eebdd1d4b422a9a6b7549d5dd2ae15f3f746420f6b9f964aa861f8d60c634cbd

Analysis

max time kernel
112s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
Size

380KB
MD5

99137d5a5a4f7164d19fc43992909ab3
SHA1

8af1ed97175debe661e338af8943d3edb663cf9e
SHA256

eebdd1d4b422a9a6b7549d5dd2ae15f3f746420f6b9f964aa861f8d60c634cbd
SHA512

6369a22bdcb9379a88a09b8f720cbb3ed46bc33e0a2c6797901d2f04708f6f730439b8dfce16b14a54c1ae64949a03795c8c7f3a61d376c36f32a4f562edf631
SSDEEP

3072:mEGh0oKlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fc-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023404-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016935-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023404-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016935-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023404-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016935-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023404-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016935-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023401-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016935-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016935-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}\stubpath = "C:\\Windows\\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe"	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762B6B0-1610-4c16-B139-8471F1DE8427}	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80B8C039-A0C2-48df-984D-D03EE4992882}	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80B8C039-A0C2-48df-984D-D03EE4992882}\stubpath = "C:\\Windows\\{80B8C039-A0C2-48df-984D-D03EE4992882}.exe"	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}\stubpath = "C:\\Windows\\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe"	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE88EBD1-725D-425f-A215-BD008E863413}	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE88EBD1-725D-425f-A215-BD008E863413}\stubpath = "C:\\Windows\\{FE88EBD1-725D-425f-A215-BD008E863413}.exe"	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA06B17-A481-4a85-99C5-42561147EBA2}	{FE88EBD1-725D-425f-A215-BD008E863413}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}\stubpath = "C:\\Windows\\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe"	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA06B17-A481-4a85-99C5-42561147EBA2}\stubpath = "C:\\Windows\\{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe"	{FE88EBD1-725D-425f-A215-BD008E863413}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}\stubpath = "C:\\Windows\\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe"	{12CF827B-D759-436a-AFD2-708245CA4860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12CF827B-D759-436a-AFD2-708245CA4860}	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12CF827B-D759-436a-AFD2-708245CA4860}\stubpath = "C:\\Windows\\{12CF827B-D759-436a-AFD2-708245CA4860}.exe"	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}	{12CF827B-D759-436a-AFD2-708245CA4860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0762B6B0-1610-4c16-B139-8471F1DE8427}\stubpath = "C:\\Windows\\{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe"	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe

Executes dropped EXE 9 IoCs

pid	Process
1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe
3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe
4896	{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FE88EBD1-725D-425f-A215-BD008E863413}.exe	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
File created	C:\Windows\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
File created	C:\Windows\{12CF827B-D759-436a-AFD2-708245CA4860}.exe	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
File created	C:\Windows\{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
File created	C:\Windows\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
File created	C:\Windows\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	{12CF827B-D759-436a-AFD2-708245CA4860}.exe
File created	C:\Windows\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
File created	C:\Windows\{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
File created	C:\Windows\{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe	{FE88EBD1-725D-425f-A215-BD008E863413}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
Token: SeIncBasePriorityPrivilege	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe
Token: SeIncBasePriorityPrivilege	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
Token: SeIncBasePriorityPrivilege	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
Token: SeIncBasePriorityPrivilege	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
Token: SeIncBasePriorityPrivilege	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
Token: SeIncBasePriorityPrivilege	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
Token: SeIncBasePriorityPrivilege	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1500	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	89
PID 2996 wrote to memory of 1500	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	89
PID 2996 wrote to memory of 1500	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	89
PID 2996 wrote to memory of 364	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	90
PID 2996 wrote to memory of 364	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	90
PID 2996 wrote to memory of 364	2996	2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe	90
PID 1500 wrote to memory of 4828	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	91
PID 1500 wrote to memory of 4828	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	91
PID 1500 wrote to memory of 4828	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	91
PID 1500 wrote to memory of 3488	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	92
PID 1500 wrote to memory of 3488	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	92
PID 1500 wrote to memory of 3488	1500	{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe	92
PID 4828 wrote to memory of 3888	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	95
PID 4828 wrote to memory of 3888	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	95
PID 4828 wrote to memory of 3888	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	95
PID 4828 wrote to memory of 4536	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	96
PID 4828 wrote to memory of 4536	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	96
PID 4828 wrote to memory of 4536	4828	{12CF827B-D759-436a-AFD2-708245CA4860}.exe	96
PID 3888 wrote to memory of 2660	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	98
PID 3888 wrote to memory of 2660	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	98
PID 3888 wrote to memory of 2660	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	98
PID 3888 wrote to memory of 4824	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	99
PID 3888 wrote to memory of 4824	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	99
PID 3888 wrote to memory of 4824	3888	{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe	99
PID 2660 wrote to memory of 3448	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	100
PID 2660 wrote to memory of 3448	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	100
PID 2660 wrote to memory of 3448	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	100
PID 2660 wrote to memory of 2852	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	101
PID 2660 wrote to memory of 2852	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	101
PID 2660 wrote to memory of 2852	2660	{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe	101
PID 3448 wrote to memory of 652	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	102
PID 3448 wrote to memory of 652	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	102
PID 3448 wrote to memory of 652	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	102
PID 3448 wrote to memory of 2588	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	103
PID 3448 wrote to memory of 2588	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	103
PID 3448 wrote to memory of 2588	3448	{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe	103
PID 652 wrote to memory of 4564	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	104
PID 652 wrote to memory of 4564	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	104
PID 652 wrote to memory of 4564	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	104
PID 652 wrote to memory of 4740	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	105
PID 652 wrote to memory of 4740	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	105
PID 652 wrote to memory of 4740	652	{80B8C039-A0C2-48df-984D-D03EE4992882}.exe	105
PID 4564 wrote to memory of 4064	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	106
PID 4564 wrote to memory of 4064	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	106
PID 4564 wrote to memory of 4064	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	106
PID 4564 wrote to memory of 3604	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	107
PID 4564 wrote to memory of 3604	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	107
PID 4564 wrote to memory of 3604	4564	{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe	107
PID 4064 wrote to memory of 4896	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	108
PID 4064 wrote to memory of 4896	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	108
PID 4064 wrote to memory of 4896	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	108
PID 4064 wrote to memory of 1620	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	109
PID 4064 wrote to memory of 1620	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	109
PID 4064 wrote to memory of 1620	4064	{FE88EBD1-725D-425f-A215-BD008E863413}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
  C:\Windows\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\{12CF827B-D759-436a-AFD2-708245CA4860}.exe
    C:\Windows\{12CF827B-D759-436a-AFD2-708245CA4860}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
      C:\Windows\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
        
        C:\Windows\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
        
        C:\Windows\{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
        
        C:\Windows\{80B8C039-A0C2-48df-984D-D03EE4992882}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
        
        C:\Windows\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{FE88EBD1-725D-425f-A215-BD008E863413}.exe
        
        C:\Windows\{FE88EBD1-725D-425f-A215-BD008E863413}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe
        
        C:\Windows\{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe
        10⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\{D8AC157A-9669-4b1f-9337-1BE171D271B1}.exe
        
        C:\Windows\{D8AC157A-9669-4b1f-9337-1BE171D271B1}.exe
        11⤵
        
        PID:3332
        
        C:\Windows\{5EFB135B-F04C-4eaf-9006-859BB87F4642}.exe
        
        C:\Windows\{5EFB135B-F04C-4eaf-9006-859BB87F4642}.exe
        12⤵
        
        PID:2524
        
        C:\Windows\{DCF03CE8-B01A-4918-9EE1-0D6941BBD43E}.exe
        
        C:\Windows\{DCF03CE8-B01A-4918-9EE1-0D6941BBD43E}.exe
        13⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EFB1~1.EXE > nul
        13⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8AC1~1.EXE > nul
        12⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA06~1.EXE > nul
        11⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE88E~1.EXE > nul
        10⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E174~1.EXE > nul
        9⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80B8C~1.EXE > nul
        8⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0762B~1.EXE > nul
        7⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{050CE~1.EXE > nul
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A175A~1.EXE > nul
        5⤵
        
        PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{12CF8~1.EXE > nul
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C279~1.EXE > nul
    3⤵
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{050CEACA-81FC-4189-A0CD-DEF7DF7AC5B1}.exe

Filesize
380KB

MD5
8e02f523e2165fce213611d463d93298

SHA1
46b3a13023b85f3af9ef8cb98de17f843897e3b3

SHA256
66481b573548e94098574316e80ffba9e750834bf3b0909365de4df5a45d2a8e

SHA512
32adf025ce73a02bc9a451df3d7003f9c8622c83878ab9d4f35ff3d476fde430d50826dd18cbaac4257d9b36980f3affd49f2a06c80365a64b851a282172cef2

Download Submit
C:\Windows\{0762B6B0-1610-4c16-B139-8471F1DE8427}.exe

Filesize
380KB

MD5
9416a7a3132b847edc085166cd758194

SHA1
9d70d0950d5ad66cc7633f1f2124e336fa97c22a

SHA256
1155671b8117fef04409352aa8bd0ba1616547411dfdfa0dec5c211cb74ed043

SHA512
213c6af3c14e9725e65f281dd53ae544a38d6e5c1af3ba88cff5c218b14951063e0832fe09e97f95a0e80073772501eb42b38052b8d3ce5777f324bb6548cf9d

Download Submit
C:\Windows\{0E174C73-B7BE-4b4f-80ED-5120870AF49C}.exe

Filesize
380KB

MD5
e19ad03057bcbb6ea89fbab65dfb1e65

SHA1
14f8d214e7e0ccb66f569be927bd15f60902f5ca

SHA256
faded05a31424006d637c66e8bc084144e65858d619e76bcd04ff37c9546a34e

SHA512
729f252ef90876a71aa0d045dff57bd4fb9f4b96ac73b3c8eb67096b2f1e979b5d21729e322c426e797640804af8e9bbc04bbc830c9dabbfb8a590b9eea4357b

Download Submit
C:\Windows\{12CF827B-D759-436a-AFD2-708245CA4860}.exe

Filesize
380KB

MD5
6afdb5f781efd109187d769d6756381c

SHA1
d3b3abcbd9679519ef27d955f75c950e2555df4f

SHA256
30abe5dc5984eb90ee32de870b1e3dd74042e1da5c2be7be8ecb505dafbb1933

SHA512
fb3b141bafd1d41bceac73210f88afce32ed9905e03a67af70e1a6fecb67ba534fe2872cf3cb673459289e63881cecdc57dfc484110af0883bb82c897a3d02f3

Download Submit
C:\Windows\{5EFB135B-F04C-4eaf-9006-859BB87F4642}.exe

Filesize
380KB

MD5
acb15a162d6c6e2f2d78fc661a9f4c01

SHA1
721ec2c67feb37230c148219944a9759162f2b1f

SHA256
f9275fcf8c99c69d08a3622de93ef024505cf444a12aebf462177f8533eed635

SHA512
8750cedf58d423b7f1cc3f36f159ad7e06e7ad985e076d9e51d91ad02895bbce71314a36711f14eb4bd5124fb27e2b2fce4b3b2a3824369662375b7225c014be

Download Submit
C:\Windows\{6C2796A0-6394-4795-929F-DA66CD6AFEF2}.exe

Filesize
380KB

MD5
68f449d1e3ce365efb72a2c4f17b7927

SHA1
2026a8876556254d3ab91b90d5ec816453304fce

SHA256
6a905b0e4f2ff9da99874243f1efd28bfd6b5271c5a4ae2a03e5d5cba13be54f

SHA512
8f0abdb333bd9327baaddfebd6686cd95da3ee56af8867ff84dcbc1439bfb63454b7c04188324e3a55d91b62a658456b3ad46f94dfd44df725717ead4b983654

Download Submit
C:\Windows\{80B8C039-A0C2-48df-984D-D03EE4992882}.exe

Filesize
380KB

MD5
42e05c2d2f74c54c07120186ca613529

SHA1
4c8c0feaaacc92c81adc3e69a89f1cd99eecc7c6

SHA256
fb5727d86a0fb74f5bbe677148a6181e7e5b0dab55af70e51c3a5f38e4f6619b

SHA512
4eec87d46c1c5e9fdbc7938043850c085e4465000043cd17a810a2e3fd4233a27a9bec6383d7c4b00c25277ebc2399af9204c2c6c265a3fb227b381f2ed65c58

Download Submit
C:\Windows\{A175ADF5-8DE6-46ee-85BD-572EDAEFBD3A}.exe

Filesize
380KB

MD5
caef6c1b40c14a96d8c31c45286d6b96

SHA1
5f470c3044959563318ed1c0d8b8e07bac485e06

SHA256
3d48b5dbcf0488e1ecac09c65170e5c84f8415eeaf4f65b237a48a188957dce1

SHA512
bca39b7823a362e6ab5e6738aaab757ef1a00e8f85a477ebb39d6a2a2747df0471de8ab3883ab1639de8d497238febc2406dd345f21ce279d749abf8c91b0672

Download Submit
C:\Windows\{CBA06B17-A481-4a85-99C5-42561147EBA2}.exe

Filesize
380KB

MD5
58a5bc6c1837ca9f5134fb9fe8a71299

SHA1
e9715977b53bc3beb3e7b954545f1fab642c6635

SHA256
fdaa87995b2eab75444f64333ce4c9a2a9ba938f62acdda82e03cce1ba766f4f

SHA512
632b59178fce4614f674bf9bf717b66f2b4450c04cdcc2e0fa5ddd9060f7c3b5ee1021b49e9392f18fc6f187e03b6d0035efc95544382abbafb841f723e7c3bc

Download Submit
C:\Windows\{D8AC157A-9669-4b1f-9337-1BE171D271B1}.exe

Filesize
380KB

MD5
8cd1201d2b51e7f97f1e34aec150df5c

SHA1
25acc1ff3be5be40f83c55a5908fb87292926067

SHA256
0e43b948b26ab4f9b931312c3e91a141ecbe7c7a44afb03773cbf79d23cd21c7

SHA512
ff96321e8d436ea727f25d8afb463b72bcf5e905d5e4a599f6a232418e124a3bee6a2175481a051bb3c1c293d87f75f9827dc1e1e99822e247d45b649125ca23

Download Submit
C:\Windows\{DCF03CE8-B01A-4918-9EE1-0D6941BBD43E}.exe

Filesize
317KB

MD5
58e1a0b502406402469d2258650e341f

SHA1
c6000bd208e89a9a99687afac49850e5d4074996

SHA256
b85129493cc35f7a0b4fd7f65bef394bcd34f275e8ca61611c6264055ef2e463

SHA512
f3e18121b859073e2763dd9d80a466de9140a1d1f1ab26f913b90382cb67db284446205130b636bd8c99ad5c66a20f0d50daee128520b95162607c387ce7618d

Download Submit
C:\Windows\{DCF03CE8-B01A-4918-9EE1-0D6941BBD43E}.exe

Filesize
215KB

MD5
3c3bf78e3e2a8ec3015291416325bc8b

SHA1
e584cdd4571007fcc4bedc0e610bf108a0593c86

SHA256
402e611a244ed07211ef45c1dd7f912e8c9b8f548a600fe817238fba433dd731

SHA512
64f946e87fe84d603883dbdccfc5c267b4644ae021152e2e07eefc4b49d508a7cc1b59f7097d1cf4ba0668887061801b283953123e2137bac7ed35ae49256905

Download Submit
C:\Windows\{FE88EBD1-725D-425f-A215-BD008E863413}.exe

Filesize
380KB

MD5
07e1f7bf17b3dfc08cfa890baaf3ff49

SHA1
25aaa111dd746dfe19669291c1f1d199849bb861

SHA256
a6c7aba39d747eec09cd7bf04bb0bf2311c4cf4a2d3fd651dca3b55d72a9adfd

SHA512
472bf270915366218749a5768c03aeeab0f55f5780cecd91fb3fbcabd28b817188453f737b180039dcd27e00a9b3187019cd60008e55070bf192bee7913332ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads