e2ee34db55d7d63f269bb1b59c25ed80eedcb155398bba40405c1712a5483bbc

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 12:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
Size

197KB
MD5

a8554c515c841b4476c5146fe08fca38
SHA1

bbecd5e34992652f934a76a294e22e50af028d6f
SHA256

e2ee34db55d7d63f269bb1b59c25ed80eedcb155398bba40405c1712a5483bbc
SHA512

370ec91778945512a0b863cad9e861227177efb59763e8eae584c6b67c5ed58c6f06b580421e864bb224e81b4e442e64f1a5a1290613859b2cae96067db67c06
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ec-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA64C65-B749-4781-B068-527EAB852A7D}\stubpath = "C:\\Windows\\{DEA64C65-B749-4781-B068-527EAB852A7D}.exe"	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00E8050B-2E4E-4ede-AA50-172E5F48775C}	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69560382-8405-4682-B3C9-EBC21579D6B7}	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}\stubpath = "C:\\Windows\\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe"	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}\stubpath = "C:\\Windows\\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe"	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97148CB8-9C93-46b2-A968-095AC48B7973}	{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA64C65-B749-4781-B068-527EAB852A7D}	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}	{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}\stubpath = "C:\\Windows\\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe"	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69560382-8405-4682-B3C9-EBC21579D6B7}\stubpath = "C:\\Windows\\{69560382-8405-4682-B3C9-EBC21579D6B7}.exe"	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97148CB8-9C93-46b2-A968-095AC48B7973}\stubpath = "C:\\Windows\\{97148CB8-9C93-46b2-A968-095AC48B7973}.exe"	{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}\stubpath = "C:\\Windows\\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe"	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00E8050B-2E4E-4ede-AA50-172E5F48775C}\stubpath = "C:\\Windows\\{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe"	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84D28553-F110-46b5-BDD6-6C5806FE7240}	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84D28553-F110-46b5-BDD6-6C5806FE7240}\stubpath = "C:\\Windows\\{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe"	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}\stubpath = "C:\\Windows\\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe"	{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B470C5E-11C6-44df-B539-AC871DED6C08}	{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B470C5E-11C6-44df-B539-AC871DED6C08}\stubpath = "C:\\Windows\\{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe"	{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
2772	{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
2372	{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
2252	{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
2240	{97148CB8-9C93-46b2-A968-095AC48B7973}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
File created	C:\Windows\{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
File created	C:\Windows\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
File created	C:\Windows\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe	{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
File created	C:\Windows\{97148CB8-9C93-46b2-A968-095AC48B7973}.exe	{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
File created	C:\Windows\{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
File created	C:\Windows\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
File created	C:\Windows\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
File created	C:\Windows\{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe	{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
File created	C:\Windows\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
File created	C:\Windows\{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
Token: SeIncBasePriorityPrivilege	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
Token: SeIncBasePriorityPrivilege	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
Token: SeIncBasePriorityPrivilege	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
Token: SeIncBasePriorityPrivilege	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
Token: SeIncBasePriorityPrivilege	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
Token: SeIncBasePriorityPrivilege	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
Token: SeIncBasePriorityPrivilege	2772	{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
Token: SeIncBasePriorityPrivilege	2372	{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
Token: SeIncBasePriorityPrivilege	2252	{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2072	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	28
PID 1904 wrote to memory of 2072	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	28
PID 1904 wrote to memory of 2072	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	28
PID 1904 wrote to memory of 2072	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	28
PID 1904 wrote to memory of 2724	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	29
PID 1904 wrote to memory of 2724	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	29
PID 1904 wrote to memory of 2724	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	29
PID 1904 wrote to memory of 2724	1904	2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe	29
PID 2072 wrote to memory of 2712	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	30
PID 2072 wrote to memory of 2712	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	30
PID 2072 wrote to memory of 2712	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	30
PID 2072 wrote to memory of 2712	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	30
PID 2072 wrote to memory of 3000	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	31
PID 2072 wrote to memory of 3000	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	31
PID 2072 wrote to memory of 3000	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	31
PID 2072 wrote to memory of 3000	2072	{DEA64C65-B749-4781-B068-527EAB852A7D}.exe	31
PID 2712 wrote to memory of 2864	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	33
PID 2712 wrote to memory of 2864	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	33
PID 2712 wrote to memory of 2864	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	33
PID 2712 wrote to memory of 2864	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	33
PID 2712 wrote to memory of 2632	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	32
PID 2712 wrote to memory of 2632	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	32
PID 2712 wrote to memory of 2632	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	32
PID 2712 wrote to memory of 2632	2712	{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe	32
PID 2864 wrote to memory of 1908	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	36
PID 2864 wrote to memory of 1908	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	36
PID 2864 wrote to memory of 1908	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	36
PID 2864 wrote to memory of 1908	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	36
PID 2864 wrote to memory of 2920	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	37
PID 2864 wrote to memory of 2920	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	37
PID 2864 wrote to memory of 2920	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	37
PID 2864 wrote to memory of 2920	2864	{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe	37
PID 1908 wrote to memory of 2964	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	38
PID 1908 wrote to memory of 2964	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	38
PID 1908 wrote to memory of 2964	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	38
PID 1908 wrote to memory of 2964	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	38
PID 1908 wrote to memory of 3060	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	39
PID 1908 wrote to memory of 3060	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	39
PID 1908 wrote to memory of 3060	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	39
PID 1908 wrote to memory of 3060	1908	{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe	39
PID 2964 wrote to memory of 276	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	41
PID 2964 wrote to memory of 276	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	41
PID 2964 wrote to memory of 276	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	41
PID 2964 wrote to memory of 276	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	41
PID 2964 wrote to memory of 1692	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	40
PID 2964 wrote to memory of 1692	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	40
PID 2964 wrote to memory of 1692	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	40
PID 2964 wrote to memory of 1692	2964	{69560382-8405-4682-B3C9-EBC21579D6B7}.exe	40
PID 276 wrote to memory of 1508	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	42
PID 276 wrote to memory of 1508	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	42
PID 276 wrote to memory of 1508	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	42
PID 276 wrote to memory of 1508	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	42
PID 276 wrote to memory of 584	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	43
PID 276 wrote to memory of 584	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	43
PID 276 wrote to memory of 584	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	43
PID 276 wrote to memory of 584	276	{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe	43
PID 1508 wrote to memory of 2772	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	44
PID 1508 wrote to memory of 2772	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	44
PID 1508 wrote to memory of 2772	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	44
PID 1508 wrote to memory of 2772	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	44
PID 1508 wrote to memory of 1304	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	45
PID 1508 wrote to memory of 1304	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	45
PID 1508 wrote to memory of 1304	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	45
PID 1508 wrote to memory of 1304	1508	{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_a8554c515c841b4476c5146fe08fca38_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
  C:\Windows\{DEA64C65-B749-4781-B068-527EAB852A7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
    C:\Windows\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C44FE~1.EXE > nul
      4⤵
      PID:2632
  - - C:\Windows\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
      C:\Windows\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
        
        C:\Windows\{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
        
        C:\Windows\{69560382-8405-4682-B3C9-EBC21579D6B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69560~1.EXE > nul
        7⤵
        
        PID:1692
        
        C:\Windows\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
        
        C:\Windows\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
        
        C:\Windows\{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
        
        C:\Windows\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
        
        C:\Windows\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
        
        C:\Windows\{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{97148CB8-9C93-46b2-A968-095AC48B7973}.exe
        
        C:\Windows\{97148CB8-9C93-46b2-A968-095AC48B7973}.exe
        12⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B470~1.EXE > nul
        12⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23614~1.EXE > nul
        11⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBF7C~1.EXE > nul
        10⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84D28~1.EXE > nul
        9⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE35~1.EXE > nul
        8⤵
        
        PID:584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00E80~1.EXE > nul
        6⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72A3~1.EXE > nul
        5⤵
        
        PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA64~1.EXE > nul
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00E8050B-2E4E-4ede-AA50-172E5F48775C}.exe

Filesize
197KB

MD5
2ee715a477834fcd0776375fe80c6090

SHA1
e8baf65c5da540928f963010516944d8d169ff18

SHA256
71cb75a4b1ef212c3a3081a3f15385de312afca38713193f2ac3eaafdf065047

SHA512
ef48ffd47d2657d37f17d3cdf6b70020c2724ba19782a4462f48572364d8246603ebcd7f7f0d37447d5ef7ceb1785231858e81abc724e0e8bd46dbe04b64b3a9

Download Submit
C:\Windows\{236146B3-3F1D-4499-B2AA-D358E1EE3DC9}.exe

Filesize
197KB

MD5
2f4fdd53ac98c944cfe5358e1aee98e5

SHA1
d826eb030736af91de0b7b6a0f087cba4a7c2b92

SHA256
6ac4e43e4418ebcd59ba5ab060a33188df1b06ba9918f235afc11eac1c793da0

SHA512
c18fd98ed64884d947e4b59013ec1cf4bf52e03219dde948eefbadfba5502ba248f7b08f1aa2362aa8bfbed3b4af7fb6afa3488ed218b8962b0b9d53ab52ff54

Download Submit
C:\Windows\{4B470C5E-11C6-44df-B539-AC871DED6C08}.exe

Filesize
197KB

MD5
c0157104e43be0cb96e19e3cdc3c562f

SHA1
0d33ef07401293a1b93c356c820ec32690e01cff

SHA256
0eb2e421efe5600c57d96b35317c342c52994402d8ee2bf680275cd83c886b46

SHA512
eda13e48b99b9350601456e096c98a7c961fd4eb46aaf207193e5238f662cecb14a2c1d052500f64f65d1da977c09865b56bac728eb04663f60d95971116b350

Download Submit
C:\Windows\{5CE357E9-4B1C-4bf4-874E-E11F24EBCD01}.exe

Filesize
197KB

MD5
50ea41645971ea947468a212329ce249

SHA1
51332ea300fb2c7df139c9b77145acf59b2df684

SHA256
afc3c1cc6678cfe315b92ac94d0d3095956677c629863ac457eadab0e9885238

SHA512
1d6aaeee391c181d59a22ef4e3c65a6df6bc3df9312d880c5bb7d9c82fef0fb616ae1a0ce4bf0aaafe94798a5f53ede3a91ff4bae76eaed44725235098490d19

Download Submit
C:\Windows\{69560382-8405-4682-B3C9-EBC21579D6B7}.exe

Filesize
197KB

MD5
12b477a9108062b3ea25f26ebb30e98b

SHA1
43cc41e19b42e247ee88c287cdeaae01a276dae6

SHA256
6acbee83ad91fad1ba648a0ad35b35e9aa800d10528be840a62d84c566bd20a5

SHA512
a535ee992397331bd2e1e700599125f4f45077fe1abfa71fb28bc2d60f2f0a465cff03b2e0bc14acab8ffdc18552e6c74c960e42995d0579caffc8013445b634

Download Submit
C:\Windows\{84D28553-F110-46b5-BDD6-6C5806FE7240}.exe

Filesize
197KB

MD5
21b1fdc4f5713a42f2eff733010df0ac

SHA1
878cf98f2287fa04c6bf2b3618ccc91d8880d36d

SHA256
5ab63d5f9230ca1312a0745c032ecb7758cc8f87af2ab02c0fdb7003cb4484f9

SHA512
76a7fd22b83f4c63f02349522200c74d8e6e0a6c3e7c41e5c5cb6cdff80749b884541a0994558116350e8efa58b221fe3cb67221751ff837f717013b779c4c80

Download Submit
C:\Windows\{97148CB8-9C93-46b2-A968-095AC48B7973}.exe

Filesize
197KB

MD5
ed656d87d20a71504d69a142c12d9c80

SHA1
6415c428ef9fc19143a57e147fa8b77782d033aa

SHA256
dda8e0ef0510621312f8c2ee331811c1f50e7ab1a5da00e93e82eb27894b0699

SHA512
918b3ad4c824deb7c4e3140f58e9d6e36e173af9235b0c55358e82130cf23472918598b36560f576b98aa8f1f2450351ca2be2981a368168887cc77a3df0bf13

Download Submit
C:\Windows\{B72A3160-FD26-4d59-9FB0-05FAA8EAD515}.exe

Filesize
197KB

MD5
0c355ea25d6a6657c56ad9ad74335911

SHA1
b08e452afccdbc5feb6562139b1e9ff635b32291

SHA256
5cbc73beda2b2a46808ca7c92a8946893e02273cedf1f3bfe7928c5038811308

SHA512
ee35e16668ab5226c284a1425422813eb274d77a81542f4a3e26918536d44bfe0915a9b92c442f0c1626f5ee5f6228f5d918aa55f91a3b095b8d1b26b196f7aa

Download Submit
C:\Windows\{C44FEE4D-9D70-43c1-B33A-905F799D16AA}.exe

Filesize
197KB

MD5
eef83c9df96f67511da628bc01f6a3b9

SHA1
0daf95494eb69b25c169697c5474970f470da8db

SHA256
0939d5b38a65ea8399ffd906c229d83a00610bffb0da65ae1bfa21c1f8e76829

SHA512
7b189d62ff1bab38decb6a5f117959879fe027b2a5fb37b1541f2f042259234c02fb67335c84ef980ec169d64a0bf65aba22721a30db7c66de0c122c090700e9

Download Submit
C:\Windows\{DEA64C65-B749-4781-B068-527EAB852A7D}.exe

Filesize
197KB

MD5
831f328a0beeca21e107f5a3f74e972d

SHA1
38d78e1e77b360a62cef01a37dc906f3a01ec992

SHA256
a21a6ff5a072e33a59fbb09324098f84ffca928772c7f2b298de31ce505184b6

SHA512
965eecfa35eb31c0cb7e1cc1ced10908064e0af91a805c35fbfe548cf717e9e4901b43f0fe3840fa14e6352346cc9e08ddc96a1fe5b2ee29075ab49a019785a5

Download Submit
C:\Windows\{EBF7C7D3-1BD7-4b81-8CF9-DA86902719E3}.exe

Filesize
197KB

MD5
a21e18547142bdc07a6718ae305e56fa

SHA1
588f07c1f8847b8c4e039610bc94afd93014edec

SHA256
6ac2f9a62d2bbe0a306e1d5e35ed97c1970d925d5487eb9d549531ab8d5b14b5

SHA512
a6ca4efce77bef1f43f1be119d668c32847e45b10c77b7e72336aa0f54430321dccb8b6e52ab4474be526d691a4e8d7a97ffc4fe9af45d6723fb4219823ecd14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads