30a78201993d93727a43786e808580a929cc80fb3a8e4b7273483b5e59a4292c

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe
Size

168KB
MD5

ff3dacf987bb913da901e6ca6077f6bf
SHA1

3f80bf5796b2e0cd5937b2bcf68bba72bafc7cde
SHA256

30a78201993d93727a43786e808580a929cc80fb3a8e4b7273483b5e59a4292c
SHA512

dcd0665f6d2b5c0fc6624edd927defc8e408002c43b7e3adbbe993557d58e562db3a114962f5e11d3a744fb313ac0966c066bf86b78528a523973ff6f90e13dd
SSDEEP

1536:1EGh0o2lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o2lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e2c0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023134-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023134-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002313d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C2E72AD-370F-4858-A65A-1E4A229AA223}	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C2E72AD-370F-4858-A65A-1E4A229AA223}\stubpath = "C:\\Windows\\{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe"	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}\stubpath = "C:\\Windows\\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe"	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C16B04FD-FFC8-4074-A872-764852507A14}\stubpath = "C:\\Windows\\{C16B04FD-FFC8-4074-A872-764852507A14}.exe"	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}\stubpath = "C:\\Windows\\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe"	{C16B04FD-FFC8-4074-A872-764852507A14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02368A1-FCBC-4b42-9ADE-989B809544AB}	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BB2B00-913C-4988-AB1B-2D721F24C62B}	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}\stubpath = "C:\\Windows\\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe"	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BB2B00-913C-4988-AB1B-2D721F24C62B}\stubpath = "C:\\Windows\\{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe"	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}\stubpath = "C:\\Windows\\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe"	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}	{C16B04FD-FFC8-4074-A872-764852507A14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}\stubpath = "C:\\Windows\\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe"	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}\stubpath = "C:\\Windows\\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe"	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C16B04FD-FFC8-4074-A872-764852507A14}	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}\stubpath = "C:\\Windows\\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe"	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A02368A1-FCBC-4b42-9ADE-989B809544AB}\stubpath = "C:\\Windows\\{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe"	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe
1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
2184	{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C16B04FD-FFC8-4074-A872-764852507A14}.exe	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
File created	C:\Windows\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	{C16B04FD-FFC8-4074-A872-764852507A14}.exe
File created	C:\Windows\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
File created	C:\Windows\{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe
File created	C:\Windows\{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
File created	C:\Windows\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
File created	C:\Windows\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
File created	C:\Windows\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
File created	C:\Windows\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
File created	C:\Windows\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
File created	C:\Windows\{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
Token: SeIncBasePriorityPrivilege	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
Token: SeIncBasePriorityPrivilege	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
Token: SeIncBasePriorityPrivilege	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
Token: SeIncBasePriorityPrivilege	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
Token: SeIncBasePriorityPrivilege	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
Token: SeIncBasePriorityPrivilege	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe
Token: SeIncBasePriorityPrivilege	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
Token: SeIncBasePriorityPrivilege	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
Token: SeIncBasePriorityPrivilege	4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 384	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	83
PID 3448 wrote to memory of 384	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	83
PID 3448 wrote to memory of 384	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	83
PID 3448 wrote to memory of 1808	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	84
PID 3448 wrote to memory of 1808	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	84
PID 3448 wrote to memory of 1808	3448	2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe	84
PID 384 wrote to memory of 2128	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	93
PID 384 wrote to memory of 2128	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	93
PID 384 wrote to memory of 2128	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	93
PID 384 wrote to memory of 5100	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	94
PID 384 wrote to memory of 5100	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	94
PID 384 wrote to memory of 5100	384	{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe	94
PID 2128 wrote to memory of 2196	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	95
PID 2128 wrote to memory of 2196	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	95
PID 2128 wrote to memory of 2196	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	95
PID 2128 wrote to memory of 2452	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	96
PID 2128 wrote to memory of 2452	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	96
PID 2128 wrote to memory of 2452	2128	{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe	96
PID 2196 wrote to memory of 4360	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	97
PID 2196 wrote to memory of 4360	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	97
PID 2196 wrote to memory of 4360	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	97
PID 2196 wrote to memory of 4036	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	98
PID 2196 wrote to memory of 4036	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	98
PID 2196 wrote to memory of 4036	2196	{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe	98
PID 4360 wrote to memory of 1416	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	99
PID 4360 wrote to memory of 1416	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	99
PID 4360 wrote to memory of 1416	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	99
PID 4360 wrote to memory of 1260	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	100
PID 4360 wrote to memory of 1260	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	100
PID 4360 wrote to memory of 1260	4360	{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe	100
PID 1416 wrote to memory of 1856	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	101
PID 1416 wrote to memory of 1856	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	101
PID 1416 wrote to memory of 1856	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	101
PID 1416 wrote to memory of 1536	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	102
PID 1416 wrote to memory of 1536	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	102
PID 1416 wrote to memory of 1536	1416	{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe	102
PID 1856 wrote to memory of 1984	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	103
PID 1856 wrote to memory of 1984	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	103
PID 1856 wrote to memory of 1984	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	103
PID 1856 wrote to memory of 3324	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	104
PID 1856 wrote to memory of 3324	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	104
PID 1856 wrote to memory of 3324	1856	{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe	104
PID 1984 wrote to memory of 1180	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	105
PID 1984 wrote to memory of 1180	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	105
PID 1984 wrote to memory of 1180	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	105
PID 1984 wrote to memory of 1716	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	106
PID 1984 wrote to memory of 1716	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	106
PID 1984 wrote to memory of 1716	1984	{C16B04FD-FFC8-4074-A872-764852507A14}.exe	106
PID 1180 wrote to memory of 3280	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	107
PID 1180 wrote to memory of 3280	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	107
PID 1180 wrote to memory of 3280	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	107
PID 1180 wrote to memory of 1848	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	108
PID 1180 wrote to memory of 1848	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	108
PID 1180 wrote to memory of 1848	1180	{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe	108
PID 3280 wrote to memory of 4912	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	109
PID 3280 wrote to memory of 4912	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	109
PID 3280 wrote to memory of 4912	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	109
PID 3280 wrote to memory of 3128	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	110
PID 3280 wrote to memory of 3128	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	110
PID 3280 wrote to memory of 3128	3280	{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe	110
PID 4912 wrote to memory of 2184	4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe	112
PID 4912 wrote to memory of 2184	4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe	112
PID 4912 wrote to memory of 2184	4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe	112
PID 4912 wrote to memory of 2344	4912	{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_ff3dacf987bb913da901e6ca6077f6bf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
  C:\Windows\{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
    C:\Windows\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
      C:\Windows\{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
        
        C:\Windows\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
        
        C:\Windows\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
        
        C:\Windows\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{C16B04FD-FFC8-4074-A872-764852507A14}.exe
        
        C:\Windows\{C16B04FD-FFC8-4074-A872-764852507A14}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
        
        C:\Windows\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
        
        C:\Windows\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
        
        C:\Windows\{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87BB2~1.EXE > nul
        12⤵
        
        PID:2344
        
        C:\Windows\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe
        
        C:\Windows\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE5E~1.EXE > nul
        11⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9EDA~1.EXE > nul
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C16B0~1.EXE > nul
        9⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6038B~1.EXE > nul
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA2C2~1.EXE > nul
        7⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D258D~1.EXE > nul
        6⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C2E7~1.EXE > nul
        5⤵
        
        PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A09A~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A0236~1.EXE > nul
    3⤵
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BE5EF8B-5C31-4365-BF23-6D298E72263F}.exe

Filesize
168KB

MD5
7f3c7e11e90fea35b9cb1549099925cd

SHA1
c1612e5acbb9879474f34ac1c9e89efe37c4778e

SHA256
ea9737357a8fb77cb596b9fc0bf6a94c716d05778c29a644485ac4d6a718c20d

SHA512
124e47ac0378e312fc65034870a4b02e544d7738f99f73d4c6bf8c6549b02f75ee0f4b12e0e9738e5b320b2af429715087861c970cc691ae43bc8be485b8491a

Download Submit
C:\Windows\{6038B453-31C6-4f3b-8A63-F59E6FEC8043}.exe

Filesize
168KB

MD5
b7296ff1d15fe94b86ebf9970a6f9f83

SHA1
25b04232b637841ae95f65d1df25bc205cfc7d12

SHA256
d429f27109e932d5af4c3fd9685642f398d1c98beb6f757416d1c671a02b2c24

SHA512
e82e698257f8cec3b65302c00b69e9d266f61b23284a1d15ebad3b7fbe726ac51062af5fc58ee3d02633d95c65c7cf0446613fb1ce08899687efb4d0ed1c998c

Download Submit
C:\Windows\{7C2E72AD-370F-4858-A65A-1E4A229AA223}.exe

Filesize
168KB

MD5
7625dc278d12f34fc9d00dbce3aef8e5

SHA1
1a7a6320ba44f232d333c9a6dc595da148eea818

SHA256
2caf2f818712d088739f567bfec251f7b42b877ed1950dbf56d7204acce415ba

SHA512
cfb41f862a4e0268e271e71c963c0836cecb2127ccca110b23dfd8806ffda74c233324cb948a7b22e28a7bbfa471c52180bb77661986c402d6638770afd0f1fb

Download Submit
C:\Windows\{87BB2B00-913C-4988-AB1B-2D721F24C62B}.exe

Filesize
168KB

MD5
d3fce727ffd0c508bf3e0964a208ad30

SHA1
17d1fcb60d17eb298159acde966c51902816d61f

SHA256
00eba1b7005eb1593c04968e3a9c9f387f22a45bb854c81d39446194468398ad

SHA512
4b3c7d90706579591fe0f992f7410290b08d50e169c22561c10624c4232fe71e50830e882c6d600040eb4a7a583de65b924cc1e51a8380d7c5f971709e75d7cb

Download Submit
C:\Windows\{9A09A6A1-76CC-43e6-8AE9-53777E30F7B1}.exe

Filesize
168KB

MD5
005fb2e0d2c5969ffc605ea40d9466d5

SHA1
1e78bb30c9e98ff15564e81c5c47d5f556bf35b6

SHA256
3a3ebbf9d30eb2ede1c9dcd6557fa0f28316ab99a7cd0446be03848de17ab493

SHA512
9ec78334085787befd533d7787de4c25cb6127637438d1d4d378ca994b4e666e3b546dbe03882caf487a7296bfd43b80e52a2f58494c070baa7abe65f64535f1

Download Submit
C:\Windows\{A02368A1-FCBC-4b42-9ADE-989B809544AB}.exe

Filesize
168KB

MD5
2cf89d59dd85234426e2889ad03ae965

SHA1
14cc3705f2b4589d9f7334ceac051ac3e591a3a7

SHA256
b0c02e8986f90b807cd2c858e48d2f524a4869178c04e22acfff184a36a37480

SHA512
16b98e25134e099a7ce3955f95f6055d0ba22af2b4e519f520741a77afdb8ea0c9e0f14311bda03fd17178435d9954cf9813e7cb22c4a32d235fe90b01761981

Download Submit
C:\Windows\{AAFB2E20-46CE-4296-AE2F-28A728B8500F}.exe

Filesize
168KB

MD5
c5b550e69ff2a37ef1b6269f833c5bca

SHA1
32db80f98b2c0dea44ed2216ec485cbcddeba1db

SHA256
fad403f994d207f3785b39e9be6fd650e1177f4b10be64b23982e39bfa2c1182

SHA512
ebff65126626eccdf5a3e5af2b7c25e3a03973fb200505fbfb4548be4498bdb903cc69547d4ac8ff9d0f5ec514735a52db91378a78624703fb45eefd527e759a

Download Submit
C:\Windows\{B9EDA97D-02E5-475e-95EA-9C32923C7D73}.exe

Filesize
168KB

MD5
c19496edd1d87b2e8ae96050d4662a4a

SHA1
ae40da90146c533cb26528f48183aefcc9186f80

SHA256
816479ec7930b7579a74e4174aab52a826263a51945cb6645e1d006bfd39e349

SHA512
9b979a092b33b18618de8daad55468838a2a25d160e4089860a4bab4d2a447b9f64591b7e663051f76472f536fbc528fb19f965fe9f1d780df4b6a7a4d30610e

Download Submit
C:\Windows\{C16B04FD-FFC8-4074-A872-764852507A14}.exe

Filesize
168KB

MD5
eee6e52170b74b8cdc39e2c1ecd9c2a2

SHA1
a4dc5489d2b345592fda8c2a9e00d783c31ed55c

SHA256
b35502e862a5bbf76dc8f458e2c026936b797199e907f14714badc82eeb9c9e1

SHA512
3f7b677dbd9a64fe4f90f5935d7a2f9474cc27a581a37fa10409e2d7a9a1451e28d0fc8ec2916b18808e4a8d1b71d2d28f80af99d279e2cecc266ec668d02ca8

Download Submit
C:\Windows\{D258D9A3-3200-4f9e-889A-EEBF1C20CC7C}.exe

Filesize
168KB

MD5
84b0b324e65d52013bb0f07ce7ef203a

SHA1
6b22c11b3971628b0be87b4a929ff1f893e3d9be

SHA256
2baaf5e08fde2b0b7c38ccc818d267e2b112e1d074556b651b9946ec3ba97ba8

SHA512
816bb3249423c9dbfe5ede5429abe876dcc372bb55b28bf1501037447081d582c255a24031bf57284722187975a94a7954bb908ffbf37c15ab81e15fb76f7da3

Download Submit
C:\Windows\{FA2C289E-1FED-4743-A23F-BA9E60645F6C}.exe

Filesize
168KB

MD5
f3a64157b8b085c7874f967a932befc8

SHA1
e73587a09ed2675cb242d63c115b3906046f5fc1

SHA256
5fa9ffb6fc451d9c259d53d0f179df3cd06de6b2f1d413d9494746c53b9d30eb

SHA512
8d48051a9ed6d7e15b8038bfe99cab9483ce779f64779438f526c4208e3e186e282d32958d7f12b4d7f5ff78701caf328a3e4c4d53745275671c9f9831604309

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads