64b8ea43b8e01a7d26218ffd978b50522b468b397e1c7abc2a0053e96540a2ca

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
Size

168KB
MD5

aecff9c7bcf17235e27b7eb094342b77
SHA1

b3411fa20ba689d3a4202617fcbdcecedcf473f0
SHA256

64b8ea43b8e01a7d26218ffd978b50522b468b397e1c7abc2a0053e96540a2ca
SHA512

9385972905ef1e96909ee6b3d28c972cb8cea3828e31010f1b443992405b5e9b348378c68c59e4d685e09095164456bc8e0cbce0da9774a7583090cc99f313c2
SSDEEP

1536:1EGh0ogwli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002324b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023252-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023259-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002325e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016fa5-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19C12021-BC43-4ab8-995D-3430EE807FDB}\stubpath = "C:\\Windows\\{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe"	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}\stubpath = "C:\\Windows\\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe"	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}\stubpath = "C:\\Windows\\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe"	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00F49B20-25E8-4d60-873E-C043095F6D71}	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1174F619-2C04-439d-BE48-2900F549739A}\stubpath = "C:\\Windows\\{1174F619-2C04-439d-BE48-2900F549739A}.exe"	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534782FF-346E-425e-B9C0-5F404C8D3DD7}	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534782FF-346E-425e-B9C0-5F404C8D3DD7}\stubpath = "C:\\Windows\\{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe"	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19C12021-BC43-4ab8-995D-3430EE807FDB}	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00F49B20-25E8-4d60-873E-C043095F6D71}\stubpath = "C:\\Windows\\{00F49B20-25E8-4d60-873E-C043095F6D71}.exe"	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3771B770-07AF-46eb-A59A-7BD5C9077172}	{1174F619-2C04-439d-BE48-2900F549739A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30DE225D-699A-468a-9B2D-C22E46C03AF0}	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30DE225D-699A-468a-9B2D-C22E46C03AF0}\stubpath = "C:\\Windows\\{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe"	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1174F619-2C04-439d-BE48-2900F549739A}	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3771B770-07AF-46eb-A59A-7BD5C9077172}\stubpath = "C:\\Windows\\{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe"	{1174F619-2C04-439d-BE48-2900F549739A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}\stubpath = "C:\\Windows\\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe"	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}\stubpath = "C:\\Windows\\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe"	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}\stubpath = "C:\\Windows\\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe"	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe

Executes dropped EXE 11 IoCs

pid	Process
4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe
4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
788	{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
File created	C:\Windows\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
File created	C:\Windows\{1174F619-2C04-439d-BE48-2900F549739A}.exe	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
File created	C:\Windows\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
File created	C:\Windows\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
File created	C:\Windows\{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
File created	C:\Windows\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
File created	C:\Windows\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
File created	C:\Windows\{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
File created	C:\Windows\{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
File created	C:\Windows\{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe	{1174F619-2C04-439d-BE48-2900F549739A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
Token: SeIncBasePriorityPrivilege	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
Token: SeIncBasePriorityPrivilege	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
Token: SeIncBasePriorityPrivilege	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
Token: SeIncBasePriorityPrivilege	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
Token: SeIncBasePriorityPrivilege	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
Token: SeIncBasePriorityPrivilege	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
Token: SeIncBasePriorityPrivilege	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
Token: SeIncBasePriorityPrivilege	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe
Token: SeIncBasePriorityPrivilege	4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4456	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	92
PID 3500 wrote to memory of 4456	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	92
PID 3500 wrote to memory of 4456	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	92
PID 3500 wrote to memory of 4584	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	93
PID 3500 wrote to memory of 4584	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	93
PID 3500 wrote to memory of 4584	3500	2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe	93
PID 4456 wrote to memory of 3852	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	97
PID 4456 wrote to memory of 3852	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	97
PID 4456 wrote to memory of 3852	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	97
PID 4456 wrote to memory of 3080	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	98
PID 4456 wrote to memory of 3080	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	98
PID 4456 wrote to memory of 3080	4456	{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe	98
PID 3852 wrote to memory of 3748	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	103
PID 3852 wrote to memory of 3748	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	103
PID 3852 wrote to memory of 3748	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	103
PID 3852 wrote to memory of 956	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	104
PID 3852 wrote to memory of 956	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	104
PID 3852 wrote to memory of 956	3852	{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe	104
PID 3748 wrote to memory of 2864	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	105
PID 3748 wrote to memory of 2864	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	105
PID 3748 wrote to memory of 2864	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	105
PID 3748 wrote to memory of 2252	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	106
PID 3748 wrote to memory of 2252	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	106
PID 3748 wrote to memory of 2252	3748	{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe	106
PID 2864 wrote to memory of 1800	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	107
PID 2864 wrote to memory of 1800	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	107
PID 2864 wrote to memory of 1800	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	107
PID 2864 wrote to memory of 2984	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	108
PID 2864 wrote to memory of 2984	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	108
PID 2864 wrote to memory of 2984	2864	{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe	108
PID 1800 wrote to memory of 3144	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	109
PID 1800 wrote to memory of 3144	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	109
PID 1800 wrote to memory of 3144	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	109
PID 1800 wrote to memory of 4872	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	110
PID 1800 wrote to memory of 4872	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	110
PID 1800 wrote to memory of 4872	1800	{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe	110
PID 3144 wrote to memory of 2076	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	111
PID 3144 wrote to memory of 2076	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	111
PID 3144 wrote to memory of 2076	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	111
PID 3144 wrote to memory of 1980	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	112
PID 3144 wrote to memory of 1980	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	112
PID 3144 wrote to memory of 1980	3144	{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe	112
PID 2076 wrote to memory of 5052	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	113
PID 2076 wrote to memory of 5052	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	113
PID 2076 wrote to memory of 5052	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	113
PID 2076 wrote to memory of 3916	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	114
PID 2076 wrote to memory of 3916	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	114
PID 2076 wrote to memory of 3916	2076	{00F49B20-25E8-4d60-873E-C043095F6D71}.exe	114
PID 5052 wrote to memory of 4732	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	115
PID 5052 wrote to memory of 4732	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	115
PID 5052 wrote to memory of 4732	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	115
PID 5052 wrote to memory of 4104	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	116
PID 5052 wrote to memory of 4104	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	116
PID 5052 wrote to memory of 4104	5052	{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe	116
PID 4732 wrote to memory of 4148	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	117
PID 4732 wrote to memory of 4148	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	117
PID 4732 wrote to memory of 4148	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	117
PID 4732 wrote to memory of 4380	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	118
PID 4732 wrote to memory of 4380	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	118
PID 4732 wrote to memory of 4380	4732	{1174F619-2C04-439d-BE48-2900F549739A}.exe	118
PID 4148 wrote to memory of 788	4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe	119
PID 4148 wrote to memory of 788	4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe	119
PID 4148 wrote to memory of 788	4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe	119
PID 4148 wrote to memory of 1796	4148	{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_aecff9c7bcf17235e27b7eb094342b77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
  C:\Windows\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
    C:\Windows\{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
      C:\Windows\{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
        
        C:\Windows\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
        
        C:\Windows\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
        
        C:\Windows\{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
        
        C:\Windows\{00F49B20-25E8-4d60-873E-C043095F6D71}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
        
        C:\Windows\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{1174F619-2C04-439d-BE48-2900F549739A}.exe
        
        C:\Windows\{1174F619-2C04-439d-BE48-2900F549739A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
        
        C:\Windows\{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe
        
        C:\Windows\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe
        12⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3771B~1.EXE > nul
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1174F~1.EXE > nul
        11⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36FF3~1.EXE > nul
        10⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00F49~1.EXE > nul
        9⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30DE2~1.EXE > nul
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E4CF~1.EXE > nul
        7⤵
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C29DF~1.EXE > nul
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19C12~1.EXE > nul
        5⤵
        
        PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53478~1.EXE > nul
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72B07~1.EXE > nul
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00F49B20-25E8-4d60-873E-C043095F6D71}.exe

Filesize
168KB

MD5
917a7c167d46f085c01111c94b5369a6

SHA1
02e0b9dd2f77860d613c847114c42b9b80964944

SHA256
32f5b0a1f54ba44cd1ae6d78fac7a99a12438f8033d157a955af9828b642a624

SHA512
baaea05e491f1b8e603603f6de252a8a3016523f620078a2a59291b033d99d6ffacb9be39d87b838e0e548f3027f92ce8e96e071ad74a913e2162543b75d3352

Download Submit
C:\Windows\{0799F9DF-CA5C-49bf-AA81-26B87562D3FA}.exe

Filesize
168KB

MD5
1cabde3416cfc8d7a0a871468ca56f60

SHA1
17a7b8e40207f6aca743b848af7f762d385e2c8a

SHA256
033ffb8f2437bd72836f0347caac9b07272d45ae4a0abd0c9598616e133aa6a3

SHA512
0fec8fdae11dba346f5d9924e72da12ac37af8ccf3784255a66cb80c98f070f0dacbbe28b16d2588b5c31fcfaa86053cceb4ee3a0c0f9263f02d243972f00818

Download Submit
C:\Windows\{1174F619-2C04-439d-BE48-2900F549739A}.exe

Filesize
168KB

MD5
3345295e85444b78ed6918baca3d64f0

SHA1
b521fb398a08ce07184f1dfcbab9ec61a00f722b

SHA256
f956e98f1167bd460393be199494d828040fab721536f4918500f61584e35c28

SHA512
8f9da8fe724a9598549d898a7f53d2a831f2a37d11c5606ebef9a53db731c85befca1e204787eae502b67ab2fad1067b44d35c3ebf24b198ff2f62bd530e5f9f

Download Submit
C:\Windows\{19C12021-BC43-4ab8-995D-3430EE807FDB}.exe

Filesize
168KB

MD5
636cbdcba0f72e77d63435fae5a147fb

SHA1
4a438d9e72058f127dcdc50bb893a4abb1aca195

SHA256
40df27991957eea9a8a5b67cd8f46a135dc67e0cb8ce94676187cfedc04e32fa

SHA512
1a7933f937f49b69e4b749e4c23941a9fe0013e76192040d8fbcb91b62cb4afb297d60be0d80488a99e06d1705456d96102e1c69f319791612b6558f2d6b9125

Download Submit
C:\Windows\{2E4CFA84-B97E-459a-B60B-43FFB5612AC1}.exe

Filesize
168KB

MD5
b41aa98d986dbbf284554016249688b2

SHA1
fc7f1b797eaa465f1b829a2fc0a816fef4380fcc

SHA256
64e147b9162129d02048876344a4deffec0959c0fc076fe6637560ab886f13a3

SHA512
c1750eac658cd96261b2f3963204158e0e23c1be5d036c355b28ed7f18647d15311a7c6178493ff3723f5614420557cdcf7ea55549206c3872228616e3845f9f

Download Submit
C:\Windows\{30DE225D-699A-468a-9B2D-C22E46C03AF0}.exe

Filesize
168KB

MD5
6fe2f5b8c9ecfbb91eea2f53dabf2476

SHA1
fd3b79174d248daca154b60572c59e294c2728f4

SHA256
49777958d515460d288c5e3aa06e9870a2ccc0a37e6c19f9de814811b70147f1

SHA512
92b16776667fcd5aa1b88e77ea53ebbbac40678605713c70d02017bb6e21ade09b0c7a9d2e2fb091bad313b8cea2679dc5ca6edd35632a23951a991db53fffc5

Download Submit
C:\Windows\{36FF3B5E-8B41-4264-ADEF-BF0D5B14F1A1}.exe

Filesize
168KB

MD5
2443061adbdf8d4afa1a2fda0cf6f2fb

SHA1
79585299e55cc3bff63cf829235a713da3c45ee3

SHA256
f2544e8b953c8c14f711c8a72b34283ea76e1f633529ac3cff440584c3b187ff

SHA512
38b059cbf167cfd25f73b222ef7fa69a4b3042c7acdd1bd3c82f38d02c370a219bb101090b4e416d7eecce7c122d2888966ccf53407daffc32a68fd63869ecb7

Download Submit
C:\Windows\{3771B770-07AF-46eb-A59A-7BD5C9077172}.exe

Filesize
168KB

MD5
e60ec4b4e0bdbad9fba6ebad5df70328

SHA1
919043abf4ddf6ca8999161c7167e843e452142d

SHA256
c9ad6a685969bb86117fdaec54957ce1e8831334f652ce8705bd3ae7b7999f9c

SHA512
01a78336b781914d01b1d3c1b601cb67735135a94d0bf32f694adac623b5b206d1fcb11c778bfe3bb8cf2cf50cb3ed8d1ea2f9d53a320414f9c770bcfedab7d1

Download Submit
C:\Windows\{534782FF-346E-425e-B9C0-5F404C8D3DD7}.exe

Filesize
168KB

MD5
3d5629d8023a95f223f6d9ef72c7b3be

SHA1
fa68f3de9553709169987998008c9b01f6ec250f

SHA256
570cfc27900cd76b972061ece1c068ef7bf48731bb7007e9274e78836a20c8cf

SHA512
42cb464e62c9e213cb6e6d51ae1abaa48ac1398f2fd21a2e3631b588344a097cbf45aa89d8bce18af04f82d121d26ac5ab8ff5ec525ca5576f108aee20c098a1

Download Submit
C:\Windows\{72B0764F-8261-43dd-B6F9-E0DA45E4DA53}.exe

Filesize
168KB

MD5
36449f6916fa5d073ce5b2075927f378

SHA1
f91d1394bbab98ffaa54e966838129bcbd9d8717

SHA256
4b0612a1612012e536e8da61202cc5655f0301cd81ec30127ae6b9ad1e7d26f6

SHA512
498385971ee82034ea89efc07c24297aa853de6f1d223c93930c70cc63fffb2002ee36d1a81f4cd4d4c48ebd85c84ec46d1d223f75f13784f1e3ffa5db465b04

Download Submit
C:\Windows\{C29DFD5D-DFBA-4b4c-BA1B-3FA52172CC54}.exe

Filesize
168KB

MD5
1fda8b92af3425287dcd56568eb5dbf2

SHA1
1c10b9f6a542b4552561cf73ee3593d1a271e164

SHA256
1e8771a74db78ec51a5f1b893d75906e7eef74a0c2a2e29e0f2f1d47ae98ffb2

SHA512
b5c195e52a2827b07d65d1d85bde4e6841a79c66124c39f86b48f594be0d8b0fba482ed736299d1f5087c2429c771f20d1d5affda28743a72f767a59053fd85e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads