22eb551e10a17923d9f1dadc82a4368348e79d4731ff62dfb4d4875b1ec38fc9

Analysis

max time kernel
168s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Size

408KB
MD5

2a01eda4306ac7376ebdd725380cadce
SHA1

1a5c369374ffa7ef2e870ee034e98c111b9b3959
SHA256

22eb551e10a17923d9f1dadc82a4368348e79d4731ff62dfb4d4875b1ec38fc9
SHA512

51bf8db2ed30df3cbddd5419469fb275e947fe7624e46635869935630cb2d18256edd321a6831bcaf6bc4d1765d670fa3ade4355288a8a724f75bb7190cd5477
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGKldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 9 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f7-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023203-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f7-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022770-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320a-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022770-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022777-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022770-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}\stubpath = "C:\\Windows\\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe"	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9050932D-81DC-4c59-8C97-973712EF2F86}	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}\stubpath = "C:\\Windows\\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe"	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}\stubpath = "C:\\Windows\\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe"	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAFD215-0828-46e9-A074-6B372919C8E4}	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DD09BE-C716-4667-BE93-107C1B2B51C8}\stubpath = "C:\\Windows\\{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe"	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9050932D-81DC-4c59-8C97-973712EF2F86}\stubpath = "C:\\Windows\\{9050932D-81DC-4c59-8C97-973712EF2F86}.exe"	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}\stubpath = "C:\\Windows\\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe"	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DD09BE-C716-4667-BE93-107C1B2B51C8}	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}\stubpath = "C:\\Windows\\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe"	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EAFD215-0828-46e9-A074-6B372919C8E4}\stubpath = "C:\\Windows\\{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe"	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597B265-F952-4f54-BE99-44122EABF8C8}	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597B265-F952-4f54-BE99-44122EABF8C8}\stubpath = "C:\\Windows\\{8597B265-F952-4f54-BE99-44122EABF8C8}.exe"	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe

Executes dropped EXE 9 IoCs

pid	Process
3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe
2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
1364	{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
File created	C:\Windows\{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
File created	C:\Windows\{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
File created	C:\Windows\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
File created	C:\Windows\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
File created	C:\Windows\{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
File created	C:\Windows\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
File created	C:\Windows\{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
File created	C:\Windows\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe
Token: SeIncBasePriorityPrivilege	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
Token: SeIncBasePriorityPrivilege	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
Token: SeIncBasePriorityPrivilege	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
Token: SeIncBasePriorityPrivilege	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
Token: SeIncBasePriorityPrivilege	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
Token: SeIncBasePriorityPrivilege	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
Token: SeIncBasePriorityPrivilege	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3836	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	94
PID 5032 wrote to memory of 3836	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	94
PID 5032 wrote to memory of 3836	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	94
PID 5032 wrote to memory of 2308	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	95
PID 5032 wrote to memory of 2308	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	95
PID 5032 wrote to memory of 2308	5032	2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe	95
PID 3836 wrote to memory of 2816	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	97
PID 3836 wrote to memory of 2816	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	97
PID 3836 wrote to memory of 2816	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	97
PID 3836 wrote to memory of 4316	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	98
PID 3836 wrote to memory of 4316	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	98
PID 3836 wrote to memory of 4316	3836	{8597B265-F952-4f54-BE99-44122EABF8C8}.exe	98
PID 2816 wrote to memory of 876	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	100
PID 2816 wrote to memory of 876	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	100
PID 2816 wrote to memory of 876	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	100
PID 2816 wrote to memory of 3176	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	99
PID 2816 wrote to memory of 3176	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	99
PID 2816 wrote to memory of 3176	2816	{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe	99
PID 876 wrote to memory of 4224	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	101
PID 876 wrote to memory of 4224	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	101
PID 876 wrote to memory of 4224	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	101
PID 876 wrote to memory of 2428	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	102
PID 876 wrote to memory of 2428	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	102
PID 876 wrote to memory of 2428	876	{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe	102
PID 4224 wrote to memory of 708	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	107
PID 4224 wrote to memory of 708	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	107
PID 4224 wrote to memory of 708	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	107
PID 4224 wrote to memory of 4136	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	106
PID 4224 wrote to memory of 4136	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	106
PID 4224 wrote to memory of 4136	4224	{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe	106
PID 708 wrote to memory of 2264	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	108
PID 708 wrote to memory of 2264	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	108
PID 708 wrote to memory of 2264	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	108
PID 708 wrote to memory of 4896	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	109
PID 708 wrote to memory of 4896	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	109
PID 708 wrote to memory of 4896	708	{9050932D-81DC-4c59-8C97-973712EF2F86}.exe	109
PID 2264 wrote to memory of 3056	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	110
PID 2264 wrote to memory of 3056	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	110
PID 2264 wrote to memory of 3056	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	110
PID 2264 wrote to memory of 1116	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	111
PID 2264 wrote to memory of 1116	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	111
PID 2264 wrote to memory of 1116	2264	{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe	111
PID 3056 wrote to memory of 3336	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	112
PID 3056 wrote to memory of 3336	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	112
PID 3056 wrote to memory of 3336	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	112
PID 3056 wrote to memory of 4420	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	113
PID 3056 wrote to memory of 4420	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	113
PID 3056 wrote to memory of 4420	3056	{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe	113
PID 3336 wrote to memory of 1364	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	114
PID 3336 wrote to memory of 1364	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	114
PID 3336 wrote to memory of 1364	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	114
PID 3336 wrote to memory of 3100	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	115
PID 3336 wrote to memory of 3100	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	115
PID 3336 wrote to memory of 3100	3336	{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_2a01eda4306ac7376ebdd725380cadce_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\{8597B265-F952-4f54-BE99-44122EABF8C8}.exe
  C:\Windows\{8597B265-F952-4f54-BE99-44122EABF8C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
    C:\Windows\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{146D6~1.EXE > nul
      4⤵
      PID:3176
  - - C:\Windows\{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
      C:\Windows\{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
        
        C:\Windows\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B83AE~1.EXE > nul
        6⤵
        
        PID:4136
      - C:\Windows\{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
        
        C:\Windows\{9050932D-81DC-4c59-8C97-973712EF2F86}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
        
        C:\Windows\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
        
        C:\Windows\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
        
        C:\Windows\{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe
        
        C:\Windows\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe
        10⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EAFD~1.EXE > nul
        10⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8A35~1.EXE > nul
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F812E~1.EXE > nul
        8⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90509~1.EXE > nul
        7⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24DD0~1.EXE > nul
        5⤵
        
        PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8597B~1.EXE > nul
    3⤵
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{146D6BF8-106F-4db4-94A6-06BF3B4B171B}.exe

Filesize
408KB

MD5
2b4872afc02f5cbd8f82f3ab0e648752

SHA1
8f8a263119cf3226ba9a4780597c60e159d77718

SHA256
d722456fd9c8e302717e0250fd69f82f48ab05c832888b94de8c23eeb2087224

SHA512
ea57416cf42795c749b7bb4b397511ddb3e0662d2aceb339f11060e7042ad0911536e610643c6f95a54c4e6ae629989b587ffdf1865ca9a3c374ae07a6a387ef

Download Submit
C:\Windows\{19DEBAB0-8111-469a-BAC1-35EDEFC89A6B}.exe

Filesize
408KB

MD5
99951ec57f8efc283158291ff4ca4411

SHA1
1d56c31fdbe04b39dbcb6dabf7e7280d8ded1626

SHA256
ae6efd1c75f1654039cb5285ba82351aeec9fb7156a9404c6d456b3eb15fdf0a

SHA512
85dbc8fcc01f84feab74587552306622cb7da9c3fda9ceeb62a6081e64feb1894e546ebee6c246266ba4f8941c664cda179f531a4abb2ec97fc43eb2d1e93818

Download Submit
C:\Windows\{24DD09BE-C716-4667-BE93-107C1B2B51C8}.exe

Filesize
408KB

MD5
45d3af591bce82ee01fa83145daff919

SHA1
7d05003dc0e070f57f4fdd73c6edccd3b5885438

SHA256
e4b83970c2ab6356eb1407ab27ee60bff051a4b7d1dc3c34ef2dc2686f3b9387

SHA512
0485c3ae4a78186848f015da6110175872edfc5203c0aa3189ab58238fd5cbac5748fc7cd04480cd1dda4af6a257d1ad65839abc87dc3d68c7a2ef2ff4c15f23

Download Submit
C:\Windows\{2EAFD215-0828-46e9-A074-6B372919C8E4}.exe

Filesize
408KB

MD5
d95f3e1f292159b26167cc2887cea0d6

SHA1
e0fa5098aa6ab7b070fca041c8d1b20ce6e4a025

SHA256
947d2a4a758b00ab8f34ec50f4f4ea753e4c6107990ef445f6fb9a1d83cf909e

SHA512
63b7bf1db0a148e49811b6f1dfc6944e72e63713e901544b6b7e34ea4dc5d340e636a73d8047a7751d85f488cc33db859bf9cf5f1b24e55f521d0e60646d2acb

Download Submit
C:\Windows\{8597B265-F952-4f54-BE99-44122EABF8C8}.exe

Filesize
408KB

MD5
02f86c81e46311db650dc406fc30d0b9

SHA1
7c695aacaec2219a3229d74f551bc2667b27b766

SHA256
9aac086865603e90f80f76725800d2b78a8c023a240b8c73fe8d2898dc0e7a37

SHA512
df7e52038600339d3c4e33ff28ded8705f0d578ea8a9cd622ba9db7bcb11ed21be5e6d86e104dec0e05104651cb0c9290dae66e24d119825d400753aebacbe3a

Download Submit
C:\Windows\{9050932D-81DC-4c59-8C97-973712EF2F86}.exe

Filesize
408KB

MD5
b34ec2edba56c50c0ed294821237cef8

SHA1
ed2fec600f93cc7697f46ada68fb019849c8d81d

SHA256
7e196bd8e87e30bdce22cf14e9b70a4f18849ad14e3f20edde1ded4bddde1f26

SHA512
d6e8fff435b7b834f9aaa9aed5a18295c6ce9b4daa954ddfcd28273b3b475849867f67c16b0a48d8c2086329da0bf7885a00b142180edeaf700aec71348ed030

Download Submit
C:\Windows\{A8A352A0-29BB-4bcc-BF89-80E21DFA470C}.exe

Filesize
408KB

MD5
734aeecf8f95c3cffd12c9ad65691d29

SHA1
080bc23cc7c9fc8da484b63128844bd5755663b8

SHA256
ea9f26bd04a6c70ab26c3925cd8b6f24385a421d318229098417a4641e1dbd82

SHA512
3e4bc1938ac31d963e78c5479a91818aa6e295fe32c2997d1a043a623e9802fc346b4b984d14cbbc44eb91126c8581df850c02f6f59dde718ce6272787eb23d0

Download Submit
C:\Windows\{B83AE387-2C9C-4b93-968C-9A0082BB4A42}.exe

Filesize
408KB

MD5
6d30efdf324f7a15fef556a540248870

SHA1
cecabe38143af34b2dad5648a676919ff753360e

SHA256
5b4466e88cf0b36868019896bf02a2be9b6ebb170115bc42390acde5563bccaa

SHA512
fa67eb3ead7a320ef33b3cd9fbe44ea263d4b1cb957e1bda528b649e53aac97d20c5b24c0d431951daa79a733f9756e01a53e9e2cc04fa57be6ebcb5316eebf1

Download Submit
C:\Windows\{F812E9A3-A30B-4cb1-A8E8-BA113FFE6CD9}.exe

Filesize
408KB

MD5
6ce5f176603c101b56d897b2e69e2d27

SHA1
6e22fcbff1977db101329d12fa3150e7119e9da3

SHA256
11e896dc01b6f8de7c128b8c09e9d6ea0a6f31623891f0c1983e9252637dfb5b

SHA512
bb832e5b4236663a6455ca0e847e1ffae9132d23167fad41f17e4732ded6d50adc330136c5bce4e8ffd099b43c9cd550e290901893a733885748996cc31070d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads