eaca20c4a8c4d1fe88a6593428ea4ca1435aef1d63e07772977c84042eff214f

Analysis

max time kernel
157s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
Size

408KB
MD5

745c66c09b9f15caa0e17a067067d5d7
SHA1

6e36f552b1aa27e7feecf2abaa1babae7566869d
SHA256

eaca20c4a8c4d1fe88a6593428ea4ca1435aef1d63e07772977c84042eff214f
SHA512

b6d1fabd38c90e33ee63170341a7ffe0cf67687b556a285127f40f7d184a11c2b7b0d661d3afb5143caf484befc9505d11c42d4fd6445e8b6e12a222814d6dae
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGildOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022775-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002310f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023117-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002311a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023117-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A195D3EE-F293-4b28-B293-F49C1205A684}	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}\stubpath = "C:\\Windows\\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe"	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212AFCF1-F70C-46a3-8117-A643F25852B7}\stubpath = "C:\\Windows\\{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe"	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E927C03D-B229-4a98-970E-03A459982CCF}\stubpath = "C:\\Windows\\{E927C03D-B229-4a98-970E-03A459982CCF}.exe"	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD11F145-4A83-4052-ABFF-CF9012BD7891}	{E927C03D-B229-4a98-970E-03A459982CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD11F145-4A83-4052-ABFF-CF9012BD7891}\stubpath = "C:\\Windows\\{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe"	{E927C03D-B229-4a98-970E-03A459982CCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A195D3EE-F293-4b28-B293-F49C1205A684}\stubpath = "C:\\Windows\\{A195D3EE-F293-4b28-B293-F49C1205A684}.exe"	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}\stubpath = "C:\\Windows\\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe"	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA204C83-A34D-42b2-897A-3FCD672E6378}\stubpath = "C:\\Windows\\{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe"	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212AFCF1-F70C-46a3-8117-A643F25852B7}	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3E934D-2657-428f-A323-FD1BC01557BC}	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A68AEFD-B896-466c-9410-F2E12996C347}\stubpath = "C:\\Windows\\{9A68AEFD-B896-466c-9410-F2E12996C347}.exe"	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3E934D-2657-428f-A323-FD1BC01557BC}\stubpath = "C:\\Windows\\{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe"	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA204C83-A34D-42b2-897A-3FCD672E6378}	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}\stubpath = "C:\\Windows\\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe"	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A68AEFD-B896-466c-9410-F2E12996C347}	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E927C03D-B229-4a98-970E-03A459982CCF}	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731FB456-B2D7-43fd-B568-1BE7C825A76B}	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731FB456-B2D7-43fd-B568-1BE7C825A76B}\stubpath = "C:\\Windows\\{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe"	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe

Executes dropped EXE 11 IoCs

pid	Process
3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe
2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
4848	{A195D3EE-F293-4b28-B293-F49C1205A684}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
File created	C:\Windows\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
File created	C:\Windows\{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
File created	C:\Windows\{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
File created	C:\Windows\{A195D3EE-F293-4b28-B293-F49C1205A684}.exe	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
File created	C:\Windows\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
File created	C:\Windows\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
File created	C:\Windows\{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
File created	C:\Windows\{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
File created	C:\Windows\{E927C03D-B229-4a98-970E-03A459982CCF}.exe	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
File created	C:\Windows\{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	{E927C03D-B229-4a98-970E-03A459982CCF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
Token: SeIncBasePriorityPrivilege	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
Token: SeIncBasePriorityPrivilege	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
Token: SeIncBasePriorityPrivilege	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
Token: SeIncBasePriorityPrivilege	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
Token: SeIncBasePriorityPrivilege	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
Token: SeIncBasePriorityPrivilege	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
Token: SeIncBasePriorityPrivilege	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe
Token: SeIncBasePriorityPrivilege	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
Token: SeIncBasePriorityPrivilege	2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 3140	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	87
PID 484 wrote to memory of 3140	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	87
PID 484 wrote to memory of 3140	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	87
PID 484 wrote to memory of 4376	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	88
PID 484 wrote to memory of 4376	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	88
PID 484 wrote to memory of 4376	484	2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe	88
PID 3140 wrote to memory of 3588	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	96
PID 3140 wrote to memory of 3588	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	96
PID 3140 wrote to memory of 3588	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	96
PID 3140 wrote to memory of 528	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	97
PID 3140 wrote to memory of 528	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	97
PID 3140 wrote to memory of 528	3140	{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe	97
PID 3588 wrote to memory of 656	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	100
PID 3588 wrote to memory of 656	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	100
PID 3588 wrote to memory of 656	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	100
PID 3588 wrote to memory of 4980	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	101
PID 3588 wrote to memory of 4980	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	101
PID 3588 wrote to memory of 4980	3588	{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe	101
PID 656 wrote to memory of 4584	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	102
PID 656 wrote to memory of 4584	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	102
PID 656 wrote to memory of 4584	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	102
PID 656 wrote to memory of 2540	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	103
PID 656 wrote to memory of 2540	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	103
PID 656 wrote to memory of 2540	656	{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe	103
PID 4584 wrote to memory of 4772	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	104
PID 4584 wrote to memory of 4772	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	104
PID 4584 wrote to memory of 4772	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	104
PID 4584 wrote to memory of 2588	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	105
PID 4584 wrote to memory of 2588	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	105
PID 4584 wrote to memory of 2588	4584	{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe	105
PID 4772 wrote to memory of 4000	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	106
PID 4772 wrote to memory of 4000	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	106
PID 4772 wrote to memory of 4000	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	106
PID 4772 wrote to memory of 1940	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	107
PID 4772 wrote to memory of 1940	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	107
PID 4772 wrote to memory of 1940	4772	{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe	107
PID 4000 wrote to memory of 4236	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	108
PID 4000 wrote to memory of 4236	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	108
PID 4000 wrote to memory of 4236	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	108
PID 4000 wrote to memory of 1944	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	109
PID 4000 wrote to memory of 1944	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	109
PID 4000 wrote to memory of 1944	4000	{9A68AEFD-B896-466c-9410-F2E12996C347}.exe	109
PID 4236 wrote to memory of 3468	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	110
PID 4236 wrote to memory of 3468	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	110
PID 4236 wrote to memory of 3468	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	110
PID 4236 wrote to memory of 1768	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	111
PID 4236 wrote to memory of 1768	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	111
PID 4236 wrote to memory of 1768	4236	{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe	111
PID 3468 wrote to memory of 2612	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	113
PID 3468 wrote to memory of 2612	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	113
PID 3468 wrote to memory of 2612	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	113
PID 3468 wrote to memory of 1452	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	112
PID 3468 wrote to memory of 1452	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	112
PID 3468 wrote to memory of 1452	3468	{E927C03D-B229-4a98-970E-03A459982CCF}.exe	112
PID 2612 wrote to memory of 2496	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	115
PID 2612 wrote to memory of 2496	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	115
PID 2612 wrote to memory of 2496	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	115
PID 2612 wrote to memory of 4672	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	114
PID 2612 wrote to memory of 4672	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	114
PID 2612 wrote to memory of 4672	2612	{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe	114
PID 2496 wrote to memory of 4848	2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe	116
PID 2496 wrote to memory of 4848	2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe	116
PID 2496 wrote to memory of 4848	2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe	116
PID 2496 wrote to memory of 1640	2496	{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_745c66c09b9f15caa0e17a067067d5d7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
  C:\Windows\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
    C:\Windows\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
      C:\Windows\{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
        
        C:\Windows\{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
        
        C:\Windows\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
        
        C:\Windows\{9A68AEFD-B896-466c-9410-F2E12996C347}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
        
        C:\Windows\{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{E927C03D-B229-4a98-970E-03A459982CCF}.exe
        
        C:\Windows\{E927C03D-B229-4a98-970E-03A459982CCF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E927C~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
        
        C:\Windows\{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD11F~1.EXE > nul
        11⤵
        
        PID:4672
        
        C:\Windows\{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
        
        C:\Windows\{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{A195D3EE-F293-4b28-B293-F49C1205A684}.exe
        
        C:\Windows\{A195D3EE-F293-4b28-B293-F49C1205A684}.exe
        12⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{731FB~1.EXE > nul
        12⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{212AF~1.EXE > nul
        9⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A68A~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD17F~1.EXE > nul
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA204~1.EXE > nul
        6⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F3E9~1.EXE > nul
        5⤵
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C5464~1.EXE > nul
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31EDF~1.EXE > nul
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F3E934D-2657-428f-A323-FD1BC01557BC}.exe

Filesize
408KB

MD5
568deeebb2d458d2ce4dd1136f0336a4

SHA1
03829f5324743e2107c10dcdcb815929f3d3ea9f

SHA256
268a3fbcc30a63d99b2334365fbc130c9854f7c42d6f126d8bf6fdbbb073b4ca

SHA512
ea9ff8b213048229c43243a0125f1f504b5c6659d6f2f9424366529848eb0a1a216c0506336564f27dba5c380fc408dd69544fa8ddf8f393147bc6b6e8f3bd1e

Download Submit
C:\Windows\{212AFCF1-F70C-46a3-8117-A643F25852B7}.exe

Filesize
408KB

MD5
dae2380da40876abf557f1a59e4080e2

SHA1
a6408c7c988bc385fa95010191faf95fa8642485

SHA256
18ac2033bc364921757221f334b32d8c6d90421d6ae34cc6cfa19cabb23c1f54

SHA512
a091810891b5155663bb2a189cca55a146ce69a50b24215d8cab2d062a88c34db43b4a10f80c23240403db225d64c4594300172fec1aaf23a0d30a79f27d3014

Download Submit
C:\Windows\{31EDF5BC-3CC0-41fc-B6C4-58A340F66653}.exe

Filesize
408KB

MD5
dfac3dcfa5fe686a6718c856db7bc733

SHA1
94300c8279e3197d04651fca710485312f5588a8

SHA256
4c578669435adc0f860b7cbbb6d16331ebcad280cc51ed75d88693917fad8802

SHA512
740ae380d9977bbd4ac125c7226ca24f91f527980f9639fcc6dcfba60029f14d9a82e974e7cea3c5579a8e516a02e1965e5a2fd92ba541f077e71b9e3cd7b854

Download Submit
C:\Windows\{731FB456-B2D7-43fd-B568-1BE7C825A76B}.exe

Filesize
408KB

MD5
a796d986e764ce0b85109b001da0ddc0

SHA1
1cd81a79f9db83bd25005dcd5d5261a915745081

SHA256
0252da35120153b30bd0d8798dee3f440a74b31abc2a2877f2e9c47e673d7339

SHA512
e9c0668c527094ec082d1ced13c04e7f474162598e210b4b59d57811b344731ea8bff7f8cfe4cccd8669ff0dfd490fcc5738ee0841cb0399555fb4ccec1b1438

Download Submit
C:\Windows\{9A68AEFD-B896-466c-9410-F2E12996C347}.exe

Filesize
408KB

MD5
ec330c428bbaef4ad4e282d205a6f3e3

SHA1
35070045258c33c127b4709c741c889d9a9c1a3c

SHA256
5f45abe9d23fba4953e3bd1ee8ab122054190d32e64b7d00834867b628ce9c03

SHA512
d4e8a1f4e3e338c6478748996e600f523b30737f48ee681baa5a7f05caf1e9d020af8a284751ebc8699ea0724cc0d21f70ed5ebb8e15497dbc5aee64d56efcb4

Download Submit
C:\Windows\{A195D3EE-F293-4b28-B293-F49C1205A684}.exe

Filesize
408KB

MD5
524588aa62f86f3ba250ddd013e1e6d8

SHA1
55169ca8cc4913679aba8fa4573d80840b19351b

SHA256
470e8685af2b61fe845b6b5a3349d90b2b97e553b2a5af54ac240ba53f73efbe

SHA512
e6ffb3a9fb2d2e37046247003df8acaea696f319a7570aa23ca84a85f0d1f9eee7bd8691d957f5f889797956acdf353c2c7728bb257a9436e0b10a6ab5fa8c47

Download Submit
C:\Windows\{BD11F145-4A83-4052-ABFF-CF9012BD7891}.exe

Filesize
408KB

MD5
90dab61717872fc7f4f10c46c73d6605

SHA1
49dc882ffbedd57eac784549d743a166f848a898

SHA256
4618ab07de5a701dd9d95e3b0514318121114056e4255a7b23267dedc6996661

SHA512
de1186972b0cc49f4be5ea1e60fb28c2d55e87318b2ff72a1aa4fb507127d89b9507a4c5393e9be22374c6e1b5bb37af7da04cca182a25c2b248b9d760c35170

Download Submit
C:\Windows\{C546487E-D10C-4d0a-84FF-9B9BDBF79C50}.exe

Filesize
408KB

MD5
e668057e8b62040190ff9f03daaebda6

SHA1
e4ebe2bdd0ffee398e85d8cc7ffb39b97815d725

SHA256
3c5549097ed882cc1226399350f1059575e2cdbcca7676f031e6453dff7624f2

SHA512
88e07b847614d3b72142bde674f675d82300a24fdf159dfbcdd4680ae1d75a20a7aba8c1c867f1f1430698b90e0e92da3318421d32ee2e40bcec2d123954beff

Download Submit
C:\Windows\{CD17F4BF-A64C-4f45-AA04-F6A25CFAB55B}.exe

Filesize
408KB

MD5
5580948208848c4615c8c9361c33f7bf

SHA1
dbf9b399ebcd7fc49c6933600e899b9d8ccb3c83

SHA256
fe18c1e1adc4eade91855b0ae7bef47fa740d3c9e47128d95e9e62561f21d7a4

SHA512
71a85e5a5e0d57edade31392a80d63d7040ea639b7ea37645c5752ad231b213fc3a60e36772c7006d2522e252fe0de9faf058d3296192e0826338b7b63c3e420

Download Submit
C:\Windows\{DA204C83-A34D-42b2-897A-3FCD672E6378}.exe

Filesize
408KB

MD5
969f1ece6a80e42ac955ee44fd052191

SHA1
5ee460698008ff750256e8d304babb95dc63c170

SHA256
6873c9932211bbe79dba55e90d5eb9cfc56f9787538dec9a8d9fdd676ceb6841

SHA512
589924cf49688f87397935cc8e2256cdfabcbe92355cb269371c3195eae863d360f1ada374eea4dca67d789e4cf6841c4646fdf3c353ed5e62542b30e925d064

Download Submit
C:\Windows\{E927C03D-B229-4a98-970E-03A459982CCF}.exe

Filesize
408KB

MD5
dde469aac4721f707ad39ac74981a529

SHA1
ac83614ce968d20bf8b64f2b271fca132ac889fe

SHA256
3607008ef332b1cef546bba7e69240633bf14ffc0a7d4c0dbccad889509f893d

SHA512
0cff07224bc4abcd18026a359dd5bbf5ebff2fe12d64b989eedab0fcaa2844cf2259bf236d7f5b70db87ec2fed305ff04acb25f2c335fa970535b445bb7a8278

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads