aeb2415ed40f66403ba78f3494acbf4d359d14fea1b0113c680d00b94839de28

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Size

372KB
MD5

03571f00c7c703f977a75c7e950f9950
SHA1

5dfa5d40499305be9b68c59bc86517b98b2e593f
SHA256

aeb2415ed40f66403ba78f3494acbf4d359d14fea1b0113c680d00b94839de28
SHA512

a179b1d3b7aae99b4c74fdb099143b8fd90d4c94b849bf95004aaff3af422fbd6facfbb5f90d853cc58e36226a875f5b2c00f74b47d6f03e5657ddacf0841ebb
SSDEEP

3072:CEGh0oelMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGMlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012241-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015a2d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015a2d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015a2d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c52-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c7c-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015cb9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c7c-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}\stubpath = "C:\\Windows\\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe"	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70986BF8-0B40-48ec-8104-3422F686CC89}	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7A543B-933F-481b-A481-534E01C5D63D}	{86DB3A35-6B8A-4688-8883-84401196D528}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D7A543B-933F-481b-A481-534E01C5D63D}\stubpath = "C:\\Windows\\{6D7A543B-933F-481b-A481-534E01C5D63D}.exe"	{86DB3A35-6B8A-4688-8883-84401196D528}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}\stubpath = "C:\\Windows\\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe"	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4598607F-62EC-4c02-B467-5F420AA8E666}\stubpath = "C:\\Windows\\{4598607F-62EC-4c02-B467-5F420AA8E666}.exe"	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}\stubpath = "C:\\Windows\\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe"	{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70986BF8-0B40-48ec-8104-3422F686CC89}\stubpath = "C:\\Windows\\{70986BF8-0B40-48ec-8104-3422F686CC89}.exe"	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4598607F-62EC-4c02-B467-5F420AA8E666}	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}	{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D550A832-ECBE-4b6b-935F-AD8764081EF6}	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}\stubpath = "C:\\Windows\\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe"	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664E424C-E15D-4695-9C35-08E97D27D0CE}\stubpath = "C:\\Windows\\{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe"	{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}\stubpath = "C:\\Windows\\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe"	{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DB3A35-6B8A-4688-8883-84401196D528}	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86DB3A35-6B8A-4688-8883-84401196D528}\stubpath = "C:\\Windows\\{86DB3A35-6B8A-4688-8883-84401196D528}.exe"	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D550A832-ECBE-4b6b-935F-AD8764081EF6}\stubpath = "C:\\Windows\\{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe"	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{664E424C-E15D-4695-9C35-08E97D27D0CE}	{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}	{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe
2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
1244	{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
1740	{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
3044	{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe
2060	{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
File created	C:\Windows\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
File created	C:\Windows\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
File created	C:\Windows\{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
File created	C:\Windows\{86DB3A35-6B8A-4688-8883-84401196D528}.exe	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
File created	C:\Windows\{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
File created	C:\Windows\{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe	{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
File created	C:\Windows\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe	{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
File created	C:\Windows\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe	{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe
File created	C:\Windows\{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	{86DB3A35-6B8A-4688-8883-84401196D528}.exe
File created	C:\Windows\{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
Token: SeIncBasePriorityPrivilege	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe
Token: SeIncBasePriorityPrivilege	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
Token: SeIncBasePriorityPrivilege	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
Token: SeIncBasePriorityPrivilege	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
Token: SeIncBasePriorityPrivilege	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
Token: SeIncBasePriorityPrivilege	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
Token: SeIncBasePriorityPrivilege	1244	{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
Token: SeIncBasePriorityPrivilege	1740	{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
Token: SeIncBasePriorityPrivilege	3044	{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2072	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	28
PID 1184 wrote to memory of 2072	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	28
PID 1184 wrote to memory of 2072	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	28
PID 1184 wrote to memory of 2072	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	28
PID 1184 wrote to memory of 2480	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	29
PID 1184 wrote to memory of 2480	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	29
PID 1184 wrote to memory of 2480	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	29
PID 1184 wrote to memory of 2480	1184	2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe	29
PID 2072 wrote to memory of 2540	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	30
PID 2072 wrote to memory of 2540	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	30
PID 2072 wrote to memory of 2540	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	30
PID 2072 wrote to memory of 2540	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	30
PID 2072 wrote to memory of 2608	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	31
PID 2072 wrote to memory of 2608	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	31
PID 2072 wrote to memory of 2608	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	31
PID 2072 wrote to memory of 2608	2072	{70986BF8-0B40-48ec-8104-3422F686CC89}.exe	31
PID 2540 wrote to memory of 2532	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	34
PID 2540 wrote to memory of 2532	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	34
PID 2540 wrote to memory of 2532	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	34
PID 2540 wrote to memory of 2532	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	34
PID 2540 wrote to memory of 2448	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	35
PID 2540 wrote to memory of 2448	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	35
PID 2540 wrote to memory of 2448	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	35
PID 2540 wrote to memory of 2448	2540	{86DB3A35-6B8A-4688-8883-84401196D528}.exe	35
PID 2532 wrote to memory of 1964	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	36
PID 2532 wrote to memory of 1964	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	36
PID 2532 wrote to memory of 1964	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	36
PID 2532 wrote to memory of 1964	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	36
PID 2532 wrote to memory of 2888	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	37
PID 2532 wrote to memory of 2888	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	37
PID 2532 wrote to memory of 2888	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	37
PID 2532 wrote to memory of 2888	2532	{6D7A543B-933F-481b-A481-534E01C5D63D}.exe	37
PID 1964 wrote to memory of 2376	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	38
PID 1964 wrote to memory of 2376	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	38
PID 1964 wrote to memory of 2376	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	38
PID 1964 wrote to memory of 2376	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	38
PID 1964 wrote to memory of 1004	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	39
PID 1964 wrote to memory of 1004	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	39
PID 1964 wrote to memory of 1004	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	39
PID 1964 wrote to memory of 1004	1964	{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe	39
PID 2376 wrote to memory of 2352	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	40
PID 2376 wrote to memory of 2352	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	40
PID 2376 wrote to memory of 2352	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	40
PID 2376 wrote to memory of 2352	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	40
PID 2376 wrote to memory of 1988	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	41
PID 2376 wrote to memory of 1988	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	41
PID 2376 wrote to memory of 1988	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	41
PID 2376 wrote to memory of 1988	2376	{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe	41
PID 2352 wrote to memory of 284	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	42
PID 2352 wrote to memory of 284	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	42
PID 2352 wrote to memory of 284	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	42
PID 2352 wrote to memory of 284	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	42
PID 2352 wrote to memory of 1992	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	43
PID 2352 wrote to memory of 1992	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	43
PID 2352 wrote to memory of 1992	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	43
PID 2352 wrote to memory of 1992	2352	{4598607F-62EC-4c02-B467-5F420AA8E666}.exe	43
PID 284 wrote to memory of 1244	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	44
PID 284 wrote to memory of 1244	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	44
PID 284 wrote to memory of 1244	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	44
PID 284 wrote to memory of 1244	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	44
PID 284 wrote to memory of 968	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	45
PID 284 wrote to memory of 968	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	45
PID 284 wrote to memory of 968	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	45
PID 284 wrote to memory of 968	284	{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_03571f00c7c703f977a75c7e950f9950_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
  C:\Windows\{70986BF8-0B40-48ec-8104-3422F686CC89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{86DB3A35-6B8A-4688-8883-84401196D528}.exe
    C:\Windows\{86DB3A35-6B8A-4688-8883-84401196D528}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
      C:\Windows\{6D7A543B-933F-481b-A481-534E01C5D63D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
        
