64169f87d77bb7a87d3cde8774133f072505e57351cdc3b94f0b54f5d74aabb5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
Size

168KB
MD5

9fd755f0ef9ba95ccfac155c33daf1c2
SHA1

5a69abdae3a4fc2a0d9eb40dbaad08e812b09c85
SHA256

64169f87d77bb7a87d3cde8774133f072505e57351cdc3b94f0b54f5d74aabb5
SHA512

979177270787720a6b43c86cf54b92796295061b0cf9382d30f8bac7254143ca847961991edbabfc6124be5ea1eec9f616c8601cbc9e58e68f41e1f0af22f8fc
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023435-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002343f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e5bb-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002339c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e5bb-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023394-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5bb-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023394-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233a4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023394-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233a4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023396-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65963597-B46E-4297-871A-950586952C4A}\stubpath = "C:\\Windows\\{65963597-B46E-4297-871A-950586952C4A}.exe"	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5280055F-EC46-4f1c-A42F-F9752F946E70}	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF883B0-3149-4f00-9997-34050CCFDFA4}	{860601F9-60C9-405f-9020-99A581759108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860601F9-60C9-405f-9020-99A581759108}\stubpath = "C:\\Windows\\{860601F9-60C9-405f-9020-99A581759108}.exe"	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58576582-7957-441a-8F52-09215EBA0C45}	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5280055F-EC46-4f1c-A42F-F9752F946E70}\stubpath = "C:\\Windows\\{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe"	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}	{65963597-B46E-4297-871A-950586952C4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}\stubpath = "C:\\Windows\\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe"	{65963597-B46E-4297-871A-950586952C4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}\stubpath = "C:\\Windows\\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe"	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F927D390-5322-45a3-8DDE-5B271BFA42F4}	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F927D390-5322-45a3-8DDE-5B271BFA42F4}\stubpath = "C:\\Windows\\{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe"	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{860601F9-60C9-405f-9020-99A581759108}	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58576582-7957-441a-8F52-09215EBA0C45}\stubpath = "C:\\Windows\\{58576582-7957-441a-8F52-09215EBA0C45}.exe"	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7083BC0-3A97-4dd9-BD20-93976097A464}	{58576582-7957-441a-8F52-09215EBA0C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7083BC0-3A97-4dd9-BD20-93976097A464}\stubpath = "C:\\Windows\\{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe"	{58576582-7957-441a-8F52-09215EBA0C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65963597-B46E-4297-871A-950586952C4A}	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}\stubpath = "C:\\Windows\\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe"	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}\stubpath = "C:\\Windows\\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe"	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}\stubpath = "C:\\Windows\\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe"	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EF883B0-3149-4f00-9997-34050CCFDFA4}\stubpath = "C:\\Windows\\{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe"	{860601F9-60C9-405f-9020-99A581759108}.exe

Executes dropped EXE 12 IoCs

pid	Process
3788	{65963597-B46E-4297-871A-950586952C4A}.exe
1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
2128	{860601F9-60C9-405f-9020-99A581759108}.exe
5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
2732	{58576582-7957-441a-8F52-09215EBA0C45}.exe
4396	{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
File created	C:\Windows\{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
File created	C:\Windows\{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe	{860601F9-60C9-405f-9020-99A581759108}.exe
File created	C:\Windows\{58576582-7957-441a-8F52-09215EBA0C45}.exe	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
File created	C:\Windows\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	{65963597-B46E-4297-871A-950586952C4A}.exe
File created	C:\Windows\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
File created	C:\Windows\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
File created	C:\Windows\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
File created	C:\Windows\{65963597-B46E-4297-871A-950586952C4A}.exe	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
File created	C:\Windows\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
File created	C:\Windows\{860601F9-60C9-405f-9020-99A581759108}.exe	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
File created	C:\Windows\{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe	{58576582-7957-441a-8F52-09215EBA0C45}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3788	{65963597-B46E-4297-871A-950586952C4A}.exe
Token: SeIncBasePriorityPrivilege	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
Token: SeIncBasePriorityPrivilege	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
Token: SeIncBasePriorityPrivilege	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
Token: SeIncBasePriorityPrivilege	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
Token: SeIncBasePriorityPrivilege	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
Token: SeIncBasePriorityPrivilege	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
Token: SeIncBasePriorityPrivilege	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
Token: SeIncBasePriorityPrivilege	2128	{860601F9-60C9-405f-9020-99A581759108}.exe
Token: SeIncBasePriorityPrivilege	5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
Token: SeIncBasePriorityPrivilege	2732	{58576582-7957-441a-8F52-09215EBA0C45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3788	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	98
PID 4744 wrote to memory of 3788	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	98
PID 4744 wrote to memory of 3788	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	98
PID 4744 wrote to memory of 1944	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	99
PID 4744 wrote to memory of 1944	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	99
PID 4744 wrote to memory of 1944	4744	2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe	99
PID 3788 wrote to memory of 1628	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	102
PID 3788 wrote to memory of 1628	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	102
PID 3788 wrote to memory of 1628	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	102
PID 3788 wrote to memory of 4396	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	103
PID 3788 wrote to memory of 4396	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	103
PID 3788 wrote to memory of 4396	3788	{65963597-B46E-4297-871A-950586952C4A}.exe	103
PID 1628 wrote to memory of 2372	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	106
PID 1628 wrote to memory of 2372	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	106
PID 1628 wrote to memory of 2372	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	106
PID 1628 wrote to memory of 4536	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	107
PID 1628 wrote to memory of 4536	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	107
PID 1628 wrote to memory of 4536	1628	{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe	107
PID 2372 wrote to memory of 2104	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	108
PID 2372 wrote to memory of 2104	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	108
PID 2372 wrote to memory of 2104	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	108
PID 2372 wrote to memory of 1076	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	109
PID 2372 wrote to memory of 1076	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	109
PID 2372 wrote to memory of 1076	2372	{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe	109
PID 2104 wrote to memory of 5020	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	110
PID 2104 wrote to memory of 5020	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	110
PID 2104 wrote to memory of 5020	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	110
PID 2104 wrote to memory of 3568	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	111
PID 2104 wrote to memory of 3568	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	111
PID 2104 wrote to memory of 3568	2104	{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe	111
PID 5020 wrote to memory of 4956	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	115
PID 5020 wrote to memory of 4956	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	115
PID 5020 wrote to memory of 4956	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	115
PID 5020 wrote to memory of 4336	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	116
PID 5020 wrote to memory of 4336	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	116
PID 5020 wrote to memory of 4336	5020	{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe	116
PID 4956 wrote to memory of 2516	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	117
PID 4956 wrote to memory of 2516	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	117
PID 4956 wrote to memory of 2516	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	117
PID 4956 wrote to memory of 1568	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	118
PID 4956 wrote to memory of 1568	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	118
PID 4956 wrote to memory of 1568	4956	{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe	118
PID 2516 wrote to memory of 4712	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	119
PID 2516 wrote to memory of 4712	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	119
PID 2516 wrote to memory of 4712	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	119
PID 2516 wrote to memory of 1904	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	120
PID 2516 wrote to memory of 1904	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	120
PID 2516 wrote to memory of 1904	2516	{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe	120
PID 4712 wrote to memory of 2128	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	127
PID 4712 wrote to memory of 2128	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	127
PID 4712 wrote to memory of 2128	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	127
PID 4712 wrote to memory of 4356	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	128
PID 4712 wrote to memory of 4356	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	128
PID 4712 wrote to memory of 4356	4712	{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe	128
PID 2128 wrote to memory of 5028	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	129
PID 2128 wrote to memory of 5028	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	129
PID 2128 wrote to memory of 5028	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	129
PID 2128 wrote to memory of 4816	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	130
PID 2128 wrote to memory of 4816	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	130
PID 2128 wrote to memory of 4816	2128	{860601F9-60C9-405f-9020-99A581759108}.exe	130
PID 5028 wrote to memory of 2732	5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe	131
PID 5028 wrote to memory of 2732	5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe	131
PID 5028 wrote to memory of 2732	5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe	131
PID 5028 wrote to memory of 920	5028	{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_9fd755f0ef9ba95ccfac155c33daf1c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\{65963597-B46E-4297-871A-950586952C4A}.exe
  C:\Windows\{65963597-B46E-4297-871A-950586952C4A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
    C:\Windows\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
      C:\Windows\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
        
        C:\Windows\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
        
        C:\Windows\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
        
        C:\Windows\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
        
        C:\Windows\{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
        
        C:\Windows\{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{860601F9-60C9-405f-9020-99A581759108}.exe
        
        C:\Windows\{860601F9-60C9-405f-9020-99A581759108}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
        
        C:\Windows\{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{58576582-7957-441a-8F52-09215EBA0C45}.exe
        
        C:\Windows\{58576582-7957-441a-8F52-09215EBA0C45}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe
        
        C:\Windows\{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe
        13⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58576~1.EXE > nul
        13⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF88~1.EXE > nul
        12⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86060~1.EXE > nul
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52800~1.EXE > nul
        10⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F927D~1.EXE > nul
        9⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9F19~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FD0B~1.EXE > nul
        7⤵
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC34~1.EXE > nul
        6⤵
        
        PID:3568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7A8~1.EXE > nul
        5⤵
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D6F~1.EXE > nul
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65963~1.EXE > nul
    3⤵
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FC341AB-FE5D-4e9a-A821-5116173C4B2C}.exe

Filesize
168KB

MD5
5197b6829c3d537c1e32040585b0548a

SHA1
524d5bbc3355f144b20235fa4842a4dfbbefbf00

SHA256
d90ca5cdc8323fc7b765efa2e984605853be61ea95a70a37f6c3f1b8d59141bc

SHA512
12abb174ab9b90373661dc6ce5e1351363b41f0c3dd469c37673dba59f479354450dd99207fa1c8b1972b06c1f2c3c0fa87a0cd8c0e8bac2068cb3364c73db84

Download Submit
C:\Windows\{2EF883B0-3149-4f00-9997-34050CCFDFA4}.exe

Filesize
168KB

MD5
18f29c1402bbc22b301670f27be12c6b

SHA1
6205f7bb603a3f2ba2c7706311b0de162e96a0d4

SHA256
bfdd339724f984a205eec52da3ebdd64f0567a650af966f5c5d1400b9a1c6edc

SHA512
8de0682e32c03c4b7a93a6aa3311424dba429d54a96c09c611654232351844843285391b1d808068595aca984228519a74d7ed1d867c36c155d02e904e117326

Download Submit
C:\Windows\{5280055F-EC46-4f1c-A42F-F9752F946E70}.exe

Filesize
168KB

MD5
391ef50df2c04b6928884da24d1ee96e

SHA1
28b3dc8b6ce17caf93924acc4c6b06a1a03df2b3

SHA256
46be495816849285580b0ae7410abd712d0c617d6976f89e7bffcfaa6639d026

SHA512
b527264708b123d653f76459c72df855cd93d62e0129e7cc7d3e1d843255b8f154eca728ac95031bcc153aa79e5d04a6f00baf19db37f5fdb420e57bfecb3df9

Download Submit
C:\Windows\{58576582-7957-441a-8F52-09215EBA0C45}.exe

Filesize
168KB

MD5
7aed45c21cea358ac303f8cd083d9efe

SHA1
019ea3ea89cdfc91ee6ee38cb65e5a04c6920133

SHA256
f8d374d73cf627b527307cd8115d65a301a344d73cb93abbf802930ac66d0710

SHA512
b6e688b43ee0c9e6d59827206ab835d4e6e27f1c5cb6a1284eac93748d2e3e1d8151691d6ff63f0b9e57b0c552a37ea814f38d4a284f5763e03cd57ea99e9dc7

Download Submit
C:\Windows\{65963597-B46E-4297-871A-950586952C4A}.exe

Filesize
168KB

MD5
99c7e331c77b65d69670ef33167444af

SHA1
8175cc538e8f073cb7791c62a7ce1369c9168fbe

SHA256
8faa0b381537ea2e910f930a7b9f1e726364122c976073c0634ebde1d2a2adae

SHA512
14a81a8198ba2c411b3075faf3cb69e9d100480ca92163b7e01fd1c78cee7091c53360524d6e401666cbc919f52942f90c3202da9556c6cbba3f502a2831cac5

Download Submit
C:\Windows\{6FD0BC04-E56A-4c33-A243-46AC31E9F193}.exe

Filesize
168KB

MD5
b44f876d3f9d74b46b136e8b8103041a

SHA1
79febd55da11a3a328897bb16c23041cfe23b468

SHA256
d47d0a883fd70c8f3712b88a5e091a16672f31baebc2e7935f4c62c0fa1eb1ee

SHA512
eaa5f78b003e5feb7e0d6c242affe58477e94a0d60c37c5202d56e8612c73c7b1f524a33be3e07e6382ebcdb1941ff1ebddd7a9a531e63594fc9b819ccf8d19d

Download Submit
C:\Windows\{860601F9-60C9-405f-9020-99A581759108}.exe

Filesize
168KB

MD5
223d0b23ca2ef309a3f1e35c7076a35a

SHA1
ac1ade92beb2096a89fbcf1e0b48d711bb8ddce0

SHA256
5c7534bdf707e69c05c54dceb14090d0a0ba502f066ed7d4038125e53e36ffb4

SHA512
fe6dad36c4e4520189617facfefdcd812fbca698bfca0331db5d93918d99c17e7b107044fb3a133500f126091616a0ebda6fe26bbd108f3d80ff9a3e64da1170

Download Submit
C:\Windows\{C3D6F729-D362-4d23-A1EA-0CD64F3A25B4}.exe

Filesize
168KB

MD5
a73d51f6d843f18139390281fdd51692

SHA1
02295abd2f784b66ebdcc3772a544652d0135bda

SHA256
8904300c8d5549c5925524b4eb18de692f36ad87e1de43f1864e3c3c9ef116ab

SHA512
862e46dd6543ae92709c2a6da5af46226507b7aa708ffeedb6e90f4a9e3a1de3bcf9b650cac6a04c6a67fe9d3c8b3549744db8e0de7ae8f2991e7800bc29246b

Download Submit
C:\Windows\{CA7A8855-997D-46bc-A31B-BE5B8E5DC10D}.exe

Filesize
168KB

MD5
70480cc6c952357e93e423286eec33a9

SHA1
46e8b532004aeaa1c4d306be63b86c3a845bf6c3

SHA256
35c17339eafa38cd10d7e29a3c8d738a815b2e94a2c82298b5a4009a7c1b1997

SHA512
3262bd47cb318c2729f1012ebd8c42bcbbec86c515d3b7be371926741730a678e212fc9b92ad7b0873e9e6b9b398cde8bd814616c4cab377e91a406d2370b090

Download Submit
C:\Windows\{F7083BC0-3A97-4dd9-BD20-93976097A464}.exe

Filesize
168KB

MD5
6a3d59eafc0c73ddaf52d0c9d7403b61

SHA1
3510dffdda409372dc1408cfe3b0f682edb933c5

SHA256
ade281b773aa147a3817cc38d128bc4b0757396d25b34bd6cab23e873b7da21f

SHA512
407e62175e4fb952af9e34f7e97406bf79bb102258ea042b7d59df893dcdd1620fe5bf46cfb3dcce734f4a1a95988aff690f084fa6897e3a7ede1f9193b9b1d6

Download Submit
C:\Windows\{F927D390-5322-45a3-8DDE-5B271BFA42F4}.exe

Filesize
168KB

MD5
289c0eea645be8a3b801b73809b6a4fb

SHA1
e752b0c14a776d7a14dcbf59e84c50aca442ba56

SHA256
66d0b1439983c4d192963d497150e3d87428e1155b3d3e5c7e241b72d6ff43bc

SHA512
cd967d5088cd1a178af879c43ef3b4c09ebc9a6b7f5930c8b73c88e59b3c2b9f11fcdb3f98a4f34b4c5e502e7b0fea9980056530e1238c334ab322c141299c2d

Download Submit
C:\Windows\{F9F19072-EE05-45c0-A9DA-FA93BD2DA74E}.exe

Filesize
168KB

MD5
df226e0bc61c58bf51a0e9b10e488d4e

SHA1
7d812a82e4a811c39741f77494b1cac08db61374

SHA256
5ade6eb3dd318c93e347b90ed2c20cfa2a6c7d1e8b17d0a0362c27577661c198

SHA512
56759722452755bb2b0dbb78dbd047007c014965187be25d71783305f5629d8ab224365fd81b315c0a9e6d00f8c5ae308021f5d8448ad509c4ac91c8393ad78d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads