hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Resubmissions

01/03/2025, 12:05

250301-n9ewpszxft 10

01/03/2025, 12:02

01/03/2025, 12:00

01/03/2025, 11:57

01/03/2025, 11:54

01/03/2025, 11:51

01/03/2025, 11:48

01/03/2025, 11:46

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Score

10^/10

agilenet defense_evasion discovery trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
35	4052	msedge.exe
35	4052	msedge.exe

Executes dropped EXE 3 IoCs

pid	Process
788	BlueScreen.exe
680	MrsMajor3.0.exe
2264	eulascr.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002aea1-333.dat	agile_net
behavioral1/memory/2264-335-0x0000000000F20000-0x0000000000F4A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
15	drive.google.com
35	raw.githubusercontent.com
39	drive.google.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002ad77-239.dat	upx
behavioral1/memory/788-249-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/788-251-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 308839.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
3896	msedge.exe
3896	msedge.exe
4684	msedge.exe
4684	msedge.exe
4540	identity_helper.exe
4540	identity_helper.exe
2056	msedge.exe
2056	msedge.exe
3860	msedge.exe
3860	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	eulascr.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
680	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4724	3896	msedge.exe	81
PID 3896 wrote to memory of 4724	3896	msedge.exe	81
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4112	3896	msedge.exe	82
PID 3896 wrote to memory of 4052	3896	msedge.exe	83
PID 3896 wrote to memory of 4052	3896	msedge.exe	83
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84
PID 3896 wrote to memory of 5060	3896	msedge.exe	84

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9077c3cb8,0x7ff9077c3cc8,0x7ff9077c3cd8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:2252
- C:\Users\Admin\Downloads\BlueScreen.exe
  "C:\Users\Admin\Downloads\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:1076
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:680
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\AD62.tmp\AD63.tmp\AD64.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\AD62.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\AD62.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8751612707618715168,14180542242381134350,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0517a9ec1a0298a87dac0ad50c998d79

SHA1
c01cab2a1ffb6180134315d827709b46d07018ea

SHA256
084f62f24d15ce30e231b1690497a004070932b3618e06d6b26079a489f689a5

SHA512
d9be6c0e55a74137b1e6dc882b0e665cb6c18fe80ff585cccff0bd4fc32923b155b62000492613c861b3f0cbfa8996dac7ca12d66fcf06d1b1d0e57294dee84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
236fd72d944b494ed36178d8c80baa40

SHA1
affaef8eea7ac675dfccc68528f9cc828906d209

SHA256
c84f8f8ff1471655a154db4ba294d245cdcee376bd482f7b433b42f28d4f0184

SHA512
6db4bcd8f81de26f8d5a350019f45be7fe00c3531efbc2cf8e96c696b4e75acc81514fbe10c02410895fa318ec1d2c0bfec429da97451d32d9b0a8c340b2894b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b3298a4d834ae14cc908313a0a03ba3a

SHA1
4a4176c5f871bbc5afbfe875b5fd2985606b7af3

SHA256
923f84f3747ff29fb8e3fb49abcc6fb41b5ecd809cb321d4e6cc28743cb6c6dd

SHA512
f005b9d485e1e1ea6bea2de9ac521c851a3b5ce93f6174edbaaa73ca0036b91e348dc5ce9b7e8ba2d55a3d36f4be14e5ba94182d1c2aa1b58d3ad402a05dea69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
f6b24ad07edab42c88540a87562c81de

SHA1
dd8691937a6a089fd58b9db56b6f599022b48168

SHA256
ab8d2b9c88df9ac33fbf60ee72a5d8c84d0dbb28ebc1de08a4bae02a8af8071f

SHA512
5fa8a1df39ee12048ba5817c1962cb897a3454d69d78ad4c40e0f72fe04c4ccfca674a2d629dba8376f2862ca587163435318d4cd7b5ab5c64ec03703322ae1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b71c8b5e1e1b5cbee1bb009546f6d8a3

SHA1
f6a12b8562df57c9adf29bb3944b359dd90d3258

SHA256
2c6eb151edbd8e1dc8685276f89d3d1ad76770691c5b9910279c2bac3b842bd7

SHA512
62b91036f5c38ad5d9e7ca5e54e806adec49e522744d392fb2e9a7da54b0c57b5f4c781e874426be64c99090b350eec03fa2cad480a4a0034dbdb586b224d46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f426d12d815ec20ae57d7fd3b742a60b

SHA1
d156820016be05f5cf8ccfd64fdf246962926ada

SHA256
c9d5466ae3fc5d895ee2472ded92bb9d4de5078f2e67a88cf0969b1c7dbd39a8

SHA512
472d6bd1f0a18a3ede59ac5a7b9ff5103af0d2cb3c3d01e79aab63ca97e593cdbce657d791fec58d524b04bd5d802d436e37f999555de7aaf65f0cb17dfe3357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fb4af3cc814f8bf143a169baa912cf2f

SHA1
5bb60147315523699ef2fd47ea3fdd6f720d7844

SHA256
3329b31156287a608d3e0e3d698f8f265b45bb19084c083e5c48964d8f0d613e

SHA512
9266a01abde51d6035fcea6cb65df0f683e23ee1e62ac5281316d95d3e98c645030bf4a79f50870b4fadca9bb94a662a0461584dbd93ab340b71b253c86e3392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
263ab7d28fbbe9a83adf0f2a4fc890db

SHA1
11113b5b477e15ef1c5529db1c7efa63715bfc44

SHA256
e84088562e904d1b901dcea083566f4b3b0a19f69fa2fb67c913ff5b6ec608c4

SHA512
813f593ebd7051830cc62fec1adc1cbd1877e3f2db743d72b38a670583f86feb1e5ad1d6032a87d26ce8df7f318bdf00b730993078808d58d234a24ad7eee4f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
50144449b85d1d1261e0d2f961c936b7

SHA1
ce111b57586067ab5a0e9ac24632560971e958a2

SHA256
6edc24861243043cec49c400b34b8fe2b477e1f7c917fa974f3997f92d1c2649

SHA512
399f40aed40394df703d7393e39357cbb5eb062bdc1400e803dae621aca542476add94911289e476a2ce3d654a6b1fdbeb1fc618e27829a0ede48b619ece2c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6773cef13e2b6acee21e20b4cbee8a5d

SHA1
0340e9393698ccff6ead3c061375fe7237ab71be

SHA256
ba2610b11fe07d861902e131c5f6562f440e36bac81b6bfbb861c3bda928d009

SHA512
3e177bd3bda5028c28d247654fd25ca82650a6e8958376e5678895d6037be6933f0d336d816b8a050f416784c93393fa83f08d2aa816ab5cd1ebff63bb44af3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1024B

MD5
354f6d67f1a7ae0fb771e18825b113a9

SHA1
748c9464d9a7c14d2906f661cc67afb16e178217

SHA256
c7a8563cd289bd3f2217556325ad9b998b092fa0f76a8482327eea2bbdbdbea0

SHA512
49111e1f690ed83271b5a5d2d015fc9bb7e66368a2fd6cea69cc4929c103dcb1e55594088514999b7a09b7263bf06a06861415e6bb8c2a93c1d7e25f5ba672ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c5f.TMP

Filesize
864B

MD5
88c0b68de34de390d61a9494bf0e2723

SHA1
b642279a9a56638ba4b904c4ac5271c225406f65

SHA256
a4a362bea0e58ea3a7a89f0d2230d22a1a50233db343684db289b36caaa0faf1

SHA512
1d029e373820670063ed83b96fee00a21163d0a3448faa0a055f071e3928fd0b8de02cd6f6741a747a7d37c88de21d2c5603646e2a7ece2b4b25e0421942f193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4477d99e5d3afb28c0c3df014e889c08

SHA1
c016aedfe21c789f5de09e478d804fc10d915605

SHA256
9c68ab4f262b24c0a702a549baa1772f06474f24130a8421ff85cd23a26c1da9

SHA512
45670bc8ef6cf41e1b3e4ac89cabe7cb57caacf004665b3053ab3c5891c3bc230d2222efe822b03cd3d2ea8a0efc2628bf5003bc5bf42844fb334aa399ed2f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
277f6ab7fc32af56f6f66f6a12f83b14

SHA1
0bc720aeadd81551b5d00cd58cab35ee06f637ea

SHA256
4b6d53cc16f212ee3c803688d53c9148226867958a3b4516a58129093db4643f

SHA512
facc384b4895074c9529e6453e65c8b1b306937770ae621c9ad3650615c16fc7e16a5572e7ea465b6253e50a4182114823670f04d4d9f136d5db633e33b86b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c3690237784bda015dc43bf6873b712

SHA1
ce25ac9c4c3fa2abc94a268a36f63efd529e4fc2

SHA256
156efbe50ee8169138164be3de272dc0748658a4d066b4bc99676ac9587177d6

SHA512
098fc62bc5dbbd9640f0c390dee3bcb1ac1cb350e2e6f68c1ac7bebf8636b752dd4eada4948baf9cd637cbdd136325708d776764ec4bce7f102bcdbbfc2e8187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ee501dfc7ce6d28c11a62352ac9627d4

SHA1
f3bd82ebe095696293cf4611841634ce34644996

SHA256
29bba10f16580b8c6cd61f9a226392679584d559d77e26c6b23e9fa02dba0db1

SHA512
f72522f98ade1e2ff2661c21d28aa1debb68a2370f411c80d949c8aba3dd0e1d4d573033241d4b8f4ef3ee1a0930f9caceede8e85fbf08dfc51ccad4d68e0140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
effc36d0c7a06d1008653925fb2141b4

SHA1
ab64c66a9383b1dfdacc3999b1b4c8e7d0c78be2

SHA256
9f2b1db404cb918cc0714fbd85c7ef575a40ac77c298e4f5dd1f6278c45b6355

SHA512
1b9fd4235557838a77b478ad55dcfc7bc2b8b433ab747c4996511258743299e439c29658ec25ead86a6a5836f00f53ac5e1c0b20a7a3fc46a9b0acde93f1c5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD62.tmp\AD63.tmp\AD64.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD62.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 399462.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
memory/788-251-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/788-249-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2264-335-0x0000000000F20000-0x0000000000F4A000-memory.dmp

Filesize
168KB

Download
memory/2264-342-0x00007FF8F2190000-0x00007FF8F22DF000-memory.dmp

Filesize
1.3MB

Download
memory/2264-343-0x000000001D810000-0x000000001D9D2000-memory.dmp

Filesize
1.8MB

Download
memory/2264-344-0x000000001DF10000-0x000000001E438000-memory.dmp

Filesize
5.2MB

Download