        C:\Windows\{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
        
        C:\Windows\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
        
        C:\Windows\{4598607F-62EC-4c02-B467-5F420AA8E666}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
        
        C:\Windows\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
        
        C:\Windows\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
        
        C:\Windows\{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe
        
        C:\Windows\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe
        
        C:\Windows\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC92~1.EXE > nul
        12⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{664E4~1.EXE > nul
        11⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEB7~1.EXE > nul
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD40~1.EXE > nul
        9⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45986~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D94B~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D550A~1.EXE > nul
        6⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7A5~1.EXE > nul
        5⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86DB3~1.EXE > nul
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70986~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DEB7AA3-B8CD-4ae5-A7C8-4200A7E23092}.exe

Filesize
372KB

MD5
9bc0e78c1fb5341cb0ccb6120e1263f9

SHA1
d14b5bb58f7f9ecc6a309b91e851b269e67c4ca2

SHA256
02a3edd7188a06c6fc23d1c0c509ae1e8dfee609481d12d3cf8443d969a262f1

SHA512
9319abeb2619ae561528b36670a3db966a18c3a7334c904b7e7793187bb8222a8808e32674e5782cbb988d7365209c3859b1d1c44daf3a74c89f645cf99d7cba

Download Submit
C:\Windows\{3BD40F7F-5E51-4a24-98AC-0CBF278C45A3}.exe

Filesize
372KB

MD5
9ddedb6076de48de291a7f8f9af8b31c

SHA1
5403837b74ec97a535d794a096a79eedfe1b6e8b

SHA256
0002d339117e1e3edace50b774901b0f09ded9cbc6b04905d2b61eec9a6940f8

SHA512
a235dc226411118594fea781ec2e57b954b62724a5aec2c7c2821add408e167e5ba934184c39e5267330cbedff78abe3b92d12fdddc45ecf7116b93aff3afbee

Download Submit
C:\Windows\{3D94BE58-13F1-4b1a-8F86-D4AB78092E3C}.exe

Filesize
372KB

MD5
1befc48ade7f90da1e182be5c24a95d1

SHA1
ed961785080e76661d1431e70b120153b33e333f

SHA256
4d4f6e8d71c415304ba983379a20cb7b6a67074fb2957fa8cc17c02ccedf9529

SHA512
3a31cd382b7ada52f93c1b2fb0be8842ceccd55e9d58fad8d5b6dc12c26573d69b919afc67a35687129e83a596001efc2d80da21e5a3434bae62f64799ac62ca

Download Submit
C:\Windows\{4598607F-62EC-4c02-B467-5F420AA8E666}.exe

Filesize
372KB

MD5
d71abb2a809f1be8afca0ceae7f8d556

SHA1
564d08a5fb7b32b47edcf7b2556b464e2a4d9a9c

SHA256
873f2aae56498dcd082579c49300a5b3b7f8e805474788fd507faf7c9f6b014c

SHA512
d0c6f3d29b73ccfae78c54266e6eadefcfe88bf62c41fc9a64089bad563f21c76ae36f89c2957d646666876efdc3306ef745deef889e01a0d55bda379f2fd9aa

Download Submit
C:\Windows\{664E424C-E15D-4695-9C35-08E97D27D0CE}.exe

Filesize
372KB

MD5
251062f1982f0278c969b770d4e6ded1

SHA1
6185553750936ace29d7e68ea0ddf3b0d5f5bf76

SHA256
f8c6b7682c97b0349791d8cf5cbf31500208421b92278b7ba7c0189fbda2e760

SHA512
1940e86d3c4247e3b56b37f4b5a65461cb4ae3b1483f63d5ea65a90feb20f4ac8757f630d2288447ba8bf0ecc22af563fceedb70d9f453dfcb6a348544559ba0

Download Submit
C:\Windows\{6D7A543B-933F-481b-A481-534E01C5D63D}.exe

Filesize
372KB

MD5
146461e39c4876439a61f9d7a2309918

SHA1
14b11833d14335cbbcab73b192155fc0c5db1c13

SHA256
ad5ebc0b54517cfeaca650e167b36993d15174e0dab2523fc1071cc643894799

SHA512
d51a2cdd544fce9c8ca66ef09f08ca81512c0598aade2e8b59ad74b14094f7f96cd0e18b3d6a88ff4a9da0b7869eb9ffd4f0795143573bd1940531a8411ef5e5

Download Submit
C:\Windows\{70986BF8-0B40-48ec-8104-3422F686CC89}.exe

Filesize
372KB

MD5
15f693f90b97341fbda8e2a547cfed8b

SHA1
696ee37e8ce115dff6e6a0d869e256fec4621f8c

SHA256
1b7da44cf10e0b1d2dedcd97822561229f2e1ef2b4caf11fdfae2503e345fbbf

SHA512
e193834827bb5962684402818bf7816e3c92dbd5ea1263908dcdfd1d40ad1331a526ddf3ec30ee5159aca64c44a8ca9f2d36b505c929d574cfb26a13db9ddeac

Download Submit
C:\Windows\{86DB3A35-6B8A-4688-8883-84401196D528}.exe

Filesize
372KB

MD5
8c548fa884f822143d4f575e9829f3f7

SHA1
7609dea440acf1cb670c9f662edabf552a941e05

SHA256
4344c2c23e1e4c5c26790c0e5698b56461d37e701a4fb182b2ecd8d5de83934d

SHA512
8c4138300445d60e5c1077f07aa2cb349507c84aeaedfc786a1755b8f5a8650ddb00d93e3bb5f216efb0c59e2066196e34e7cba1c1306709cffd3a3f435b2f47

Download Submit
C:\Windows\{8EC92025-9E19-420f-B36F-7DDF7A66EF47}.exe

Filesize
372KB

MD5
a559cfd5b3451252ea683fc8139b9d02

SHA1
9e12b4506d38bf277dbc5df6e0bb9b0c73f2d452

SHA256
cd83d57edf2e7e2f679c21e3f003b26342a3c0a0e3ed414b9f789f8e5fccfe32

SHA512
0f3a1d074fb85cc8b36326d4972ff4073b77e0b99e2df8be161b12d82828f40d8da42017447090807f370ef877a88d06326be464cded7aeca306abf86a1c0477

Download Submit
C:\Windows\{D550A832-ECBE-4b6b-935F-AD8764081EF6}.exe

Filesize
372KB

MD5
3ca3d1b9982777ffe6827620aa7f7ae8

SHA1
9e8349becf678beb7af8f0072fbccd6a44922516

SHA256
b01ed5061e876df4ef100b239f927c1fc80af1fa437a42a52d03bd6c92fa69c3

SHA512
a10630cd6cee61fc499b3c0083434b124ea5cae767ba8e22cf8cc163f30f175694890b4b17b7b8156ef7c42763117f81c2bc59978f585f31d688297bd780bbfc

Download Submit
C:\Windows\{E2EFF60D-53D9-4c86-BBF1-F0B4DC4AFD6B}.exe

Filesize
372KB

MD5
01565e786f67ea6409a61dcd8eeef089

SHA1
4ec64be4ec93bc48b68b0cb087ec1505138d2fd1

SHA256
237362f5d9d8a708c424cecd380336e363009bc7d35ceb7a1dc7d6ace4cd68a4

SHA512
f3560dfcd6fcec6c99a19a1802d182287b6237fc821e839ff4abcdf659d2df999c912a67eb878ee4e5ab1cd188fb880f07426d4cddad86eb0456a61a991ccd93

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads