ff826b09fbc2df8659ddf31569675fcf7948253175110f0abbb6bca4f4bb4543

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
Size

216KB
MD5

97a782d8b0a7402b28c7e618310a8ddc
SHA1

454ca0ba92c192145b9c7bdc12c9ecaf7163f089
SHA256

ff826b09fbc2df8659ddf31569675fcf7948253175110f0abbb6bca4f4bb4543
SHA512

3c6c60edd6b647c28e10ca601362177a6227d6a33de7607c3b9ecd429bdf128dfc8438440f6d9c4d77f0e4ef4f9ce83dc38901baded4893702d13c029745f5a9
SSDEEP

3072:jEGh0oxl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023410-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023418-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023418-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023418-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023418-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023415-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D39377-FB67-4533-953B-2B44AE88272A}	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B02167-6837-497e-9BCD-6CCA522D72B5}\stubpath = "C:\\Windows\\{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe"	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363659BA-6989-49a2-B335-7D9665093567}	{212B4177-74B7-4de3-898F-085B9993D05B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363659BA-6989-49a2-B335-7D9665093567}\stubpath = "C:\\Windows\\{363659BA-6989-49a2-B335-7D9665093567}.exe"	{212B4177-74B7-4de3-898F-085B9993D05B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D39377-FB67-4533-953B-2B44AE88272A}\stubpath = "C:\\Windows\\{C4D39377-FB67-4533-953B-2B44AE88272A}.exe"	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}\stubpath = "C:\\Windows\\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe"	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}\stubpath = "C:\\Windows\\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe"	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F98C5AF-A720-42f9-8ACB-91D684783131}	{363659BA-6989-49a2-B335-7D9665093567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F98C5AF-A720-42f9-8ACB-91D684783131}\stubpath = "C:\\Windows\\{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe"	{363659BA-6989-49a2-B335-7D9665093567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85D94F31-9775-4e6c-B23C-9C01674DF231}\stubpath = "C:\\Windows\\{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe"	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B02167-6837-497e-9BCD-6CCA522D72B5}	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212B4177-74B7-4de3-898F-085B9993D05B}	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{212B4177-74B7-4de3-898F-085B9993D05B}\stubpath = "C:\\Windows\\{212B4177-74B7-4de3-898F-085B9993D05B}.exe"	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51580A4-CFFB-4287-A13C-C3893856587D}	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85D94F31-9775-4e6c-B23C-9C01674DF231}	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51580A4-CFFB-4287-A13C-C3893856587D}\stubpath = "C:\\Windows\\{E51580A4-CFFB-4287-A13C-C3893856587D}.exe"	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}\stubpath = "C:\\Windows\\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe"	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8C35AE-F518-42ec-A416-175928BB0133}	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B8C35AE-F518-42ec-A416-175928BB0133}\stubpath = "C:\\Windows\\{0B8C35AE-F518-42ec-A416-175928BB0133}.exe"	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe

Executes dropped EXE 11 IoCs

pid	Process
2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe
4100	{363659BA-6989-49a2-B335-7D9665093567}.exe
3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe
116	{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
File created	C:\Windows\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
File created	C:\Windows\{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	{363659BA-6989-49a2-B335-7D9665093567}.exe
File created	C:\Windows\{E51580A4-CFFB-4287-A13C-C3893856587D}.exe	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
File created	C:\Windows\{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
File created	C:\Windows\{212B4177-74B7-4de3-898F-085B9993D05B}.exe	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
File created	C:\Windows\{363659BA-6989-49a2-B335-7D9665093567}.exe	{212B4177-74B7-4de3-898F-085B9993D05B}.exe
File created	C:\Windows\{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
File created	C:\Windows\{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
File created	C:\Windows\{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
File created	C:\Windows\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
Token: SeIncBasePriorityPrivilege	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
Token: SeIncBasePriorityPrivilege	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
Token: SeIncBasePriorityPrivilege	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe
Token: SeIncBasePriorityPrivilege	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe
Token: SeIncBasePriorityPrivilege	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
Token: SeIncBasePriorityPrivilege	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
Token: SeIncBasePriorityPrivilege	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
Token: SeIncBasePriorityPrivilege	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
Token: SeIncBasePriorityPrivilege	3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2380	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	89
PID 3336 wrote to memory of 2380	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	89
PID 3336 wrote to memory of 2380	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	89
PID 3336 wrote to memory of 4984	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	90
PID 3336 wrote to memory of 4984	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	90
PID 3336 wrote to memory of 4984	3336	2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe	90
PID 2380 wrote to memory of 1808	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	91
PID 2380 wrote to memory of 1808	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	91
PID 2380 wrote to memory of 1808	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	91
PID 2380 wrote to memory of 4024	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	92
PID 2380 wrote to memory of 4024	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	92
PID 2380 wrote to memory of 4024	2380	{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe	92
PID 1808 wrote to memory of 1076	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	95
PID 1808 wrote to memory of 1076	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	95
PID 1808 wrote to memory of 1076	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	95
PID 1808 wrote to memory of 764	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	96
PID 1808 wrote to memory of 764	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	96
PID 1808 wrote to memory of 764	1808	{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe	96
PID 1076 wrote to memory of 924	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	98
PID 1076 wrote to memory of 924	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	98
PID 1076 wrote to memory of 924	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	98
PID 1076 wrote to memory of 4020	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	99
PID 1076 wrote to memory of 4020	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	99
PID 1076 wrote to memory of 4020	1076	{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe	99
PID 924 wrote to memory of 4100	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	100
PID 924 wrote to memory of 4100	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	100
PID 924 wrote to memory of 4100	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	100
PID 924 wrote to memory of 1556	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	101
PID 924 wrote to memory of 1556	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	101
PID 924 wrote to memory of 1556	924	{212B4177-74B7-4de3-898F-085B9993D05B}.exe	101
PID 4100 wrote to memory of 3204	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	102
PID 4100 wrote to memory of 3204	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	102
PID 4100 wrote to memory of 3204	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	102
PID 4100 wrote to memory of 1040	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	103
PID 4100 wrote to memory of 1040	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	103
PID 4100 wrote to memory of 1040	4100	{363659BA-6989-49a2-B335-7D9665093567}.exe	103
PID 3204 wrote to memory of 2500	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	104
PID 3204 wrote to memory of 2500	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	104
PID 3204 wrote to memory of 2500	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	104
PID 3204 wrote to memory of 4732	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	105
PID 3204 wrote to memory of 4732	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	105
PID 3204 wrote to memory of 4732	3204	{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe	105
PID 2500 wrote to memory of 4448	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	106
PID 2500 wrote to memory of 4448	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	106
PID 2500 wrote to memory of 4448	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	106
PID 2500 wrote to memory of 4380	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	107
PID 2500 wrote to memory of 4380	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	107
PID 2500 wrote to memory of 4380	2500	{0B8C35AE-F518-42ec-A416-175928BB0133}.exe	107
PID 4448 wrote to memory of 1572	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	108
PID 4448 wrote to memory of 1572	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	108
PID 4448 wrote to memory of 1572	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	108
PID 4448 wrote to memory of 3516	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	109
PID 4448 wrote to memory of 3516	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	109
PID 4448 wrote to memory of 3516	4448	{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe	109
PID 1572 wrote to memory of 3848	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	110
PID 1572 wrote to memory of 3848	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	110
PID 1572 wrote to memory of 3848	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	110
PID 1572 wrote to memory of 2628	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	111
PID 1572 wrote to memory of 2628	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	111
PID 1572 wrote to memory of 2628	1572	{C4D39377-FB67-4533-953B-2B44AE88272A}.exe	111
PID 3848 wrote to memory of 116	3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe	112
PID 3848 wrote to memory of 116	3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe	112
PID 3848 wrote to memory of 116	3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe	112
PID 3848 wrote to memory of 2760	3848	{E51580A4-CFFB-4287-A13C-C3893856587D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_97a782d8b0a7402b28c7e618310a8ddc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
  C:\Windows\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
    C:\Windows\{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
      C:\Windows\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\{212B4177-74B7-4de3-898F-085B9993D05B}.exe
        
        C:\Windows\{212B4177-74B7-4de3-898F-085B9993D05B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\{363659BA-6989-49a2-B335-7D9665093567}.exe
        
        C:\Windows\{363659BA-6989-49a2-B335-7D9665093567}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
        
        C:\Windows\{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
        
        C:\Windows\{0B8C35AE-F518-42ec-A416-175928BB0133}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
        
        C:\Windows\{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
        
        C:\Windows\{C4D39377-FB67-4533-953B-2B44AE88272A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{E51580A4-CFFB-4287-A13C-C3893856587D}.exe
        
        C:\Windows\{E51580A4-CFFB-4287-A13C-C3893856587D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe
        
        C:\Windows\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe
        12⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5158~1.EXE > nul
        12⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D39~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85D94~1.EXE > nul
        10⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8C3~1.EXE > nul
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F98C~1.EXE > nul
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36365~1.EXE > nul
        7⤵
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{212B4~1.EXE > nul
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA47~1.EXE > nul
        5⤵
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{28B02~1.EXE > nul
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA32~1.EXE > nul
    3⤵
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B8C35AE-F518-42ec-A416-175928BB0133}.exe

Filesize
216KB

MD5
efd2b9109b2ce9bc7e292b9087d82de4

SHA1
80d53d80a6083820220798824c6be946f1dccda8

SHA256
f7c2ecb79b487da7ab72ef529aaf786363134bdb467d7179503b18ae0068f456

SHA512
05249d302e84efd2b7206cb153b966a81b431685c4b2dc750d529ed6a945e167f209094c1136b57511baf91616933f241ea67830692ad611417670370ce34681

Download Submit
C:\Windows\{1DA32E82-2FF5-4afe-BBAF-83EA858286E8}.exe

Filesize
216KB

MD5
0d7bbb14e097dcf0833d7580c140644b

SHA1
99a2817a4520822cfa7df78461bbfec2c11073f9

SHA256
55368a04a9e1b8b156d9642e1e22d8832cf57bb7e7102496e78a28c45b689447

SHA512
1f1b92809c29fad66d2eb59b194b9f18326537e76ab41a1583a17324202943415d22bcc6b79cec314a89c826fd037bbffb2c74bd0bd0ab8887dcecfb088cd3c4

Download Submit
C:\Windows\{1F98C5AF-A720-42f9-8ACB-91D684783131}.exe

Filesize
216KB

MD5
49ae0ace9e042f5011f8d5c9833465d9

SHA1
2227dc361ac4780ce6181090205fba321fadcbc8

SHA256
950dd9cb679d33ac63de3ce52be0b1f407ff1ca5a1ac76f02c0bc58a8f06a14c

SHA512
aac47b82c4123e1492cb260acd86d1b546963256b9b96c0a01bc9ad7d0b4445f2573a2219a9d787a0cd5df8bb6208a0dc4e655161a02837bca10f099526b5fe9

Download Submit
C:\Windows\{212B4177-74B7-4de3-898F-085B9993D05B}.exe

Filesize
216KB

MD5
6a147d66dc57bc92c01de6c6270c1af4

SHA1
2b5d8f13a624a73bec0e8a0a3b7015711aabeec1

SHA256
e11720999b0c3d755293107ca054e9a8d9ae81b16e97d6bb2e64ea7725d06b31

SHA512
872efb80e9f246ad973e045fafbeb43ffb92a5d7d40d9d567119ea22fb784b6e3abf04580eac65e5e238203cebba86d2c7740331edc2c83092fb69aea2eb6135

Download Submit
C:\Windows\{28B02167-6837-497e-9BCD-6CCA522D72B5}.exe

Filesize
216KB

MD5
04b7c80fcb89e81151631337d08be648

SHA1
c1650ecc36d426a0118bc246443d7cff099d8177

SHA256
e1073c70bf25836adf158a2e1fa665765bb6f7bb77b00a24294f9c9d2d9ba318

SHA512
4438156ec58ff52c1b4ab2c64b1264bac9b6250063dc9b63450e0db428a025479e62bc144430a1ed0bfb894467405be393deb57bfb0f135eeffb03e090d7b8f5

Download Submit
C:\Windows\{363659BA-6989-49a2-B335-7D9665093567}.exe

Filesize
216KB

MD5
174608260851383a62cceedeb36439cb

SHA1
1163c102d13064d95f56311965a995d69416537c

SHA256
a9e3abbc7812bcec29404b2658927ff07d56418d62f0f77437473fe835983e9c

SHA512
fcb64f149a0ac387d84d7bca6abdd0333d67451592ee8b34de4ee8ec14c0b2fe313aeeecc6c2c2b1c3d3d9a5299296e6dbb9ebc407dc80f39ac70d015114cab2

Download Submit
C:\Windows\{85D94F31-9775-4e6c-B23C-9C01674DF231}.exe

Filesize
216KB

MD5
b721002041d926ad773d99ad7fd12802

SHA1
ebb9611f6dbeddd8f2784cb8dc2d98b0ef5a59de

SHA256
857082f51acc38f148e9bb99bfbe374490278b3246d1cd113af100067c5c980b

SHA512
a78f9ab6c886ca83a0429554e2c3d81a2ad8cba3528cce0b4a9c9e4adba59b6b138c40822a4e3612b6bbc4d2955731b16563b82b34e958620c3de6bf17e951d7

Download Submit
C:\Windows\{9C0B52EE-F5FA-4a9c-82B5-DFBB7B33B3C8}.exe

Filesize
216KB

MD5
bb425b223bddbfd0fb8cfd6076050ad8

SHA1
ea88b84d269f9c74934d2d377f6abfa797bc8101

SHA256
4171b0bfd8a7e448d5a89f5baaa3bf79b4bc6c4d632f9d462c1f406cc092556b

SHA512
49092b555600c72d915475e07e9816d0ae849b258036da55535f9007565dfdc26083d5a4ff4c0bec5ee03e1816ebf381f3fc6ecc7a2662cb606f9aae39e9a556

Download Submit
C:\Windows\{C4D39377-FB67-4533-953B-2B44AE88272A}.exe

Filesize
216KB

MD5
6534dc47cb0818a55f860f1694dc17de

SHA1
152798098ed6b18ab713681c9c83b5bb111132a9

SHA256
272a737c0df3b14d166262e7ec1806d96c43747897a78f5cf52e26044a4e9f9e

SHA512
1d910c4fbd69727a0cc033b061ddb7ed47d4bf3ea0af2b23d11d522bf8bfd3e4e87c7a5c97d66ab0c8343a5ff718ae42e0d0e64a0eb0e707c2712d30b6a68b54

Download Submit
C:\Windows\{E51580A4-CFFB-4287-A13C-C3893856587D}.exe

Filesize
216KB

MD5
71c2fee9f2670b5974d6e7226184770a

SHA1
313942614806dca0affaccadf5123774efa56900

SHA256
2f6521ab7dd9c749a372428047b70c43f899d5e944dfacc10c9e42146a238f77

SHA512
1468ab26e5dee8c9fc9a419e6cd148b00b881b47adafca4d956920ef0979fd4b6cbf8bcd7f4d369936720a8ac24c251f4086636e107b3bdfc987c9300c5c4ad9

Download Submit
C:\Windows\{FBA476BA-C68C-4177-A3DD-50A4BD614DF5}.exe

Filesize
216KB

MD5
f0cb1a36469cb81743371ec03a4c2b0e

SHA1
7c0dbb56bc42d0f1da81cd2a3e0d826d3bca90d1

SHA256
4e0abfd299c1de565efd4047de27858b7c6f92903b7477a0689fc4be0ae054a1

SHA512
f0c27f59aa6ff6f43391238ddb2999f6273519f95724e5f8f09817f3b47344738c7ea342f185ecfc4c8bd779b6be06feb6458f080073f67fdd4c6fa986190a8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads