-401558D486E5}	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28552337-2C5A-491c-BEF1-F02127E01CCA}\stubpath = "C:\\Windows\\{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe"	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C0C7EB-30D9-4602-833C-741962D1AF8D}	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A118CE28-83C3-423a-AC59-24EFC4002337}\stubpath = "C:\\Windows\\{A118CE28-83C3-423a-AC59-24EFC4002337}.exe"	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}\stubpath = "C:\\Windows\\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe"	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3859FCEE-B156-4de3-8C41-F2D035668B34}\stubpath = "C:\\Windows\\{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe"	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28552337-2C5A-491c-BEF1-F02127E01CCA}	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822F0461-E3CC-4d36-8C19-DD968E736E62}	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}\stubpath = "C:\\Windows\\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe"	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C0C7EB-30D9-4602-833C-741962D1AF8D}\stubpath = "C:\\Windows\\{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe"	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0370D7B4-1BA5-4fc5-B658-401558D486E5}\stubpath = "C:\\Windows\\{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe"	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}\stubpath = "C:\\Windows\\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe"	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{822F0461-E3CC-4d36-8C19-DD968E736E62}\stubpath = "C:\\Windows\\{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe"	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}\stubpath = "C:\\Windows\\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe"	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A118CE28-83C3-423a-AC59-24EFC4002337}	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}\stubpath = "C:\\Windows\\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe"	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3859FCEE-B156-4de3-8C41-F2D035668B34}	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe

Executes dropped EXE 11 IoCs

pid	Process
3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
4940	{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
File created	C:\Windows\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
File created	C:\Windows\{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
File created	C:\Windows\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
File created	C:\Windows\{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
File created	C:\Windows\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
File created	C:\Windows\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
File created	C:\Windows\{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
File created	C:\Windows\{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
File created	C:\Windows\{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
File created	C:\Windows\{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
Token: SeIncBasePriorityPrivilege	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
Token: SeIncBasePriorityPrivilege	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
Token: SeIncBasePriorityPrivilege	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
Token: SeIncBasePriorityPrivilege	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
Token: SeIncBasePriorityPrivilege	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
Token: SeIncBasePriorityPrivilege	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
Token: SeIncBasePriorityPrivilege	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
Token: SeIncBasePriorityPrivilege	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
Token: SeIncBasePriorityPrivilege	1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 3508	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	95
PID 4416 wrote to memory of 3508	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	95
PID 4416 wrote to memory of 3508	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	95
PID 4416 wrote to memory of 1068	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	96
PID 4416 wrote to memory of 1068	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	96
PID 4416 wrote to memory of 1068	4416	2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe	96
PID 3508 wrote to memory of 2908	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	101
PID 3508 wrote to memory of 2908	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	101
PID 3508 wrote to memory of 2908	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	101
PID 3508 wrote to memory of 4568	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	102
PID 3508 wrote to memory of 4568	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	102
PID 3508 wrote to memory of 4568	3508	{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe	102
PID 2908 wrote to memory of 2484	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	103
PID 2908 wrote to memory of 2484	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	103
PID 2908 wrote to memory of 2484	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	103
PID 2908 wrote to memory of 2196	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	104
PID 2908 wrote to memory of 2196	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	104
PID 2908 wrote to memory of 2196	2908	{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe	104
PID 2484 wrote to memory of 1256	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	106
PID 2484 wrote to memory of 1256	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	106
PID 2484 wrote to memory of 1256	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	106
PID 2484 wrote to memory of 1556	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	107
PID 2484 wrote to memory of 1556	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	107
PID 2484 wrote to memory of 1556	2484	{A118CE28-83C3-423a-AC59-24EFC4002337}.exe	107
PID 1256 wrote to memory of 3092	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	108
PID 1256 wrote to memory of 3092	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	108
PID 1256 wrote to memory of 3092	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	108
PID 1256 wrote to memory of 4852	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	109
PID 1256 wrote to memory of 4852	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	109
PID 1256 wrote to memory of 4852	1256	{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe	109
PID 3092 wrote to memory of 3484	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	110
PID 3092 wrote to memory of 3484	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	110
PID 3092 wrote to memory of 3484	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	110
PID 3092 wrote to memory of 1968	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	111
PID 3092 wrote to memory of 1968	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	111
PID 3092 wrote to memory of 1968	3092	{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe	111
PID 3484 wrote to memory of 2360	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	112
PID 3484 wrote to memory of 2360	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	112
PID 3484 wrote to memory of 2360	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	112
PID 3484 wrote to memory of 4952	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	113
PID 3484 wrote to memory of 4952	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	113
PID 3484 wrote to memory of 4952	3484	{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe	113
PID 2360 wrote to memory of 4600	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	114
PID 2360 wrote to memory of 4600	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	114
PID 2360 wrote to memory of 4600	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	114
PID 2360 wrote to memory of 1408	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	115
PID 2360 wrote to memory of 1408	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	115
PID 2360 wrote to memory of 1408	2360	{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe	115
PID 4600 wrote to memory of 2528	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	116
PID 4600 wrote to memory of 2528	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	116
PID 4600 wrote to memory of 2528	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	116
PID 4600 wrote to memory of 3260	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	117
PID 4600 wrote to memory of 3260	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	117
PID 4600 wrote to memory of 3260	4600	{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe	117
PID 2528 wrote to memory of 1040	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	118
PID 2528 wrote to memory of 1040	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	118
PID 2528 wrote to memory of 1040	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	118
PID 2528 wrote to memory of 4252	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	119
PID 2528 wrote to memory of 4252	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	119
PID 2528 wrote to memory of 4252	2528	{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe	119
PID 1040 wrote to memory of 4940	1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe	120
PID 1040 wrote to memory of 4940	1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe	120
PID 1040 wrote to memory of 4940	1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe	120
PID 1040 wrote to memory of 2028	1040	{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_0362eeb183d88fc10010dcfcb39223d8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
  C:\Windows\{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
    C:\Windows\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
      C:\Windows\{A118CE28-83C3-423a-AC59-24EFC4002337}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
        
        C:\Windows\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
        
        C:\Windows\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
        
        C:\Windows\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
        
        C:\Windows\{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
        
        C:\Windows\{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
        
        C:\Windows\{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
        
        C:\Windows\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe
        
        C:\Windows\{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe
        12⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6066A~1.EXE > nul
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{822F0~1.EXE > nul
        11⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28552~1.EXE > nul
        10⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3859F~1.EXE > nul
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B739A~1.EXE > nul
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40CC7~1.EXE > nul
        7⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8476~1.EXE > nul
        6⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A118C~1.EXE > nul
        5⤵
        
        PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA709~1.EXE > nul
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0370D~1.EXE > nul
    3⤵
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0370D7B4-1BA5-4fc5-B658-401558D486E5}.exe

Filesize
408KB

MD5
e4fd3d6cb9226aac4c6c19277f79203b

SHA1
eae130031de225fe7d4e8f4c72a0af956af68db8

SHA256
df72f7bf7bacb7545031464688ae56a274d1131fc1c687a20942cae6b5e67fc6

SHA512
176ae6ab2c826e01f91a1a36d20f92a2eeeb2857f7901f5106e515293caea5e17dbdcaedc1da6ceb7d3988fe2956194c477f96e33e0c0cfedd6eda130afab6ae

Download Submit
C:\Windows\{06C0C7EB-30D9-4602-833C-741962D1AF8D}.exe

Filesize
408KB

MD5
138ef3a8b8fd184bdd0c8d38f7cb5949

SHA1
74e923fb447af9bc8056e71d339d18e2c7c8900c

SHA256
574dd54db1775ef97351f4fbd299e18dbf6369481a8a1c9c8818845cf662a1fc

SHA512
2f898a91d9e23c6c1ace445fb70bc191b318f58ca2504699dffdef6e3074d373518c2b9b1f88943193a557338d45dd7258b70b5ecaa733d4b59ad8f440471dcf

Download Submit
C:\Windows\{28552337-2C5A-491c-BEF1-F02127E01CCA}.exe

Filesize
408KB

MD5
45d245ab02f6c2bd458a3ecc60702d20

SHA1
3a3e754ca115d85365ee8cccdba9174cccd5f584

SHA256
b28bf06be0ecc56f3ce05bbf2163871dbbd3d8c3245c1cdbb64a4ad1a9ea7276

SHA512
8779ce82dad2849d23da8dcd716fd2390d83f278fd02ec79dead376c835e7ee8c2f311eb82dee2c109ce94e6bd275b29987dae93f5f75fa7e7509aca5afd9361

Download Submit
C:\Windows\{3859FCEE-B156-4de3-8C41-F2D035668B34}.exe

Filesize
408KB

MD5
8c7614da5e5715fbd50a77cba57678f0

SHA1
2d9ff97a095df1714d0b8d7723558b289697afd7

SHA256
dd5a8fb44e6bece70d0a74ad7aa03e742a53801a1ae9266fd042893ab4592a5e

SHA512
4d6cb6619c15a51352840e2e7008d7d5edf319480151af5ac974b9ec0d5fce7ec1893c9c24497df6a28b473d011d26bee32efaacf7e781f7f9054daa42d8d83d

Download Submit
C:\Windows\{40CC7279-EE74-4681-AAD2-C6A7878B38E2}.exe

Filesize
408KB

MD5
f73ee8ee7e7bafe31937ef75839b4996

SHA1
a0d9714c98545bf8f3c8e2c4a5e15391c7046ca3

SHA256
fbace93dfaf8104452bc40272a872ca7c86eb24f5a48fd632776befb754ffcfd

SHA512
54a689941957e523e5ad790aeef73476af893dfbaf9e4c250506aa294358581019982b1629582f82506526bb4653dea337bceaaf30f904a7906fa69e9c756bb8

Download Submit
C:\Windows\{6066AE0E-0CEA-4382-B0C5-42514A961CCF}.exe

Filesize
408KB

MD5
8010cf3411e6c7532766164856020897

SHA1
c36bda2625082d0b6d5c978210f7cf1e19809f3c

SHA256
7c196168277d679799ccf6c5d3fed6a21a61c9628dc02992ac6314160726ff36

SHA512
d3199a26e0de440e92dfd5115bc379fbe1eac2cc21073722e252292ee0cae37fed1564ee6054ab3eddc36bd2f6db7833b71fc600ae2447f8e52a586376a241a8

Download Submit
C:\Windows\{822F0461-E3CC-4d36-8C19-DD968E736E62}.exe

Filesize
408KB

MD5
23b9a955c2344e52b4c3f1a5f56e6124

SHA1
ba199f7af9a3854867539741116a11f0311058c4

SHA256
69faa98f27f2d24c521fb94aa640e01f5e8d87fd91bed3f361b0fefde81d94ea

SHA512
5d1f57b2b55489f3c3f8203e945b25d4810d470c4764832dfd97afd4dc51965123b83a3b27bb0b306f0b5ddaa81f7351ac61b95a2ff33bf218f80a5b318d22c4

Download Submit
C:\Windows\{A118CE28-83C3-423a-AC59-24EFC4002337}.exe

Filesize
408KB

MD5
d352820677488f0a755f97ae1dd9616a

SHA1
0f1b1ab16677e8cab5558bc757b9820b22cea49d

SHA256
9de291d9bdc5a7cb2fd565c4b59d59467ce6fc9b380747b125d5d93e6ee692e7

SHA512
6be4ae926775226ffa358f83be34167c27052cef9afbe09eef98d3a2df3f49b1b259005d485ce3afcb4388aadcb5c71d94b1ae8cfe9ba9b8146cf97a0de0133c

Download Submit
C:\Windows\{AA7096B5-1B3A-430d-AA87-C59505EFEE73}.exe

Filesize
408KB

MD5
0f0bc97ffd9ca04c7c641fa7e3d9f222

SHA1
97ff6989ea7be5e56b8c657ce1e0460ca5938027

SHA256
2878fc7335cf62486af5ccffb35296d2681ef6fc59cb72850414e53caf6b6548

SHA512
fdfa7786cf9061d170bf246fc1663e3f43f0def88051bae346f2b3c3146384ae3aa94dbe1f0ca6bc298cac9b26ea3495c581b113bf4cd18b4fd16a812aae3a6b

Download Submit
C:\Windows\{B739AA7A-D84B-4f44-91DD-9AA54342C05B}.exe

Filesize
408KB

MD5
1706b787a5f589b85ba25df23e4c4da7

SHA1
59a89006e7e6a3b9767ab4d934b276aa652a2cf6

SHA256
a881097fcb4fb3ca9d34e50d765abef0d8b2f7e331733dbe2da9f3e0f55c9cb7

SHA512
ca76da0376361be14ae0815ac2b6286f112d8a9a736f2c6591bac6a1947c17cf09390fd1deaf32ad21c94036a414dcfbecc1b3ada082f3b496a463d642c2407a

Download Submit
C:\Windows\{E8476C54-81C1-401e-AA02-9BE6E4657A9F}.exe

Filesize
408KB

MD5
fc9131582a3f57e0a0519d0be199ecc2

SHA1
f111b31e53aa4ed001ab5247e889e60be43a6d50

SHA256
821ca7d4691e2279534fc3b415f1a03915feb2d36edb6f904e65c589681f13b3

SHA512
cc98e1be9d333f01e38e80938d3f0cd0d8da65de7c90a6a83bc27a55f2c22355c25d7ccdd43c330e3842472195f4f13edf9d2a900d2a4b8c6b84eb02e34d7768

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads