f740bc992f87f6e6d6af3b6d88d61b92adb59e03eeb6f605f6a8b945bda63fc6

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Size

408KB
MD5

19ac4565f46841411a12a6b4e51f5a14
SHA1

20b7d0f0368134b00e21c69c0e5db1352fff68b2
SHA256

f740bc992f87f6e6d6af3b6d88d61b92adb59e03eeb6f605f6a8b945bda63fc6
SHA512

ed3e710e2f80df509c46ce8f79cfd92c8b63b1b5f3cc1b0320dda513e814392c92b450027f44a5cf3813d16f7af57576eae9bf2ff6d7fa6995f2fc83dc008f29
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGSldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e75f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fe-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e75f-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e75f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e75f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383B3EF7-29F9-46ef-AB22-496BC70A865A}\stubpath = "C:\\Windows\\{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe"	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56EE234-95EA-4a1f-819A-BE0B55612840}\stubpath = "C:\\Windows\\{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe"	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D770E384-4108-43fb-A96D-F99084DAD254}	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074DC76-6206-4983-992F-8A0E16ADD6ED}	{D770E384-4108-43fb-A96D-F99084DAD254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982D033A-4966-405c-A469-4FC99428B128}	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDAF94F-2556-4445-8D16-5EF01477C720}	{982D033A-4966-405c-A469-4FC99428B128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}\stubpath = "C:\\Windows\\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe"	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56EE234-95EA-4a1f-819A-BE0B55612840}	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C074DC76-6206-4983-992F-8A0E16ADD6ED}\stubpath = "C:\\Windows\\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe"	{D770E384-4108-43fb-A96D-F99084DAD254}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}\stubpath = "C:\\Windows\\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe"	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E750C1-57BA-41d2-A176-73A620F78C06}	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{383B3EF7-29F9-46ef-AB22-496BC70A865A}	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}\stubpath = "C:\\Windows\\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe"	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DDAF94F-2556-4445-8D16-5EF01477C720}\stubpath = "C:\\Windows\\{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe"	{982D033A-4966-405c-A469-4FC99428B128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E750C1-57BA-41d2-A176-73A620F78C06}\stubpath = "C:\\Windows\\{27E750C1-57BA-41d2-A176-73A620F78C06}.exe"	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}\stubpath = "C:\\Windows\\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe"	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D770E384-4108-43fb-A96D-F99084DAD254}\stubpath = "C:\\Windows\\{D770E384-4108-43fb-A96D-F99084DAD254}.exe"	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982D033A-4966-405c-A469-4FC99428B128}\stubpath = "C:\\Windows\\{982D033A-4966-405c-A469-4FC99428B128}.exe"	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe

Executes dropped EXE 11 IoCs

pid	Process
3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe
3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
3972	{982D033A-4966-405c-A469-4FC99428B128}.exe
4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
116	{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
File created	C:\Windows\{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
File created	C:\Windows\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	{D770E384-4108-43fb-A96D-F99084DAD254}.exe
File created	C:\Windows\{982D033A-4966-405c-A469-4FC99428B128}.exe	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
File created	C:\Windows\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
File created	C:\Windows\{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
File created	C:\Windows\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
File created	C:\Windows\{D770E384-4108-43fb-A96D-F99084DAD254}.exe	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
File created	C:\Windows\{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe	{982D033A-4966-405c-A469-4FC99428B128}.exe
File created	C:\Windows\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
File created	C:\Windows\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
Token: SeIncBasePriorityPrivilege	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
Token: SeIncBasePriorityPrivilege	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
Token: SeIncBasePriorityPrivilege	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
Token: SeIncBasePriorityPrivilege	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
Token: SeIncBasePriorityPrivilege	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
Token: SeIncBasePriorityPrivilege	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe
Token: SeIncBasePriorityPrivilege	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
Token: SeIncBasePriorityPrivilege	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe
Token: SeIncBasePriorityPrivilege	4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3076	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	90
PID 4528 wrote to memory of 3076	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	90
PID 4528 wrote to memory of 3076	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	90
PID 4528 wrote to memory of 1780	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	91
PID 4528 wrote to memory of 1780	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	91
PID 4528 wrote to memory of 1780	4528	2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe	91
PID 3076 wrote to memory of 1100	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	94
PID 3076 wrote to memory of 1100	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	94
PID 3076 wrote to memory of 1100	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	94
PID 3076 wrote to memory of 3512	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	95
PID 3076 wrote to memory of 3512	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	95
PID 3076 wrote to memory of 3512	3076	{27E750C1-57BA-41d2-A176-73A620F78C06}.exe	95
PID 1100 wrote to memory of 1776	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	98
PID 1100 wrote to memory of 1776	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	98
PID 1100 wrote to memory of 1776	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	98
PID 1100 wrote to memory of 2016	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	97
PID 1100 wrote to memory of 2016	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	97
PID 1100 wrote to memory of 2016	1100	{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe	97
PID 1776 wrote to memory of 3732	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	99
PID 1776 wrote to memory of 3732	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	99
PID 1776 wrote to memory of 3732	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	99
PID 1776 wrote to memory of 1064	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	100
PID 1776 wrote to memory of 1064	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	100
PID 1776 wrote to memory of 1064	1776	{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe	100
PID 3732 wrote to memory of 1512	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	101
PID 3732 wrote to memory of 1512	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	101
PID 3732 wrote to memory of 1512	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	101
PID 3732 wrote to memory of 4852	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	102
PID 3732 wrote to memory of 4852	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	102
PID 3732 wrote to memory of 4852	3732	{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe	102
PID 1512 wrote to memory of 4392	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	104
PID 1512 wrote to memory of 4392	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	104
PID 1512 wrote to memory of 4392	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	104
PID 1512 wrote to memory of 2600	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	103
PID 1512 wrote to memory of 2600	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	103
PID 1512 wrote to memory of 2600	1512	{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe	103
PID 4392 wrote to memory of 4776	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	106
PID 4392 wrote to memory of 4776	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	106
PID 4392 wrote to memory of 4776	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	106
PID 4392 wrote to memory of 1336	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	105
PID 4392 wrote to memory of 1336	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	105
PID 4392 wrote to memory of 1336	4392	{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe	105
PID 4776 wrote to memory of 3760	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	108
PID 4776 wrote to memory of 3760	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	108
PID 4776 wrote to memory of 3760	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	108
PID 4776 wrote to memory of 4040	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	107
PID 4776 wrote to memory of 4040	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	107
PID 4776 wrote to memory of 4040	4776	{D770E384-4108-43fb-A96D-F99084DAD254}.exe	107
PID 3760 wrote to memory of 3972	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	110
PID 3760 wrote to memory of 3972	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	110
PID 3760 wrote to memory of 3972	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	110
PID 3760 wrote to memory of 4660	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	109
PID 3760 wrote to memory of 4660	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	109
PID 3760 wrote to memory of 4660	3760	{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe	109
PID 3972 wrote to memory of 4932	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	112
PID 3972 wrote to memory of 4932	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	112
PID 3972 wrote to memory of 4932	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	112
PID 3972 wrote to memory of 5108	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	111
PID 3972 wrote to memory of 5108	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	111
PID 3972 wrote to memory of 5108	3972	{982D033A-4966-405c-A469-4FC99428B128}.exe	111
PID 4932 wrote to memory of 116	4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe	113
PID 4932 wrote to memory of 116	4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe	113
PID 4932 wrote to memory of 116	4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe	113
PID 4932 wrote to memory of 3988	4932	{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_19ac4565f46841411a12a6b4e51f5a14_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
  C:\Windows\{27E750C1-57BA-41d2-A176-73A620F78C06}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
    C:\Windows\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFFCA~1.EXE > nul
      4⤵
      PID:2016
  - - C:\Windows\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
      C:\Windows\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
        
        C:\Windows\{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
        
        C:\Windows\{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B56EE~1.EXE > nul
        7⤵
        
        PID:2600
        
        C:\Windows\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
        
        C:\Windows\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C9F0~1.EXE > nul
        8⤵
        
        PID:1336
        
        C:\Windows\{D770E384-4108-43fb-A96D-F99084DAD254}.exe
        
        C:\Windows\{D770E384-4108-43fb-A96D-F99084DAD254}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D770E~1.EXE > nul
        9⤵
        
        PID:4040
        
        C:\Windows\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
        
        C:\Windows\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C074D~1.EXE > nul
        10⤵
        
        PID:4660
        
        C:\Windows\{982D033A-4966-405c-A469-4FC99428B128}.exe
        
        C:\Windows\{982D033A-4966-405c-A469-4FC99428B128}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{982D0~1.EXE > nul
        11⤵
        
        PID:5108
        
        C:\Windows\{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
        
        C:\Windows\{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe
        
        C:\Windows\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe
        12⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{188FE~1.EXE > nul
        13⤵
        
        PID:396
        
        C:\Windows\{E58100BC-8D3F-4a48-8C13-40BB2D9963D8}.exe
        
        C:\Windows\{E58100BC-8D3F-4a48-8C13-40BB2D9963D8}.exe
        13⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDAF~1.EXE > nul
        12⤵
        
        PID:3988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{383B3~1.EXE > nul
        6⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B1D3~1.EXE > nul
        5⤵
        
        PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27E75~1.EXE > nul
    3⤵
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{188FE642-0AE6-4365-AFB0-DA7D6214CC57}.exe

Filesize
408KB

MD5
251419bc0e7de82bf6a2a13880e91a98

SHA1
11c7dea0d132a864dea8864d6c764c92927c7bec

SHA256
79b96e63d126c242b0c17ea704c76e83b49ad48707c4d84157af474134fa474a

SHA512
79be17eb9397ba9e380ffce9041ed601ea13721f782e4e32eb6416e512f7120bc07290b906fa65b54eb4a2316da001e93055f80062e58e9cb8c13c8f18f1c03d

Download Submit
C:\Windows\{27E750C1-57BA-41d2-A176-73A620F78C06}.exe

Filesize
408KB

MD5
97568a41d6fa5721ec9c2ddd61e5e5bd

SHA1
4fe4f82a2e728fa366bc228fe1532ad1f8c434c7

SHA256
8db84b4b4d45fc9240ad51804a328fc537939a8c59e779ec53723c6d8a2bb1b4

SHA512
eb27ed00243713d09006adebbd9e2167ddbcff3894f67047a4a26bfe6c13732a310581d3c19f3397fa82d5745285cbe1d360fb25c2b718d351bfbacea49b879f

Download Submit
C:\Windows\{383B3EF7-29F9-46ef-AB22-496BC70A865A}.exe

Filesize
408KB

MD5
16dbaff4f22ed650e6a16e1afd281b4d

SHA1
dad5fd95d3a0041e3f3b3343c233671d88b5feae

SHA256
159708b10464724a2ee63fb8cf7c268e98bfca203d2d3eee93af6c198765b924

SHA512
8efefb81468ef614deac7b0690367d1c79e583ba37e94f8e6841a81887a7616c99ec5400bdc2a0839b74b627f9be94c69eda8f47bd416d9bbf136194ed0b6626

Download Submit
C:\Windows\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe

Filesize
264KB

MD5
952ab3c00444af6ad75facb0f4f0b822

SHA1
db8693598afaa8e1bda1ba2afe73c7a635f5fa93

SHA256
394ee774af6a1c2f7ba9eaf2e144f02a0e1b87f5da404e4681e59efdf745e142

SHA512
ad58f914f04d15f304728da4c52154d154475a00af553dd15fece0cb04741c50c471ea8f9f713dbc38f3d65655f36d8decb2ac0ba393db6391ece57c652bb45d

Download Submit
C:\Windows\{5C9F0DB6-E598-4714-96A6-EB234E89E34C}.exe

Filesize
408KB

MD5
7c1b6fd2f993148fd5acee15adff1300

SHA1
849002d661ce71c021ed49adfe291c3dabd3ab02

SHA256
4ca1dd3f3eb0612fdfabf24835fa9534f1801c85c2982872a6b925465119eb85

SHA512
55414206758ed478a37da53a9062180e3a16cf8e9c8281ffc189e20c9b6ffc1f17596a6698bbe33374e824ad32fc57cec1c8021dec8e2abee2313621f43a26e8

Download Submit
C:\Windows\{5DDAF94F-2556-4445-8D16-5EF01477C720}.exe

Filesize
408KB

MD5
eb75696f79bb5a9e00c593f144046dbc

SHA1
8c1879302077a287480896abb614054230181f40

SHA256
18f2f781a03d9bb41b8719578ff37cdc438a7e772bbf36d68e3e7590f07e9638

SHA512
bf7fed46b576c1b2fa47b50255f4f2be8df1ed3fb47c4dc96cf1b1484558ed427b9db5a4fea90455c2837df6ba5dd351b1db8d3a85f64694820b4a8176227565

Download Submit
C:\Windows\{7B1D3533-E70C-462e-8EEF-54AA6164B9E1}.exe

Filesize
408KB

MD5
c358c3ebab187aca54620d75f6e21271

SHA1
640ea0a4e604e7963e0b96bcb75de7dcd144bcf7

SHA256
032404ee71bf942ba9fd81324282c8e0470519192eb5f0e4ef7263f5d44ebb2d

SHA512
91b75b040762330544da7d032c49f866d752dd6af61179881c2a7f9a82550ea2d8d8f52aa07a30ad5c504b818dfffb04ee3679079935eac96533aa579ae09b57

Download Submit
C:\Windows\{982D033A-4966-405c-A469-4FC99428B128}.exe

Filesize
408KB

MD5
518d225ca22ac71e754ecbe2dee350e0

SHA1
7b9ef847f81e4424b0381cfa09477021878211cf

SHA256
2ef17f8fc041ff68e045baedef9c3122d5ea720923fb0102c44b16844cd66381

SHA512
750ce9409c295d9f582101168653861f697a447f5df35aadca4144ba578e740d3bb0383913d5441ca0f466ec5fb620cd699b397f141318b8200cd37b834e73e3

Download Submit
C:\Windows\{B56EE234-95EA-4a1f-819A-BE0B55612840}.exe

Filesize
408KB

MD5
bf9d58d269955757d3947a86cceb16f0

SHA1
37bbc45d9ddd41f890b7f33f15427acf4e3a2011

SHA256
ee731c423a19fea8c2323dc30d9c52f6e069f14d6d4d0fd67f4b47d7bbde4d32

SHA512
e14ddd705656ed1e9fcd7fcd057854358836367bbbe2ba31568783ea527cc0971e2f3789f2284e1729aafdbb1b1f71824cebfe9da43a8e91935b41b255cd6de0

Download Submit
C:\Windows\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe

Filesize
403KB

MD5
640273ffe6e047d2c10fc878354d8ae9

SHA1
c09d7e5a484ad6dbe920878f47a673cc04781204

SHA256
c9155381a8568abc01d32d454bf7438dc724eda529296354f921f99f8099f098

SHA512
9216b4a826de5755a5c443c7b422d7702921e1325c0edc6a77eee2a8e1c9361e2c641452ba1ea613d1c180f76afd8d55954a4d438b69215bec339e0b2f8deff8

Download Submit
C:\Windows\{C074DC76-6206-4983-992F-8A0E16ADD6ED}.exe

Filesize
326KB

MD5
a60004ffcea1b28c292be774dcebe4b0

SHA1
2ad013eaa21704eaf808f27635e245fc9bc9a803

SHA256
7b6e7dc372dae047ca5946af8ce42edd47c9ef84eaad119582e0e4c4c7128ec4

SHA512
1fd4f1c2792f724b9b275bf3b320d6c88c207c87064ed587567e6c7f4e4232a8af48387f8cc4b987d31da52400242dcb2b6642f2a8a3c494aa56d41c7df823bd

Download Submit
C:\Windows\{D770E384-4108-43fb-A96D-F99084DAD254}.exe

Filesize
408KB

MD5
cbd07f8ce34f20348e138ab4b08d5978

SHA1
9ea8762d8ff50978b6635f013957bbc682d520ca

SHA256
6a51065ce17c00fe18111d2840050f5da3968004f1290971f3839e72eca644ee

SHA512
6ae9c85b004f6eafce1c1a092fd6f7ac751608347492c930c59ee4c1025a9cfde8dd21e18c2288f163f6ab18c711a7465f115583a47762fdc0ec1c6496b41bfe

Download Submit
C:\Windows\{E58100BC-8D3F-4a48-8C13-40BB2D9963D8}.exe

Filesize
408KB

MD5
cab60e2faeb8cef5a507d4350d391799

SHA1
6e666d93d89a15925ddcff5686840f2ad8684f53

SHA256
a4027eaf2234025b8572a2e43d7d4376b4b92d4f648e4b586e45a5829293f555

SHA512
146965bde9675093cb54e20bb325fe082be9f7005d28d77696d25cac8f08e2d7b90d861e82b836ba954a40ca2241fb30d0cb1f9374d919b16d2fdf8f98ea34bf

Download Submit
C:\Windows\{FFFCA928-7B7C-4e00-88BC-EB4215F24171}.exe

Filesize
408KB

MD5
7782cf5e03d322c0dff0b9fe450bb04e

SHA1
9020c9ebb7bc132e5732ee3b89c77b06b0b08f07

SHA256
1f6f7163e9497f47f5661233f0bc31efd4a3bb1a68093f29ee2aefc36e4dc3a6

SHA512
df5dfeb0ec55bde61a156d9fd38cecb87e18c3233bb81bf3bfcb7bf13efe1afaa9d88d66cba03cfb0c7ddbf7a749ca374056fe2c8510b1dbdcfebc0ba1109e06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads