a6698c4d74235df65d8fd3c8b5e8934edc8583f909fc623aee4c4953fc575514

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
Size

204KB
MD5

fecdd6613a27e6c1c7f328fa461fe099
SHA1

cf80f206045d82d2d03ec798ec3f89c2b3ad7cad
SHA256

a6698c4d74235df65d8fd3c8b5e8934edc8583f909fc623aee4c4953fc575514
SHA512

6f16d4ded0570c02727333b9c6a63fac942c5a5341dfb5213d59682329e261bbab8606ccb1359d2a9f6efeb1be166f2ba282f2434783a386bf52a39b0aebe72c
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002325d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023268-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326e-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023268-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{226AB414-2689-48df-955F-F49E0FD16CFE}\stubpath = "C:\\Windows\\{226AB414-2689-48df-955F-F49E0FD16CFE}.exe"	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9F378F-A4A9-4072-B529-8D2414986D88}\stubpath = "C:\\Windows\\{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe"	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}\stubpath = "C:\\Windows\\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe"	{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68375FB-3C8D-4908-BA36-2A105A95935B}	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D69AB41D-E827-40a6-A40A-E77969B3500E}\stubpath = "C:\\Windows\\{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe"	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{226AB414-2689-48df-955F-F49E0FD16CFE}	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965A98F4-E80C-4c20-82A6-C2435C41B219}	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A120903-CE1A-4185-A20A-EFC27E514901}	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}	{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}\stubpath = "C:\\Windows\\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe"	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072C12C8-74FE-4f62-BF14-19EDD3412B22}	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9F378F-A4A9-4072-B529-8D2414986D88}	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965A98F4-E80C-4c20-82A6-C2435C41B219}\stubpath = "C:\\Windows\\{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe"	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}\stubpath = "C:\\Windows\\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe"	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}\stubpath = "C:\\Windows\\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe"	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F68375FB-3C8D-4908-BA36-2A105A95935B}\stubpath = "C:\\Windows\\{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe"	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}\stubpath = "C:\\Windows\\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe"	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A120903-CE1A-4185-A20A-EFC27E514901}\stubpath = "C:\\Windows\\{6A120903-CE1A-4185-A20A-EFC27E514901}.exe"	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072C12C8-74FE-4f62-BF14-19EDD3412B22}\stubpath = "C:\\Windows\\{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe"	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D69AB41D-E827-40a6-A40A-E77969B3500E}	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
3824	{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
4052	{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
File created	C:\Windows\{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
File created	C:\Windows\{6A120903-CE1A-4185-A20A-EFC27E514901}.exe	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
File created	C:\Windows\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe	{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
File created	C:\Windows\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
File created	C:\Windows\{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
File created	C:\Windows\{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
File created	C:\Windows\{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
File created	C:\Windows\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
File created	C:\Windows\{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
File created	C:\Windows\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
File created	C:\Windows\{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
Token: SeIncBasePriorityPrivilege	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
Token: SeIncBasePriorityPrivilege	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
Token: SeIncBasePriorityPrivilege	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
Token: SeIncBasePriorityPrivilege	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
Token: SeIncBasePriorityPrivilege	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
Token: SeIncBasePriorityPrivilege	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
Token: SeIncBasePriorityPrivilege	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
Token: SeIncBasePriorityPrivilege	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
Token: SeIncBasePriorityPrivilege	3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
Token: SeIncBasePriorityPrivilege	3824	{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4780	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	93
PID 380 wrote to memory of 4780	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	93
PID 380 wrote to memory of 4780	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	93
PID 380 wrote to memory of 5020	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	94
PID 380 wrote to memory of 5020	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	94
PID 380 wrote to memory of 5020	380	2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe	94
PID 4780 wrote to memory of 4684	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	100
PID 4780 wrote to memory of 4684	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	100
PID 4780 wrote to memory of 4684	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	100
PID 4780 wrote to memory of 4388	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	101
PID 4780 wrote to memory of 4388	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	101
PID 4780 wrote to memory of 4388	4780	{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe	101
PID 4684 wrote to memory of 5052	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	103
PID 4684 wrote to memory of 5052	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	103
PID 4684 wrote to memory of 5052	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	103
PID 4684 wrote to memory of 3396	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	104
PID 4684 wrote to memory of 3396	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	104
PID 4684 wrote to memory of 3396	4684	{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe	104
PID 5052 wrote to memory of 440	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	106
PID 5052 wrote to memory of 440	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	106
PID 5052 wrote to memory of 440	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	106
PID 5052 wrote to memory of 4772	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	107
PID 5052 wrote to memory of 4772	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	107
PID 5052 wrote to memory of 4772	5052	{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe	107
PID 440 wrote to memory of 1928	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	108
PID 440 wrote to memory of 1928	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	108
PID 440 wrote to memory of 1928	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	108
PID 440 wrote to memory of 64	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	109
PID 440 wrote to memory of 64	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	109
PID 440 wrote to memory of 64	440	{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe	109
PID 1928 wrote to memory of 4584	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	110
PID 1928 wrote to memory of 4584	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	110
PID 1928 wrote to memory of 4584	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	110
PID 1928 wrote to memory of 4212	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	111
PID 1928 wrote to memory of 4212	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	111
PID 1928 wrote to memory of 4212	1928	{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe	111
PID 4584 wrote to memory of 3724	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	112
PID 4584 wrote to memory of 3724	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	112
PID 4584 wrote to memory of 3724	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	112
PID 4584 wrote to memory of 368	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	113
PID 4584 wrote to memory of 368	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	113
PID 4584 wrote to memory of 368	4584	{226AB414-2689-48df-955F-F49E0FD16CFE}.exe	113
PID 3724 wrote to memory of 4004	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	114
PID 3724 wrote to memory of 4004	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	114
PID 3724 wrote to memory of 4004	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	114
PID 3724 wrote to memory of 4404	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	115
PID 3724 wrote to memory of 4404	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	115
PID 3724 wrote to memory of 4404	3724	{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe	115
PID 4004 wrote to memory of 4388	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	116
PID 4004 wrote to memory of 4388	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	116
PID 4004 wrote to memory of 4388	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	116
PID 4004 wrote to memory of 1860	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	117
PID 4004 wrote to memory of 1860	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	117
PID 4004 wrote to memory of 1860	4004	{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe	117
PID 4388 wrote to memory of 3100	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	118
PID 4388 wrote to memory of 3100	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	118
PID 4388 wrote to memory of 3100	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	118
PID 4388 wrote to memory of 4140	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	119
PID 4388 wrote to memory of 4140	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	119
PID 4388 wrote to memory of 4140	4388	{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe	119
PID 3100 wrote to memory of 3824	3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe	120
PID 3100 wrote to memory of 3824	3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe	120
PID 3100 wrote to memory of 3824	3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe	120
PID 3100 wrote to memory of 1632	3100	{6A120903-CE1A-4185-A20A-EFC27E514901}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_fecdd6613a27e6c1c7f328fa461fe099_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
  C:\Windows\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
    C:\Windows\{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
      C:\Windows\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
        
        C:\Windows\{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
        
        C:\Windows\{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
        
        C:\Windows\{226AB414-2689-48df-955F-F49E0FD16CFE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
        
        C:\Windows\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
        
        C:\Windows\{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
        
        C:\Windows\{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
        
        C:\Windows\{6A120903-CE1A-4185-A20A-EFC27E514901}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
        
        C:\Windows\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe
        
        C:\Windows\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22D5F~1.EXE > nul
        13⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A120~1.EXE > nul
        12⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{965A9~1.EXE > nul
        11⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A9F3~1.EXE > nul
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B24A~1.EXE > nul
        9⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{226AB~1.EXE > nul
        8⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D69AB~1.EXE > nul
        7⤵
        
        PID:4212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{072C1~1.EXE > nul
        6⤵
        
        PID:64
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F80~1.EXE > nul
        5⤵
        
        PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F6837~1.EXE > nul
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3DE~1.EXE > nul
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{072C12C8-74FE-4f62-BF14-19EDD3412B22}.exe

Filesize
204KB

MD5
be23defcca019a4f0aa66ae0e3ab41ab

SHA1
57055f9e26567dc26fe9bd7ea33cbc4c3b4771f6

SHA256
76fe7ee69346fac399da4c14262c9e6dec9f1698f0245160f59c306bc50b488d

SHA512
24a585311da4162380ddf37bd26d10a7cead47f5f301392f25d7f4bef8d0edea04bc5e610e3a6a7998e90c6d4a6635811b856b497ba4403568649757e2a7e8ab

Download Submit
C:\Windows\{226AB414-2689-48df-955F-F49E0FD16CFE}.exe

Filesize
204KB

MD5
972fcfd31182ed896417228796e2ae18

SHA1
92a99f330f19506b0fd8975df3251a32db3a4fe9

SHA256
1d01e00451c8de903fc7abaa3fef2867e587a318663d34704c834466f6ebfb48

SHA512
b67e2b8203c0e485727c6b9987645582fa472999abcbe208643c8d921af43977707bd10af827e50f83d1e576fadb26888b114ba5f8f8e19fa986776a5b8d25e0

Download Submit
C:\Windows\{22D5F6E2-40A1-43c1-B1AC-5B28F15AB512}.exe

Filesize
204KB

MD5
92d9ad85201982932e92e2b3080d1e1f

SHA1
fc3a7fa4b132ddb247a3deb67575440096480123

SHA256
2ce9f550a09b276a4659a9787a30fefc3bb96f6b1b05d0e15b4b5eea87b7a727

SHA512
8f7c6052ed924877d3e999f8b92e5dbaaa791335ffacddceb9a9f0c0d7544d20040c671b7ff9723f925c0c48fb08aff496bc21ee69bebc2957097a9f36002f79

Download Submit
C:\Windows\{3A9F378F-A4A9-4072-B529-8D2414986D88}.exe

Filesize
204KB

MD5
7cc23d00b1e8c3725baab0a7bd59b393

SHA1
12fac29d608ee13826f414dd3b2c0d410ea527ce

SHA256
a94ea46833c0b6f94e15a0e36ffe0251bf047be8199117b0c964f47fd6f3858d

SHA512
273b98160c3a99d1312c5f81d6a86e516bd8f08255a6d7623a266910974d40feeacefa835deec55ef630218ffb82fc4f2368606391f54d674eaab8c0f1436233

Download Submit
C:\Windows\{5D3DE5E2-3F0B-4523-9227-4939B9823C63}.exe

Filesize
204KB

MD5
8c14c84cb4d1c3ca7df1e65915237c5f

SHA1
0e919b445742bba3878963ad180e85af98134a15

SHA256
ecb8d5a81673b2ea63aa4f44d48b1bcddb47e11f23021b49867215d8e03023f0

SHA512
9f695f4afe5dd1480a347343ffcb1a174447b435c25c0c8d93055353bb6b01b6f5293812c60f2ec677c6361165a325cfc6964577ae1cb6fd0f2b1ff7edfd47ee

Download Submit
C:\Windows\{6A120903-CE1A-4185-A20A-EFC27E514901}.exe

Filesize
204KB

MD5
0e978eaa0ed71f4bba9b5287cc54868a

SHA1
93141c58b1d5fdcd30f37b22a08d8e8f62237ffd

SHA256
c194ebfd94463b636543492ebc54d52bd4332c10f5e21e1a5bbc868de4c1053d

SHA512
abb31771f0d9689ba30a3e1d8a7f20ff75eb2465030dbc2586ea4fc0bc08e830ec2391ea1cc967ef3c7b08a33771a36a6feed4761932a9b5105310695c219da2

Download Submit
C:\Windows\{8A8AF879-6E1D-41b4-8380-BB42D1D0755C}.exe

Filesize
204KB

MD5
63b7d8c4ef84b543b694f6a9ca50c7b4

SHA1
5d2812f10b25cb4089bb5cc2b978333180f6b653

SHA256
aac5099dcca965a1cdc2ba331bdcae2ad718ed7210221e86ae7537efa255aea4

SHA512
7a1452cc00f5018fe5f6d880ffa175b7b9ccb3d22bd3ded2082d7525329edb85af44f60248cb683f82a21065b6b35c6c2bc56ff4a6223edf6ce5cbb6f39d26b9

Download Submit
C:\Windows\{965A98F4-E80C-4c20-82A6-C2435C41B219}.exe

Filesize
204KB

MD5
0821d8ddf28df169ce1ce9e90370c7b5

SHA1
99630a8b8f4464811863ffedd325db983dcaadbf

SHA256
67cc5132bc75d095c9c371c9e5ff886bcd6438397afa8a5e99e302f7ef0ffc57

SHA512
441bb5ec911dd1eb04d27a30ba58e974426890cd830cf713b4815127f7790858223b3d382a06498c5f5c6d2073b083830ed8808028717612d96b5929ef0c04be

Download Submit
C:\Windows\{9B24A633-F3CD-48e6-B9EF-005F9BBD4C68}.exe

Filesize
204KB

MD5
f18313695af8d744cf68145ff4d24850

SHA1
aee28e67eeb4a3a046a9d7b7aa78349020f36890

SHA256
53de2ab5bf6029adb0bed6c077638f9539106e0a0a797bc2b0f759c41828c4e6

SHA512
3289756aec45a5c2c6bd45c2dcebc0e39ea49492d992821359b8c8a1839c826521a7ab616e1ad47cd4d9331011598c8f031784b209a064eddbd15d70652e840b

Download Submit
C:\Windows\{A7F80C4F-1E55-42d4-AF2D-79D90637E08A}.exe

Filesize
204KB

MD5
de4d0fbd49e4f2dfc78b7780fc502ad9

SHA1
a14aca772b886ccaaa14c6d598ec9be576d4336d

SHA256
e703d1bd6ebba79a8d2079b2c72355e4e1886a5ae185cc124df22d364bc96e18

SHA512
a2821b23bd2dd38b4ea08f30d58a840829a8f6ec9187f6c65588f5b23cd2b98b08033aad17fddd9940cb84c86650f812faf61bbd416d2ca6dc4918a9b549529d

Download Submit
C:\Windows\{D69AB41D-E827-40a6-A40A-E77969B3500E}.exe

Filesize
204KB

MD5
57a9b70b25327681b39792ba4e40013a

SHA1
82af0587eb08b748613de1bffd197d66059e6bce

SHA256
76826817dcdc79762bf9a78d5048f30a59f56fc9c893d8b1d120abfaa4b15518

SHA512
82d1b8f160e2082e015a5ae961855b8a53eae081ffdd2ea9b0399b63397646512afe1789485e1a45085b95f9db8c14531cccc2e824ba5ee1dee923215373053b

Download Submit
C:\Windows\{F68375FB-3C8D-4908-BA36-2A105A95935B}.exe

Filesize
204KB

MD5
d1520440f4f4351c8b2b8d6bdc8a3e67

SHA1
328f28f7628b1065ddeedb350fac483445fe5f42

SHA256
8b9efe59f9cd712faa99be3fb5fbf86a4241473ad4a7aa3e4b7c9a6612578d1b

SHA512
3ec908c4b4c390385b0a28aac591e38276bbad4ce7e21f51e9008364ea66fd79969c3ed0ffd6823a0d6ba095504a8369354b9eb24ebff6bc95e374d5a9156975

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads