2be2af95d009ff1a3f02f970b0a61f4d366fcfc7d16e294461b5308b406874e3

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Size

216KB
MD5

330dd73facdc2b18c38725b1ae19561c
SHA1

b877298cf2d39e029a05723b512373e0d44b2c8d
SHA256

2be2af95d009ff1a3f02f970b0a61f4d366fcfc7d16e294461b5308b406874e3
SHA512

3e6cfca8f064c41612be91045a53ddd542103fe5087aa9e396996fbbdc95df754cbcca6df4cf07d6760acaea8a37d528697a40225804eabf4b3d97657083cf53
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGQlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012259-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000144b8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012259-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012259-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012259-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012259-60.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012259-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}\stubpath = "C:\\Windows\\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe"	{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}\stubpath = "C:\\Windows\\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe"	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63132766-0E59-4e37-8025-2025E120B4BC}\stubpath = "C:\\Windows\\{63132766-0E59-4e37-8025-2025E120B4BC}.exe"	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}\stubpath = "C:\\Windows\\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe"	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{435D932F-F800-4445-B465-F2CDE36F29D7}	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}\stubpath = "C:\\Windows\\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe"	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}	{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050A79CB-E7E7-4b01-B251-97968B357AAE}\stubpath = "C:\\Windows\\{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe"	{63132766-0E59-4e37-8025-2025E120B4BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}\stubpath = "C:\\Windows\\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe"	{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}\stubpath = "C:\\Windows\\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe"	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{435D932F-F800-4445-B465-F2CDE36F29D7}\stubpath = "C:\\Windows\\{435D932F-F800-4445-B465-F2CDE36F29D7}.exe"	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}\stubpath = "C:\\Windows\\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe"	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63132766-0E59-4e37-8025-2025E120B4BC}	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{050A79CB-E7E7-4b01-B251-97968B357AAE}	{63132766-0E59-4e37-8025-2025E120B4BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3A4265-079E-41d9-B956-E36CB6003643}	{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3A4265-079E-41d9-B956-E36CB6003643}\stubpath = "C:\\Windows\\{FA3A4265-079E-41d9-B956-E36CB6003643}.exe"	{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}	{FA3A4265-079E-41d9-B956-E36CB6003643}.exe

Executes dropped EXE 11 IoCs

pid	Process
852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe
2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
1668	{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
2920	{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
1220	{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
1472	{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
File created	C:\Windows\{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	{63132766-0E59-4e37-8025-2025E120B4BC}.exe
File created	C:\Windows\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
File created	C:\Windows\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe	{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
File created	C:\Windows\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe	{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
File created	C:\Windows\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
File created	C:\Windows\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
File created	C:\Windows\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
File created	C:\Windows\{63132766-0E59-4e37-8025-2025E120B4BC}.exe	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
File created	C:\Windows\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
File created	C:\Windows\{FA3A4265-079E-41d9-B956-E36CB6003643}.exe	{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
Token: SeIncBasePriorityPrivilege	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
Token: SeIncBasePriorityPrivilege	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
Token: SeIncBasePriorityPrivilege	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
Token: SeIncBasePriorityPrivilege	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe
Token: SeIncBasePriorityPrivilege	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
Token: SeIncBasePriorityPrivilege	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
Token: SeIncBasePriorityPrivilege	1668	{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
Token: SeIncBasePriorityPrivilege	2920	{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
Token: SeIncBasePriorityPrivilege	1220	{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 852	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	28
PID 2368 wrote to memory of 852	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	28
PID 2368 wrote to memory of 852	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	28
PID 2368 wrote to memory of 852	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	28
PID 2368 wrote to memory of 2312	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	29
PID 2368 wrote to memory of 2312	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	29
PID 2368 wrote to memory of 2312	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	29
PID 2368 wrote to memory of 2312	2368	2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe	29
PID 852 wrote to memory of 2528	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	30
PID 852 wrote to memory of 2528	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	30
PID 852 wrote to memory of 2528	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	30
PID 852 wrote to memory of 2528	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	30
PID 852 wrote to memory of 2504	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	31
PID 852 wrote to memory of 2504	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	31
PID 852 wrote to memory of 2504	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	31
PID 852 wrote to memory of 2504	852	{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe	31
PID 2528 wrote to memory of 2512	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	32
PID 2528 wrote to memory of 2512	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	32
PID 2528 wrote to memory of 2512	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	32
PID 2528 wrote to memory of 2512	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	32
PID 2528 wrote to memory of 2728	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	33
PID 2528 wrote to memory of 2728	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	33
PID 2528 wrote to memory of 2728	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	33
PID 2528 wrote to memory of 2728	2528	{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe	33
PID 2512 wrote to memory of 2908	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	36
PID 2512 wrote to memory of 2908	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	36
PID 2512 wrote to memory of 2908	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	36
PID 2512 wrote to memory of 2908	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	36
PID 2512 wrote to memory of 1420	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	37
PID 2512 wrote to memory of 1420	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	37
PID 2512 wrote to memory of 1420	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	37
PID 2512 wrote to memory of 1420	2512	{435D932F-F800-4445-B465-F2CDE36F29D7}.exe	37
PID 2908 wrote to memory of 2584	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	38
PID 2908 wrote to memory of 2584	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	38
PID 2908 wrote to memory of 2584	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	38
PID 2908 wrote to memory of 2584	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	38
PID 2908 wrote to memory of 1916	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	39
PID 2908 wrote to memory of 1916	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	39
PID 2908 wrote to memory of 1916	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	39
PID 2908 wrote to memory of 1916	2908	{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe	39
PID 2584 wrote to memory of 2640	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	40
PID 2584 wrote to memory of 2640	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	40
PID 2584 wrote to memory of 2640	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	40
PID 2584 wrote to memory of 2640	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	40
PID 2584 wrote to memory of 2032	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	41
PID 2584 wrote to memory of 2032	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	41
PID 2584 wrote to memory of 2032	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	41
PID 2584 wrote to memory of 2032	2584	{63132766-0E59-4e37-8025-2025E120B4BC}.exe	41
PID 2640 wrote to memory of 2784	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	42
PID 2640 wrote to memory of 2784	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	42
PID 2640 wrote to memory of 2784	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	42
PID 2640 wrote to memory of 2784	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	42
PID 2640 wrote to memory of 2720	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	43
PID 2640 wrote to memory of 2720	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	43
PID 2640 wrote to memory of 2720	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	43
PID 2640 wrote to memory of 2720	2640	{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe	43
PID 2784 wrote to memory of 1668	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	44
PID 2784 wrote to memory of 1668	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	44
PID 2784 wrote to memory of 1668	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	44
PID 2784 wrote to memory of 1668	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	44
PID 2784 wrote to memory of 1680	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	45
PID 2784 wrote to memory of 1680	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	45
PID 2784 wrote to memory of 1680	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	45
PID 2784 wrote to memory of 1680	2784	{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_330dd73facdc2b18c38725b1ae19561c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
  C:\Windows\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
    C:\Windows\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
      C:\Windows\{435D932F-F800-4445-B465-F2CDE36F29D7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
        
        C:\Windows\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\{63132766-0E59-4e37-8025-2025E120B4BC}.exe
        
        C:\Windows\{63132766-0E59-4e37-8025-2025E120B4BC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
        
        C:\Windows\{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
        
        C:\Windows\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
        
        C:\Windows\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
        
        C:\Windows\{FA3A4265-079E-41d9-B956-E36CB6003643}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
        
        C:\Windows\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe
        
        C:\Windows\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF7F7~1.EXE > nul
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA3A4~1.EXE > nul
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB429~1.EXE > nul
        10⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{215BD~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{050A7~1.EXE > nul
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63132~1.EXE > nul
        7⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC17~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{435D9~1.EXE > nul
        5⤵
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1999~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{57C5E~1.EXE > nul
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{050A79CB-E7E7-4b01-B251-97968B357AAE}.exe

Filesize
216KB

MD5
c2a6cd4f6ddb116938a00144d6f3fb5d

SHA1
16389affb1ec0da997681277607d50d0cda8a766

SHA256
d01305aa17e7fba086b58b7520ad4100b59b546177b28f341fee1e6f6eb9eeb9

SHA512
ccb24344bb63d379126e95d5fb5836c56db6fced2fc79b458005a855099c2a35e4dd08bc24a10077afe414639c869c9b01aa69c6b09987c76f28be535c65d67a

Download Submit
C:\Windows\{215BD7DA-98F2-4dad-A1F3-FF59025F1EF2}.exe

Filesize
216KB

MD5
865bc02990104d9acec5a24ce29b2b8a

SHA1
9d0012a808e6776064488724e0ccc37ddbf3e162

SHA256
e9890c251d39094a440a3046fc566329c58916f0a57b2310a9d96b6acb68fe21

SHA512
f3919f1b6ffa18e599dc025c236531ef43b4add0b7d0b160d773c34fac8cc0861210016d7479233f1f8cf4312e20bbd8c86163a0f87ff242e68c23d3f946937a

Download Submit
C:\Windows\{3A3EE5EA-B83E-4bde-8AAB-C592D873EB79}.exe

Filesize
216KB

MD5
0836d0d083b63d32a67bba3c4e2d05e5

SHA1
1a2af2702f17b5944b8d360a7c38e94e512ef351

SHA256
7e25e1db20147b22ca28e58b18d7e83532dd8133004a614e10c72f3e29b0ea8f

SHA512
200100129bcb783451ac6eeaf502cbdaf240f357bcf94ffd4d149b421f2d38165dd97e616a1b7f66d8464ba4cac08990766eb93027b3d53025997709fc8b468c

Download Submit
C:\Windows\{435D932F-F800-4445-B465-F2CDE36F29D7}.exe

Filesize
216KB

MD5
c1ce692a0d50d1897e7eccc1e185b059

SHA1
400196bca57e4179ff20878d38220e802fe7da0d

SHA256
0197f002a1b09df54f24fc98aa0b7bd3345c53c9ae18ada8e9bb38feff6b247c

SHA512
7cef25bd22413c1f9f411de7b9b229feba5e4411fa0f36bfc4aa5b593fb20d717689484eaca65dd7c9171fea8f3e5210e7615c09fda1cb08a1c3481a7f21e86d

Download Submit
C:\Windows\{57C5E21D-DCBD-4319-943D-D17FF6884DDB}.exe

Filesize
216KB

MD5
295fc94a32cf3ed0305820ef851a7359

SHA1
5ad545bdc455efb45cb0cd2960f6846616640072

SHA256
96446fb1bc08ea645b11876108d697291e8de3126f687cd78fa3cd64e22d6670

SHA512
6c8bd70f099c20b52ef0f8f0c403a78e18f966999ea89002ec65510cada9c607959e36e2bc3f33c758faffacea5a8b96f8cdf78379e97cca392aad91e149a8a7

Download Submit
C:\Windows\{63132766-0E59-4e37-8025-2025E120B4BC}.exe

Filesize
216KB

MD5
c413cca7f85ef3a785f3e9efe6f4735a

SHA1
0a85379912a4e6d70964dbbdecc6b80f7cbbdae1

SHA256
a452076697c2188d0b1d1fdef8339c2af4210daae45750fce4656c743906941a

SHA512
aacc750115ae203565887b95dea9ea9859807c183d1523b98e2afabfe0dc66741e0782a6f89cb9dcaace58fc2a42a2878c031ca410e0d03278f76e19ce7dcaf9

Download Submit
C:\Windows\{AB429DA7-5EDC-4608-865E-2FAE6071CAA5}.exe

Filesize
216KB

MD5
9d60f60446a9fdab105423b807e4b16d

SHA1
b7e160d8e5a8610998f40f77f634ae0c594dfa56

SHA256
8be290ba3293e6083788110ca51d6889c47a2edad843d5b81aa1408b9e4aedcd

SHA512
b13d5d574de9f23795217b317e73e37574d790e8564c0cc9223718816345207de265dc5e363a25fd851845107ed557486f43211689b138e8282324742010ef50

Download Submit
C:\Windows\{AEC1781D-2CEB-4b72-9620-C77CF5179CDA}.exe

Filesize
216KB

MD5
d7892fb8ef22ab480c678e1c5b221ee4

SHA1
4ff85a677853939979d6869e98956a52d977cb1f

SHA256
d3a159a30295089c751d3e08595a1616d3a5a663d5a71c51163164dca22a51f9

SHA512
2e48526b3a5186d1cd259eda291e258579db2876ffc50a6dd5db5028841f68eb75b57f80af9e0e8c39c195a5aa032225562dfede698764c020bc53d9df56e037

Download Submit
C:\Windows\{AF7F7340-552D-4c41-ADB8-E67E15EEB0CD}.exe

Filesize
216KB

MD5
481e94efe635bcb39fbb0d466dac73cb

SHA1
b750c0ec89922f5110b498204bb0ffd82f3379ef

SHA256
d111d37147a1ce7237fc1459de5d2dccc7abbfd11d346ed3d890085dd82c33cf

SHA512
64aa7ff0a9a6f3c9dd5784d512f97b8acd31a02a981a9da4834e8ad7f2f48a11330bdc2720abaac5d4ab378d0173263c8952a9d9aa2413d2b0dafb8fb6fb0dab

Download Submit
C:\Windows\{B1999001-DCEA-429e-80D2-7EBF398FCF4C}.exe

Filesize
216KB

MD5
fbcafea7dc070b32a37e5dbdd554aaa4

SHA1
fd1c6138791e5c3a3bf0e224c75a63f500c750a2

SHA256
00ceb36fce691546da93d03d432d736691194e69054c4eb6d36fb4b926d6741a

SHA512
6feaed58d3d7ba7bccc80f40819a76b60334c517e55474b87a1cf2466881f4bc7e5627436c09500c0494235fc2c11728c187de601f08e4037a94eb736d9502c6

Download Submit
C:\Windows\{FA3A4265-079E-41d9-B956-E36CB6003643}.exe

Filesize
216KB

MD5
a6970ff3ac70c6990368c6eeb2ac20ae

SHA1
7a55f5bd5742bd8bda7b1573ff053ea247b172ce

SHA256
8427e2d8dbcb4b2245e7a5efdec77c83019def10092be2bfd76b21f1732d5d6d

SHA512
f667c93c99b69c5ba9361d5acc45721467025ec7eed1244c65fdf5d970611cad29d9d915f5d59fbd6f1fa933ddd7256c64e9f28eeb8ae382834dbc0eb2ad868b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads