92ef050adeccd487569f8839d845c413f7891ae11ece63677d3271dd81da888a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Size

408KB
MD5

de2f7d8796c1a582c314f11f98351e18
SHA1

ceb6abd026aad9685f1f15a8ff32158b3611dfbd
SHA256

92ef050adeccd487569f8839d845c413f7891ae11ece63677d3271dd81da888a
SHA512

8d334a4bb8ef9bfacd90da89dff91e61c02fcc89216bb4f8ce56abc18b08ff04cb9aaabf666b606178f6bc1e8e6912d50b590045785a51a1798ce9cf0dc3fab2
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGnldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002325e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023265-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023271-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023265-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023271-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}	{A2096729-6A14-417c-84A9-FABC8B119506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B51BB0A5-977F-4989-B888-04C597E62E55}	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}	{51790225-4CDA-4a21-B438-B62ACA698470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}\stubpath = "C:\\Windows\\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe"	{A2096729-6A14-417c-84A9-FABC8B119506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51790225-4CDA-4a21-B438-B62ACA698470}	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E94709-5DF3-49cf-B35E-8E38C94869D5}	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C864404-D152-411f-A454-4349B1BF3612}\stubpath = "C:\\Windows\\{5C864404-D152-411f-A454-4349B1BF3612}.exe"	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2096729-6A14-417c-84A9-FABC8B119506}	{5C864404-D152-411f-A454-4349B1BF3612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}\stubpath = "C:\\Windows\\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe"	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}\stubpath = "C:\\Windows\\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe"	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{411C3671-7E1A-4efa-8990-EFC3929E4B18}\stubpath = "C:\\Windows\\{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe"	{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51790225-4CDA-4a21-B438-B62ACA698470}\stubpath = "C:\\Windows\\{51790225-4CDA-4a21-B438-B62ACA698470}.exe"	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F119868-921C-43c4-BE24-552A7E43DF35}	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F119868-921C-43c4-BE24-552A7E43DF35}\stubpath = "C:\\Windows\\{1F119868-921C-43c4-BE24-552A7E43DF35}.exe"	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B51BB0A5-977F-4989-B888-04C597E62E55}\stubpath = "C:\\Windows\\{B51BB0A5-977F-4989-B888-04C597E62E55}.exe"	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E94709-5DF3-49cf-B35E-8E38C94869D5}\stubpath = "C:\\Windows\\{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe"	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C864404-D152-411f-A454-4349B1BF3612}	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2096729-6A14-417c-84A9-FABC8B119506}\stubpath = "C:\\Windows\\{A2096729-6A14-417c-84A9-FABC8B119506}.exe"	{5C864404-D152-411f-A454-4349B1BF3612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B72D6C-8754-4451-8321-E9B20F9B5194}	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}\stubpath = "C:\\Windows\\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe"	{51790225-4CDA-4a21-B438-B62ACA698470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{411C3671-7E1A-4efa-8990-EFC3929E4B18}	{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6B72D6C-8754-4451-8321-E9B20F9B5194}\stubpath = "C:\\Windows\\{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe"	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe
4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
832	{5C864404-D152-411f-A454-4349B1BF3612}.exe
3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe
1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe
3948	{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
3552	{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
File created	C:\Windows\{51790225-4CDA-4a21-B438-B62ACA698470}.exe	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
File created	C:\Windows\{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
File created	C:\Windows\{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
File created	C:\Windows\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	{A2096729-6A14-417c-84A9-FABC8B119506}.exe
File created	C:\Windows\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
File created	C:\Windows\{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe	{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
File created	C:\Windows\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	{51790225-4CDA-4a21-B438-B62ACA698470}.exe
File created	C:\Windows\{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
File created	C:\Windows\{5C864404-D152-411f-A454-4349B1BF3612}.exe	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
File created	C:\Windows\{A2096729-6A14-417c-84A9-FABC8B119506}.exe	{5C864404-D152-411f-A454-4349B1BF3612}.exe
File created	C:\Windows\{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe
Token: SeIncBasePriorityPrivilege	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
Token: SeIncBasePriorityPrivilege	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
Token: SeIncBasePriorityPrivilege	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
Token: SeIncBasePriorityPrivilege	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
Token: SeIncBasePriorityPrivilege	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe
Token: SeIncBasePriorityPrivilege	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe
Token: SeIncBasePriorityPrivilege	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
Token: SeIncBasePriorityPrivilege	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
Token: SeIncBasePriorityPrivilege	5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe
Token: SeIncBasePriorityPrivilege	3948	{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3104	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	91
PID 2116 wrote to memory of 3104	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	91
PID 2116 wrote to memory of 3104	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	91
PID 2116 wrote to memory of 2704	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	92
PID 2116 wrote to memory of 2704	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	92
PID 2116 wrote to memory of 2704	2116	2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe	92
PID 3104 wrote to memory of 4088	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	100
PID 3104 wrote to memory of 4088	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	100
PID 3104 wrote to memory of 4088	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	100
PID 3104 wrote to memory of 4180	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	101
PID 3104 wrote to memory of 4180	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	101
PID 3104 wrote to memory of 4180	3104	{51790225-4CDA-4a21-B438-B62ACA698470}.exe	101
PID 4088 wrote to memory of 3864	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	103
PID 4088 wrote to memory of 3864	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	103
PID 4088 wrote to memory of 3864	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	103
PID 4088 wrote to memory of 2092	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	104
PID 4088 wrote to memory of 2092	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	104
PID 4088 wrote to memory of 2092	4088	{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe	104
PID 3864 wrote to memory of 1156	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	106
PID 3864 wrote to memory of 1156	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	106
PID 3864 wrote to memory of 1156	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	106
PID 3864 wrote to memory of 4900	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	107
PID 3864 wrote to memory of 4900	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	107
PID 3864 wrote to memory of 4900	3864	{1F119868-921C-43c4-BE24-552A7E43DF35}.exe	107
PID 1156 wrote to memory of 2700	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	108
PID 1156 wrote to memory of 2700	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	108
PID 1156 wrote to memory of 2700	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	108
PID 1156 wrote to memory of 4592	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	109
PID 1156 wrote to memory of 4592	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	109
PID 1156 wrote to memory of 4592	1156	{B51BB0A5-977F-4989-B888-04C597E62E55}.exe	109
PID 2700 wrote to memory of 832	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	110
PID 2700 wrote to memory of 832	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	110
PID 2700 wrote to memory of 832	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	110
PID 2700 wrote to memory of 400	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	111
PID 2700 wrote to memory of 400	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	111
PID 2700 wrote to memory of 400	2700	{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe	111
PID 832 wrote to memory of 3004	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	112
PID 832 wrote to memory of 3004	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	112
PID 832 wrote to memory of 3004	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	112
PID 832 wrote to memory of 3428	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	113
PID 832 wrote to memory of 3428	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	113
PID 832 wrote to memory of 3428	832	{5C864404-D152-411f-A454-4349B1BF3612}.exe	113
PID 3004 wrote to memory of 1964	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	114
PID 3004 wrote to memory of 1964	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	114
PID 3004 wrote to memory of 1964	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	114
PID 3004 wrote to memory of 2192	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	115
PID 3004 wrote to memory of 2192	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	115
PID 3004 wrote to memory of 2192	3004	{A2096729-6A14-417c-84A9-FABC8B119506}.exe	115
PID 1964 wrote to memory of 2036	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	116
PID 1964 wrote to memory of 2036	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	116
PID 1964 wrote to memory of 2036	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	116
PID 1964 wrote to memory of 2108	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	117
PID 1964 wrote to memory of 2108	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	117
PID 1964 wrote to memory of 2108	1964	{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe	117
PID 2036 wrote to memory of 5100	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	118
PID 2036 wrote to memory of 5100	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	118
PID 2036 wrote to memory of 5100	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	118
PID 2036 wrote to memory of 3520	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	119
PID 2036 wrote to memory of 3520	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	119
PID 2036 wrote to memory of 3520	2036	{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe	119
PID 5100 wrote to memory of 3948	5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe	120
PID 5100 wrote to memory of 3948	5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe	120
PID 5100 wrote to memory of 3948	5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe	120
PID 5100 wrote to memory of 4428	5100	{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_de2f7d8796c1a582c314f11f98351e18_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{51790225-4CDA-4a21-B438-B62ACA698470}.exe
  C:\Windows\{51790225-4CDA-4a21-B438-B62ACA698470}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
    C:\Windows\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
      C:\Windows\{1F119868-921C-43c4-BE24-552A7E43DF35}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
        
        C:\Windows\{B51BB0A5-977F-4989-B888-04C597E62E55}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
        
        C:\Windows\{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{5C864404-D152-411f-A454-4349B1BF3612}.exe
        
        C:\Windows\{5C864404-D152-411f-A454-4349B1BF3612}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{A2096729-6A14-417c-84A9-FABC8B119506}.exe
        
        C:\Windows\{A2096729-6A14-417c-84A9-FABC8B119506}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
        
        C:\Windows\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
        
        C:\Windows\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe
        
        C:\Windows\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
        
        C:\Windows\{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe
        
        C:\Windows\{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe
        13⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B72~1.EXE > nul
        13⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69BD7~1.EXE > nul
        12⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{999BA~1.EXE > nul
        11⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB7~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2096~1.EXE > nul
        9⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C864~1.EXE > nul
        8⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51E94~1.EXE > nul
        7⤵
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B51BB~1.EXE > nul
        6⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F119~1.EXE > nul
        5⤵
        
        PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3160~1.EXE > nul
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51790~1.EXE > nul
    3⤵
    PID:4180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F119868-921C-43c4-BE24-552A7E43DF35}.exe

Filesize
408KB

MD5
e77832c314bbcc39f630343892b6fb36

SHA1
e75be08810e1182ae864286159b825de4dface04

SHA256
9fccdb103e579dc77c68bed32624149a61a9259af7235e3b20a1e5fbe1e700b2

SHA512
21f94fc769ede304b4ee5222db1354c34705df354b901d475756c82215ed8bbb2150fb74e16012b899d05a02811436e9e2b4e8e0bf262ecfa7a94fdb6f154ce4

Download Submit
C:\Windows\{411C3671-7E1A-4efa-8990-EFC3929E4B18}.exe

Filesize
408KB

MD5
048eba7e4aef77b7c421e9377128a434

SHA1
7e90062f6ba6925f1b4d250e05e6ae338112dbbd

SHA256
9552ad93401d3a32c0c89a9936a5861e11c53cc1f8c3912baeb0ffc1b309eeff

SHA512
a13d4021b522d5bae8ce2d454bb1ea515fcf4b0af33be9184b4d6395438183a491780e30a54e8d21a358bcae2c28c50fad28d02c0af6faeba24478e7a5f6927e

Download Submit
C:\Windows\{4BAB74F4-5DB9-455f-AF96-54CF4E2C5696}.exe

Filesize
408KB

MD5
5d5705c48f4b49b8203da96b344bf58c

SHA1
b87e1c80e3b262209b4e31d84bc4ae46db56c391

SHA256
0b9f723baaf45441c128f69a63859f66230be9f4c2eb0e7e800a542978d67a54

SHA512
ba530621bb1df97f47494c2e990cd158e33d249e70e55ead1f4f74f0955941a4209165132b2d8eedf523d4858bc3daf3e5e49ba483b6df16f4f7c652aee2ac2c

Download Submit
C:\Windows\{51790225-4CDA-4a21-B438-B62ACA698470}.exe

Filesize
408KB

MD5
40a7e1adb14721e29d9fd7a4292c8202

SHA1
1f3495bd5a7480d7ce72d8f70b66bc5389266cf8

SHA256
89dc7a1ad50cff39c321fa1e779585343a3a79541ca9ace8ef2f9216af0e04ff

SHA512
422df0b65aaa8fd46fa32bee763f33da44f28239d672977ddcf2d85e4b224743bb92b88ad4f90cbe3c9e521ddc5bf45f2e964842fda5d43c5983f43aed0778d2

Download Submit
C:\Windows\{51E94709-5DF3-49cf-B35E-8E38C94869D5}.exe

Filesize
408KB

MD5
57f01557463fcc5c5c6c5d94ceb437cb

SHA1
7f84507083c8485df9d4048cb4d8611d158511cd

SHA256
cff4c34bea4aed29602995a2d55f1f4079727d68fc438fda637bf141b11307f7

SHA512
dbe0d8cce90337b258138c5191b7c1ff8a691ed8d01894affb1124bd93733f3c78cf8623c5f4cf3ce306d6e2e93543a1ced4911441f71620f8433eec26fdabef

Download Submit
C:\Windows\{5C864404-D152-411f-A454-4349B1BF3612}.exe

Filesize
408KB

MD5
c0f26b3f220b4a1cf675d37887b25385

SHA1
804d5135c2a8b9272f957ac021cf1676c0f3abc7

SHA256
45dcdaf46f40fd32ca5681f6b91be2ced62d2f7243d412460e60b914587f7735

SHA512
2538173121703f33aaf21960cf8dd1b74d6f2a03be6f1672e541282128333eb4fc7b61c6cec9fe264adbe015d71f2eb85b09393adc64f1cd53d554d013f9b593

Download Submit
C:\Windows\{69BD7B72-D4F2-4aeb-B30F-99491BE3EFEE}.exe

Filesize
408KB

MD5
439f4815bdb5a51e69b10709891156fe

SHA1
10b11b820c505321ad84a4b89a4cc1762726059a

SHA256
88545b05a5e60ba58c298ebd29aa6c4fbd030ddee3162b90d0b5b2e6158e248c

SHA512
c8e20cfe233b5b508c7df148fda20c905dddd2e427637eccff3b8622947dfb916d091476de429ac06ce75c2be97f9a4b24770edf98a7952c527087d19c7d97a0

Download Submit
C:\Windows\{999BA0DC-74D8-4c68-AFA8-49E5DEAA5BD4}.exe

Filesize
408KB

MD5
dc53cfd35d40fdd503c8387fbf8f5034

SHA1
a01156a3e7754471856143fa7473c13f55265e22

SHA256
4ddfa28e391639e1a25c77f597215e5b8b9dbecce95be75807b7bfb1a880ecc0

SHA512
58015682c03d5a6f790ce7146bd5d623f0af6eafb65b829cbaa1f0e99e9de5966b4cc2b98b2b17b016ab27a97d087072e969c6abd8eb0acba84de65775418ee3

Download Submit
C:\Windows\{A2096729-6A14-417c-84A9-FABC8B119506}.exe

Filesize
408KB

MD5
03db26637a99706c4706b72510065349

SHA1
aea68bb0bf2706f7863fe649be416668f04ac5a1

SHA256
9437965e5cb221071a3debed0500daacb1a2e9f337d5c20f7f16a1506843bcaf

SHA512
446ee236483c117da1c21bb2ef778c94bf9e3d821ed33b5fe9673ee1baa73f5eabfa1e32f14bdaf6bcfb0851da3fc183bbefa59ded5cbdc6afbcecef71030ab4

Download Submit
C:\Windows\{B31609A1-BD60-42f3-B2E9-3AF3968E1765}.exe

Filesize
408KB

MD5
8afd358cd5ca138fd305ede61198d214

SHA1
537effc81536d5c74c7120a2f753e90e7043d3be

SHA256
40a39c2ae228971dd535866ecfee7a31da85724be1f8b37a59587deaa40fbb8a

SHA512
bbd0631990af674dd44591d1097f0536fd06cfc1bd727c630fc9afcef206407350519ac597058f10a435c699e618f0a3eebcb1310e12aed22db0aba35add92b0

Download Submit
C:\Windows\{B51BB0A5-977F-4989-B888-04C597E62E55}.exe

Filesize
408KB

MD5
89280d15fe0a1a72e40bee474fd1513e

SHA1
b57f764084cc819c227b30096b874287a183baa7

SHA256
e80bca136721f870aa83320dfaa2cb62dc9cf136bbeb57f17c53045bfc342507

SHA512
5c15d61febb79322f666f731706ea38dfc99bb450abf2fce3728fd25bd3cbff679ea3c6b3e9cdc39444b97a87d04245288352ac52c23aa79d2e36a2585630eca

Download Submit
C:\Windows\{E6B72D6C-8754-4451-8321-E9B20F9B5194}.exe

Filesize
408KB

MD5
c46ab898465999293c90b6a33d36257d

SHA1
1fc23cfe7a1e3f54e6527b3ab69cb85e3954f789

SHA256
0d1de63a0120d56d2e84c79e1a778ab295dc587654e465f7a51f26753adc0b81

SHA512
d7da4dd273a4ab2e17823706687747642be1d82ae03e320ef72f1983b3d434b5290a3152e48aaaa2d6d1baaceca4a81eaedf18bd36ad3d3f285e022d24d8679d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads