1db6972133a60dd292868216b8b8dbfd383540092088609fe8f3e9c978636ef1

Analysis

max time kernel
174s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Size

180KB
MD5

ca9f6bdece87de190988dcd214e5634c
SHA1

ae4fbc94c51dc80b11496613cf6c2171edbe9428
SHA256

1db6972133a60dd292868216b8b8dbfd383540092088609fe8f3e9c978636ef1
SHA512

72483505fd70112d38ca3010a9fc2cd5c29cddde7cd1a065a691a09d23be46699fe5fc956c84cb6416575ede77da0fbdb3f5d3bbe6018b1f1e6d5ce25943c1ff
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGdl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023200-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023208-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023213-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023208-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000000037-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}	{2A659760-526B-4202-B696-21B5DB602D31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54469100-0B30-44bf-A95F-CF485A84534B}	{3D45A126-8324-4f59-BC19-D8467096527A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}\stubpath = "C:\\Windows\\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe"	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40265D30-05BD-4b5d-92FF-91696223F878}	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}\stubpath = "C:\\Windows\\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe"	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43355F3F-4A55-4896-A8B0-076C6136B120}\stubpath = "C:\\Windows\\{43355F3F-4A55-4896-A8B0-076C6136B120}.exe"	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54469100-0B30-44bf-A95F-CF485A84534B}\stubpath = "C:\\Windows\\{54469100-0B30-44bf-A95F-CF485A84534B}.exe"	{3D45A126-8324-4f59-BC19-D8467096527A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{128CECAA-90BF-4b96-85A4-84B47C1FB523}\stubpath = "C:\\Windows\\{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe"	{54469100-0B30-44bf-A95F-CF485A84534B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40265D30-05BD-4b5d-92FF-91696223F878}\stubpath = "C:\\Windows\\{40265D30-05BD-4b5d-92FF-91696223F878}.exe"	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A659760-526B-4202-B696-21B5DB602D31}	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A659760-526B-4202-B696-21B5DB602D31}\stubpath = "C:\\Windows\\{2A659760-526B-4202-B696-21B5DB602D31}.exe"	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}\stubpath = "C:\\Windows\\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe"	{2A659760-526B-4202-B696-21B5DB602D31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EE31C7-6541-487b-8892-9669847F063B}	{40265D30-05BD-4b5d-92FF-91696223F878}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EE31C7-6541-487b-8892-9669847F063B}\stubpath = "C:\\Windows\\{54EE31C7-6541-487b-8892-9669847F063B}.exe"	{40265D30-05BD-4b5d-92FF-91696223F878}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}\stubpath = "C:\\Windows\\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe"	{54EE31C7-6541-487b-8892-9669847F063B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43355F3F-4A55-4896-A8B0-076C6136B120}	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{128CECAA-90BF-4b96-85A4-84B47C1FB523}	{54469100-0B30-44bf-A95F-CF485A84534B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}	{54EE31C7-6541-487b-8892-9669847F063B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D45A126-8324-4f59-BC19-D8467096527A}	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D45A126-8324-4f59-BC19-D8467096527A}\stubpath = "C:\\Windows\\{3D45A126-8324-4f59-BC19-D8467096527A}.exe"	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe

Executes dropped EXE 11 IoCs

pid	Process
5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe
2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe
3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe
4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe
3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe
1036	{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2A659760-526B-4202-B696-21B5DB602D31}.exe	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
File created	C:\Windows\{3D45A126-8324-4f59-BC19-D8467096527A}.exe	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
File created	C:\Windows\{54469100-0B30-44bf-A95F-CF485A84534B}.exe	{3D45A126-8324-4f59-BC19-D8467096527A}.exe
File created	C:\Windows\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
File created	C:\Windows\{40265D30-05BD-4b5d-92FF-91696223F878}.exe	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
File created	C:\Windows\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	{54EE31C7-6541-487b-8892-9669847F063B}.exe
File created	C:\Windows\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
File created	C:\Windows\{54EE31C7-6541-487b-8892-9669847F063B}.exe	{40265D30-05BD-4b5d-92FF-91696223F878}.exe
File created	C:\Windows\{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
File created	C:\Windows\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	{2A659760-526B-4202-B696-21B5DB602D31}.exe
File created	C:\Windows\{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe	{54469100-0B30-44bf-A95F-CF485A84534B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
Token: SeIncBasePriorityPrivilege	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe
Token: SeIncBasePriorityPrivilege	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe
Token: SeIncBasePriorityPrivilege	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
Token: SeIncBasePriorityPrivilege	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
Token: SeIncBasePriorityPrivilege	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
Token: SeIncBasePriorityPrivilege	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe
Token: SeIncBasePriorityPrivilege	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
Token: SeIncBasePriorityPrivilege	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe
Token: SeIncBasePriorityPrivilege	3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 5108	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	91
PID 4744 wrote to memory of 5108	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	91
PID 4744 wrote to memory of 5108	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	91
PID 4744 wrote to memory of 2696	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	92
PID 4744 wrote to memory of 2696	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	92
PID 4744 wrote to memory of 2696	4744	2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe	92
PID 5108 wrote to memory of 3448	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	95
PID 5108 wrote to memory of 3448	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	95
PID 5108 wrote to memory of 3448	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	95
PID 5108 wrote to memory of 2480	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	96
PID 5108 wrote to memory of 2480	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	96
PID 5108 wrote to memory of 2480	5108	{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe	96
PID 3448 wrote to memory of 2628	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	98
PID 3448 wrote to memory of 2628	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	98
PID 3448 wrote to memory of 2628	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	98
PID 3448 wrote to memory of 5104	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	99
PID 3448 wrote to memory of 5104	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	99
PID 3448 wrote to memory of 5104	3448	{40265D30-05BD-4b5d-92FF-91696223F878}.exe	99
PID 2628 wrote to memory of 3692	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	103
PID 2628 wrote to memory of 3692	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	103
PID 2628 wrote to memory of 3692	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	103
PID 2628 wrote to memory of 2096	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	104
PID 2628 wrote to memory of 2096	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	104
PID 2628 wrote to memory of 2096	2628	{54EE31C7-6541-487b-8892-9669847F063B}.exe	104
PID 3692 wrote to memory of 2116	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	105
PID 3692 wrote to memory of 2116	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	105
PID 3692 wrote to memory of 2116	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	105
PID 3692 wrote to memory of 2424	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	106
PID 3692 wrote to memory of 2424	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	106
PID 3692 wrote to memory of 2424	3692	{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe	106
PID 2116 wrote to memory of 1556	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	107
PID 2116 wrote to memory of 1556	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	107
PID 2116 wrote to memory of 1556	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	107
PID 2116 wrote to memory of 4832	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	108
PID 2116 wrote to memory of 4832	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	108
PID 2116 wrote to memory of 4832	2116	{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe	108
PID 1556 wrote to memory of 4296	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	109
PID 1556 wrote to memory of 4296	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	109
PID 1556 wrote to memory of 4296	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	109
PID 1556 wrote to memory of 4292	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	110
PID 1556 wrote to memory of 4292	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	110
PID 1556 wrote to memory of 4292	1556	{43355F3F-4A55-4896-A8B0-076C6136B120}.exe	110
PID 4296 wrote to memory of 4540	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	111
PID 4296 wrote to memory of 4540	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	111
PID 4296 wrote to memory of 4540	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	111
PID 4296 wrote to memory of 244	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	112
PID 4296 wrote to memory of 244	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	112
PID 4296 wrote to memory of 244	4296	{2A659760-526B-4202-B696-21B5DB602D31}.exe	112
PID 4540 wrote to memory of 560	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	114
PID 4540 wrote to memory of 560	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	114
PID 4540 wrote to memory of 560	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	114
PID 4540 wrote to memory of 2240	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	115
PID 4540 wrote to memory of 2240	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	115
PID 4540 wrote to memory of 2240	4540	{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe	115
PID 560 wrote to memory of 3156	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	116
PID 560 wrote to memory of 3156	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	116
PID 560 wrote to memory of 3156	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	116
PID 560 wrote to memory of 5024	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	117
PID 560 wrote to memory of 5024	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	117
PID 560 wrote to memory of 5024	560	{3D45A126-8324-4f59-BC19-D8467096527A}.exe	117
PID 3156 wrote to memory of 1036	3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe	118
PID 3156 wrote to memory of 1036	3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe	118
PID 3156 wrote to memory of 1036	3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe	118
PID 3156 wrote to memory of 4092	3156	{54469100-0B30-44bf-A95F-CF485A84534B}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_ca9f6bdece87de190988dcd214e5634c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
  C:\Windows\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\{40265D30-05BD-4b5d-92FF-91696223F878}.exe
    C:\Windows\{40265D30-05BD-4b5d-92FF-91696223F878}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\{54EE31C7-6541-487b-8892-9669847F063B}.exe
      C:\Windows\{54EE31C7-6541-487b-8892-9669847F063B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
        
        C:\Windows\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
        
        C:\Windows\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
        
        C:\Windows\{43355F3F-4A55-4896-A8B0-076C6136B120}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{2A659760-526B-4202-B696-21B5DB602D31}.exe
        
        C:\Windows\{2A659760-526B-4202-B696-21B5DB602D31}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
        
        C:\Windows\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{3D45A126-8324-4f59-BC19-D8467096527A}.exe
        
        C:\Windows\{3D45A126-8324-4f59-BC19-D8467096527A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\{54469100-0B30-44bf-A95F-CF485A84534B}.exe
        
        C:\Windows\{54469100-0B30-44bf-A95F-CF485A84534B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe
        
        C:\Windows\{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe
        12⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54469~1.EXE > nul
        12⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D45A~1.EXE > nul
        11⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E13C5~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A659~1.EXE > nul
        9⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43355~1.EXE > nul
        8⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2376~1.EXE > nul
        7⤵
        
        PID:4832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DAEE~1.EXE > nul
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54EE3~1.EXE > nul
        5⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{40265~1.EXE > nul
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB848~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{128CECAA-90BF-4b96-85A4-84B47C1FB523}.exe

Filesize
180KB

MD5
bca65f55e0600d47cf88bced73092b1e

SHA1
9cbc5c49955d44d2334eadf20547e71aa8a7d397

SHA256
aafb02b8a904d6cd448c5a84cf40b3efba4a4362c0739a78356fac2f2e78d1c7

SHA512
724f251362a87b89ce455a61dc9e4b221dc6b7b707a1101a506f05aebedcffbc722605e6218322edfd1a22a7d901d1e5c57c10b898190587880710669fd2abae

Download Submit
C:\Windows\{2A659760-526B-4202-B696-21B5DB602D31}.exe

Filesize
180KB

MD5
1a1d2575182c8042ca8419c438ebd618

SHA1
0c322a43390c3b03c847c48c56c4523d56b77ef3

SHA256
c25e13c171db61d14b6ad413419ff83ecf9d0c2877694a5967b85094114dc2a3

SHA512
4fd325e291635830418efeff73b26b293c030a0bae40f2f2dc6ffdbf8b0585e27e00de333afd098950da26a402d8e72004326a5d423e86613756b3ea173483fc

Download Submit
C:\Windows\{2DAEE749-54C8-4a26-B656-AA3A8A8C7ED1}.exe

Filesize
180KB

MD5
d5635bb29732f45aa837f04e0dbd9c08

SHA1
52471371647e341e219817ffe44a275cfd7b02ee

SHA256
c680498669ac64f2725ae3a4d3b982cae85c1026b597526fb69d705d6da7f7d9

SHA512
70b5b865586d4d0716185b7ede912f972cd2af4e44b5b5b5413e4d6c147731a8c390cd2e6cb3c8689f67339309d1ecf0043dbf58120405bf4f5e5377b2e5c674

Download Submit
C:\Windows\{3D45A126-8324-4f59-BC19-D8467096527A}.exe

Filesize
180KB

MD5
d40565615c7f03686f3f226043ad9f3a

SHA1
e26f1f061c40bd320e15d1df9dd5c0ee68adaf4d

SHA256
0d2f9b02792279b2de26524ebe6946d2f07c34d04966772990128a806eb6db76

SHA512
2ec7dadc13ade49584a86b56a9f825822f55529f387487a444a9d0987b03392d4cff818f66d1a1d223d9251f061cd937ea5bcb0d9e82652c6fcfb755fa5264e9

Download Submit
C:\Windows\{40265D30-05BD-4b5d-92FF-91696223F878}.exe

Filesize
180KB

MD5
966385a5a5fe717d140df99031f7e2e3

SHA1
815ee59ff80f573c04fdfd1ffa5ac394b2358147

SHA256
504bf5ec503b9f543a31d85411749f89d0d31d1e191c70c58fc6834644335ea0

SHA512
a23f09449a53eefa957ee44a6a9cc0bcd7c5b310e1751359ca6ae39cb1c8a09f1bb054aafee0f892ae541f5f2bd0eeef81941620b223c4fa032d8b164bc55cd7

Download Submit
C:\Windows\{43355F3F-4A55-4896-A8B0-076C6136B120}.exe

Filesize
180KB

MD5
f0a8eee5cf5b3a51e14322b8e85f30c5

SHA1
27e67cb0514761bc4df606c4ca69eaa1184b9738

SHA256
163845fe3766dcf620eaf7aef62824bf3ce0de2f8b0db0b81cc90e77c1cabd5d

SHA512
67f7bb9d09ac107617fd1679be4658945c63d0474bfba889143088600a921b74355b4a25e6ee8b53b92425068c567d7a2d997d8211e080ed33b1ebe628c71277

Download Submit
C:\Windows\{54469100-0B30-44bf-A95F-CF485A84534B}.exe

Filesize
180KB

MD5
fd75cefe43fd086c4cfcc52ec27f35f2

SHA1
412f6b790bcfbd93b79402c246a1928ff70e1c8d

SHA256
35e597eefd1eee66fd1ec0c7e21b24c2cfc54c9f2d0ab688dae0ce359bf37c7d

SHA512
2b941e4e4d7668363d8de01be60ae5158e799c013f50d7c260e7519d2536f856867f109857961dfa2510ac4464d6706f9d53daba3659e5058680cc401262010c

Download Submit
C:\Windows\{54EE31C7-6541-487b-8892-9669847F063B}.exe

Filesize
180KB

MD5
18cbb89fe11dd5f6674a6b9d485c872a

SHA1
caf6a999cba9a984b84d2da137a2e1dd105cb07a

SHA256
4dfcf838955e38d9df1c48b60a01fdd11d6da88bb933856dd66dc5449206efad

SHA512
818adc0f423cadbd105c4dddaac18282075269d2dc1b372fd6ff107f3d652f4bf635e9e398381868098127be82b422e9e722f5568aba3cbe1c741bd3abe8ae68

Download Submit
C:\Windows\{A237620A-B8E9-408a-9B00-7E7677B0AE9A}.exe

Filesize
180KB

MD5
8a2a87b3bd714cec343e19e7a62cf736

SHA1
9861814005d607c2635b334d849b9f7e69ac1dd2

SHA256
0cb07fc606361e438a47fde73ec9514b6edda234bfac3aa8caf3dba70f331c56

SHA512
0c7f3ff9b2f2ebc8ffd5d40379558726e528ee49ccb6193e34f89f1029bfe947cb34ce75ec0c3edb1c60a805f467a06b1c524581e2cbc876a9fac719d20bcd2c

Download Submit
C:\Windows\{BB848353-B85D-4c69-BC4E-FA343AEB1DB9}.exe

Filesize
180KB

MD5
ab01fd4b026ec4aa43b981a856bc1251

SHA1
b5a9c2ecd8263d71dbca4df6a1bf73977fcd6fee

SHA256
8f662803b433d6864fd0a14c14b69adf7f9f5bd680b3841916f7d9c8419a2472

SHA512
cfa1b63f123891fde7d406a53308c6667328e3054f3d8352055a5228d17ad1ab8f18903afa6cb1ca650107f4b227189a8f5a315eaa4fcb5087f0019419dab72c

Download Submit
C:\Windows\{E13C5386-2419-46ea-8291-BDC1EDB0CEBB}.exe

Filesize
180KB

MD5
9aef66db5a674b1df3daa79d7eb18a0e

SHA1
862bd6d2b0218ad7494907dcd4898e680aa3583a

SHA256
48355fee5bd15f1dc4f8a32dfc4af5f3b7473d6dd5d7a65803aa86a131d84dae

SHA512
b5d79aba664a15cb323df4d5d7f886b959d67c24a5b2aaf91670a809a541fa71a7eb46834aaa4a5b8fcba7341afc61469b138117df5691e516e3ee34076ad23d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads