dd279f0043983caccba4329ddf58bb78c3c4a458c90dc52bf3bb47aef489e235

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Size

408KB
MD5

f8d93471c325600b7af6c5beeebedba3
SHA1

de9b87164f5590b892ddff9a8ea1bb84977c0556
SHA256

dd279f0043983caccba4329ddf58bb78c3c4a458c90dc52bf3bb47aef489e235
SHA512

23e23434f59c01bd8f5715971fcd3dfbaa6ece3fa97628848fa9664da08923f0d3e3b01e2a348c5d7cbcdbdbded8fe9444d16c583b96831e83b071b0954f9aba
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGtldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023240-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023244-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023251-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023110-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023251-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CD861B-C376-4623-80B6-DC76B08633B2}	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B180FE3D-E561-4b39-9674-9F981EC50CF7}	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABF166A3-FC10-45a5-A350-5237458F155E}\stubpath = "C:\\Windows\\{ABF166A3-FC10-45a5-A350-5237458F155E}.exe"	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}\stubpath = "C:\\Windows\\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe"	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872104FE-7CF7-455c-9826-DABEAB6145CD}\stubpath = "C:\\Windows\\{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe"	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{913DFB1C-482C-4a7d-9306-A62100396962}\stubpath = "C:\\Windows\\{913DFB1C-482C-4a7d-9306-A62100396962}.exe"	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0935E5-96B9-4b24-A5A3-431075A62018}	{913DFB1C-482C-4a7d-9306-A62100396962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0048D5-71EE-459e-9099-84C9737D5C17}	{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}\stubpath = "C:\\Windows\\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe"	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872104FE-7CF7-455c-9826-DABEAB6145CD}	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0935E5-96B9-4b24-A5A3-431075A62018}\stubpath = "C:\\Windows\\{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe"	{913DFB1C-482C-4a7d-9306-A62100396962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B180FE3D-E561-4b39-9674-9F981EC50CF7}\stubpath = "C:\\Windows\\{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe"	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}\stubpath = "C:\\Windows\\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe"	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}\stubpath = "C:\\Windows\\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe"	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABF166A3-FC10-45a5-A350-5237458F155E}	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{913DFB1C-482C-4a7d-9306-A62100396962}	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92CD861B-C376-4623-80B6-DC76B08633B2}\stubpath = "C:\\Windows\\{92CD861B-C376-4623-80B6-DC76B08633B2}.exe"	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}\stubpath = "C:\\Windows\\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe"	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0048D5-71EE-459e-9099-84C9737D5C17}\stubpath = "C:\\Windows\\{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe"	{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe
60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
4080	{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe
2232	{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
File created	C:\Windows\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
File created	C:\Windows\{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	{913DFB1C-482C-4a7d-9306-A62100396962}.exe
File created	C:\Windows\{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
File created	C:\Windows\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
File created	C:\Windows\{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe	{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe
File created	C:\Windows\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
File created	C:\Windows\{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
File created	C:\Windows\{913DFB1C-482C-4a7d-9306-A62100396962}.exe	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
File created	C:\Windows\{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
File created	C:\Windows\{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
File created	C:\Windows\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
Token: SeIncBasePriorityPrivilege	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
Token: SeIncBasePriorityPrivilege	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
Token: SeIncBasePriorityPrivilege	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
Token: SeIncBasePriorityPrivilege	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe
Token: SeIncBasePriorityPrivilege	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
Token: SeIncBasePriorityPrivilege	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
Token: SeIncBasePriorityPrivilege	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
Token: SeIncBasePriorityPrivilege	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
Token: SeIncBasePriorityPrivilege	3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
Token: SeIncBasePriorityPrivilege	4080	{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3768	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	90
PID 2368 wrote to memory of 3768	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	90
PID 2368 wrote to memory of 3768	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	90
PID 2368 wrote to memory of 2064	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	91
PID 2368 wrote to memory of 2064	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	91
PID 2368 wrote to memory of 2064	2368	2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe	91
PID 3768 wrote to memory of 3224	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	96
PID 3768 wrote to memory of 3224	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	96
PID 3768 wrote to memory of 3224	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	96
PID 3768 wrote to memory of 1920	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	97
PID 3768 wrote to memory of 1920	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	97
PID 3768 wrote to memory of 1920	3768	{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe	97
PID 3224 wrote to memory of 1256	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	102
PID 3224 wrote to memory of 1256	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	102
PID 3224 wrote to memory of 1256	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	102
PID 3224 wrote to memory of 2688	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	103
PID 3224 wrote to memory of 2688	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	103
PID 3224 wrote to memory of 2688	3224	{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe	103
PID 1256 wrote to memory of 1048	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	105
PID 1256 wrote to memory of 1048	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	105
PID 1256 wrote to memory of 1048	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	105
PID 1256 wrote to memory of 3352	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	106
PID 1256 wrote to memory of 3352	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	106
PID 1256 wrote to memory of 3352	1256	{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe	106
PID 1048 wrote to memory of 2572	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	107
PID 1048 wrote to memory of 2572	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	107
PID 1048 wrote to memory of 2572	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	107
PID 1048 wrote to memory of 3344	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	108
PID 1048 wrote to memory of 3344	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	108
PID 1048 wrote to memory of 3344	1048	{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe	108
PID 2572 wrote to memory of 60	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	109
PID 2572 wrote to memory of 60	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	109
PID 2572 wrote to memory of 60	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	109
PID 2572 wrote to memory of 1100	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	110
PID 2572 wrote to memory of 1100	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	110
PID 2572 wrote to memory of 1100	2572	{913DFB1C-482C-4a7d-9306-A62100396962}.exe	110
PID 60 wrote to memory of 1808	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	111
PID 60 wrote to memory of 1808	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	111
PID 60 wrote to memory of 1808	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	111
PID 60 wrote to memory of 4208	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	112
PID 60 wrote to memory of 4208	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	112
PID 60 wrote to memory of 4208	60	{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe	112
PID 1808 wrote to memory of 3804	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	113
PID 1808 wrote to memory of 3804	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	113
PID 1808 wrote to memory of 3804	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	113
PID 1808 wrote to memory of 1680	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	114
PID 1808 wrote to memory of 1680	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	114
PID 1808 wrote to memory of 1680	1808	{92CD861B-C376-4623-80B6-DC76B08633B2}.exe	114
PID 3804 wrote to memory of 760	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	115
PID 3804 wrote to memory of 760	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	115
PID 3804 wrote to memory of 760	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	115
PID 3804 wrote to memory of 1040	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	116
PID 3804 wrote to memory of 1040	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	116
PID 3804 wrote to memory of 1040	3804	{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe	116
PID 760 wrote to memory of 3436	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	117
PID 760 wrote to memory of 3436	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	117
PID 760 wrote to memory of 3436	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	117
PID 760 wrote to memory of 4040	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	118
PID 760 wrote to memory of 4040	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	118
PID 760 wrote to memory of 4040	760	{ABF166A3-FC10-45a5-A350-5237458F155E}.exe	118
PID 3436 wrote to memory of 4080	3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe	119
PID 3436 wrote to memory of 4080	3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe	119
PID 3436 wrote to memory of 4080	3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe	119
PID 3436 wrote to memory of 3576	3436	{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_f8d93471c325600b7af6c5beeebedba3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
  C:\Windows\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
    C:\Windows\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
      C:\Windows\{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
        
        C:\Windows\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\{913DFB1C-482C-4a7d-9306-A62100396962}.exe
        
        C:\Windows\{913DFB1C-482C-4a7d-9306-A62100396962}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
        
        C:\Windows\{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
        
        C:\Windows\{92CD861B-C376-4623-80B6-DC76B08633B2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
        
        C:\Windows\{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
        
        C:\Windows\{ABF166A3-FC10-45a5-A350-5237458F155E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
        
        C:\Windows\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe
        
        C:\Windows\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe
        
        C:\Windows\{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe
        13⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A71B~1.EXE > nul
        13⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0C~1.EXE > nul
        12⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABF16~1.EXE > nul
        11⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B180F~1.EXE > nul
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92CD8~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD093~1.EXE > nul
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{913DF~1.EXE > nul
        7⤵
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54F6E~1.EXE > nul
        6⤵
        
        PID:3344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87210~1.EXE > nul
        5⤵
        
        PID:3352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10CCB~1.EXE > nul
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E77C7~1.EXE > nul
    3⤵
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10CCBE58-7D66-4530-99B6-67F036A3A8E8}.exe

Filesize
408KB

MD5
1f5a9afc347518252cc30b55fb6bde87

SHA1
0a2dca5c4f6410d674885b34086c81ae5423c58c

SHA256
d93f9cba9efcbce9e2f083aa6b21ee4506573e2c4d0526ba62906432c344f9b8

SHA512
5e9b7ada99316fe8332282b9bd18c8b5db43336774d7149275883ec540b52752447d8e88a1accc15f462b832efe4d0586190e09e8e87985317fa7baa69b1f6d9

Download Submit
C:\Windows\{3A71B07C-BF19-4a98-B1FD-4BD80F3AF5A2}.exe

Filesize
408KB

MD5
96b0d24a19222f723d534f5aa2998ecf

SHA1
b6206e8a35f2208d1aebd861bdd1a395571a7e9e

SHA256
86ca450e40ab749e41e591048f1889e565257c66ebce4f40e544fe49ca2153b4

SHA512
7aabaf35bf2e143053f51369c62f4efecec3a6ce0c1d35cfe80077f8b690b2a666823bd183a9d12ab2f8a1d51a2d1de34193d3a5a69c4c2cea450c5f283bf4da

Download Submit
C:\Windows\{54F6ED80-D267-44a7-86FF-96BC3FD5F803}.exe

Filesize
408KB

MD5
ffc3650ae50cd0ba299ea8e609cc97c9

SHA1
5002f5ad075d58426a957ee81d06835ffccd90e6

SHA256
687416a7278561cc3bcb74eab121e1a8715dc74e7a6083cd465e8ad037bcd288

SHA512
4db6fe64d217ba7ebd4192deeb12845e0ece127b1d0f9023dfe46b402484c59ff8bf6e5c8463b9a317379781d07f9084c3352abe9de15c1b531dc4f75a2457e4

Download Submit
C:\Windows\{872104FE-7CF7-455c-9826-DABEAB6145CD}.exe

Filesize
408KB

MD5
a3b618f5e954c4a131ee02e23dcd1711

SHA1
2f9bbeea334fab38c4c1ae20649e1b5380986e75

SHA256
10eb1bf5314eb4408bafe30cb7deaed9acdd926d119414e36ce9f98cd0617c38

SHA512
fc5d1f8bd1bd026b9f00657b31073eb6a6b6ae02d6ab55b4cc8e61dd18a3c0928cd2f6219c7101333ed3a4d5a3720577c53cfce577f7e93ef22e7355f7f53707

Download Submit
C:\Windows\{913DFB1C-482C-4a7d-9306-A62100396962}.exe

Filesize
408KB

MD5
6cd4bb1b5dea8fdd27d1de4b13b74bde

SHA1
6284816872c419556dd5fca99f9425445bc5de5b

SHA256
92292da23ca598e8c7e414bfce626c6ebfd796ad864d4ab3c6c8f5a7bf7474be

SHA512
ebde9b74ca025a1409ff6dd6961b2f91b787d1ef44748e9d54db085cf7a684642b7482bdb8f43fc6f7a12c10003924d5b9c92cb468f0f1db544742849c856cb7

Download Submit
C:\Windows\{92CD861B-C376-4623-80B6-DC76B08633B2}.exe

Filesize
408KB

MD5
037a89bf8defd1a91dec7f5eee12e3c5

SHA1
8d9598098c12aa8df3310e91bf178a2cd8c5151b

SHA256
fd8c44a5d24a9ff26e944072e08886230196b38030b44a4811beea1dfceeb196

SHA512
a039008be892becc961ee1a8de94a1ff877b58802763e5d8a25afa185305165a53ed2a5052311865fb671fa451dfbc4410a1ca6c0aba23045b4698e9d857c9de

Download Submit
C:\Windows\{ABF166A3-FC10-45a5-A350-5237458F155E}.exe

Filesize
408KB

MD5
2ade0e72678d9c9a92167a87adbafada

SHA1
a062a46b4c8046309b2edee5782c0520eedf10ee

SHA256
754ef7d38bdafc201add50951452ce448aead4106e485a493d9f758f8d1d34bd

SHA512
e0c868ae18d174d81069d67f17fab7530ff6a9905510cab10c4dd51df28093d7ad2b9bfc02a44fb27bc1dcc7521f50d0ef947acb95cb7ef24fd9c40aa21a3a95

Download Submit
C:\Windows\{B180FE3D-E561-4b39-9674-9F981EC50CF7}.exe

Filesize
408KB

MD5
3023c92768655711f583e154464509b2

SHA1
253d54d5ce2d2cd89705ff60e443c4ad2a6ca3a4

SHA256
f9f0d0b55c8e61acf2dc8e09ac96b6b71d6a3dd607193a1267d19f4ceb6d4a1c

SHA512
69b68d9c40c50ba82f6bafdbdafdc036a85abee841c30030c150c2cff357f71bbd31c7af505c6175fde40fb5c6e731ab76644a1d3607851ecaa12b86cf308b79

Download Submit
C:\Windows\{CD0935E5-96B9-4b24-A5A3-431075A62018}.exe

Filesize
408KB

MD5
235611c32619e40c8034bc1db557f451

SHA1
c42c4ac279cac7e27c74ebe378fe64fb278db5af

SHA256
f1b90fbf247ab029286bec51ae7189f9c5b90636d46fa836fe8ce83b04b7c288

SHA512
8b81353d9b851904392172bdf22f92236695b02cc44905b2abebccdec503c46a65016b823380ba0a3fd9330b10c385b8b5f611a04532c4e8e162e89587befdcf

Download Submit
C:\Windows\{D5F0CB43-1BBD-4484-B794-641BA6E095BC}.exe

Filesize
408KB

MD5
f1f592dd923f28b75b7449381290a601

SHA1
551c358c571d5dc6546bc8bf1b9a84ece8003e41

SHA256
4e1f71d976ec32943fd194745cb6e08b923aa91e34ede4a9ba309720548efaf2

SHA512
4c1d10787dc2cbbc57696351e04131208ce44713269087a0cb6b329f535c7f54142c8d03a05caf987a366e3e97de6b99fb2955acbad8b59de82ffba241973205

Download Submit
C:\Windows\{DA0048D5-71EE-459e-9099-84C9737D5C17}.exe

Filesize
408KB

MD5
c5eff1bf1b1bb3004a3ca3bc0876bdb0

SHA1
0177c9826f2603e555194aec4afcdaf6d62bc0d2

SHA256
f45240b7e719ee50eec5bfe606948575627f47206de4fa8740656d6fe5b27818

SHA512
4ad06055f8be8d46a728c55e438ab21fc6851c20ee0c231fcd5a12b4c2466802c14919614db6f3a61b120696e8cb3540ae0aa13e498168bf89fc7f96d1085edf

Download Submit
C:\Windows\{E77C715E-8EC6-4dc3-ACDE-F82CA7B35D39}.exe

Filesize
408KB

MD5
7024509be8b0c75df202c68db467f4d8

SHA1
7c23a032fcddc545dbd5feac5d06ae6a0a42a188

SHA256
7fa322d7c07ed21d98fdc9b8733bfc27257103ed62185ad25b9eee1f25813d0f

SHA512
aec9cf640e49a089256fae9b7dafd102ecf4f97657e91fc32e9a1e6fe31381d54db9cfe758206a05ea7dc0d596cadae3136bd1c6074edd6443fc5275a653cd3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads