c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Size

168KB
MD5

213624e4547432f6b8e30670eddaafc9
SHA1

3a65c13e112b200bc4b67ea846169c4fd2dc4fd0
SHA256

c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7
SHA512

a79af212a2e163c933dbdf6817b10dceec888af00cb24f9660fc20e7d0f58278e3a979af5d3d33786c9d4828b8be93014f1f01bd9c1de1bcf28fcfb8e1688b5c
SSDEEP

1536:1EGh0oEli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oEliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023392-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233a0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023429-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232ae-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023429-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000232ae-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023429-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023397-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023399-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023397-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023436-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023397-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}\stubpath = "C:\\Windows\\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe"	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873EFC61-5D37-4c38-BFE8-CD01D532539D}	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23EB018-6F1F-4a49-8351-2D23282782D9}\stubpath = "C:\\Windows\\{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe"	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}\stubpath = "C:\\Windows\\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe"	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}\stubpath = "C:\\Windows\\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe"	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FDDE200-767F-499b-9B00-1AA2D418645D}	{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}\stubpath = "C:\\Windows\\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe"	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}\stubpath = "C:\\Windows\\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe"	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}\stubpath = "C:\\Windows\\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe"	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FDDE200-767F-499b-9B00-1AA2D418645D}\stubpath = "C:\\Windows\\{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe"	{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873EFC61-5D37-4c38-BFE8-CD01D532539D}\stubpath = "C:\\Windows\\{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe"	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23EB018-6F1F-4a49-8351-2D23282782D9}	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}\stubpath = "C:\\Windows\\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe"	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}\stubpath = "C:\\Windows\\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe"	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}\stubpath = "C:\\Windows\\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe"	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
1952	{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
2424	{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
File created	C:\Windows\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
File created	C:\Windows\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
File created	C:\Windows\{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
File created	C:\Windows\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
File created	C:\Windows\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
File created	C:\Windows\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
File created	C:\Windows\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
File created	C:\Windows\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
File created	C:\Windows\{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe	{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
File created	C:\Windows\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
File created	C:\Windows\{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
Token: SeIncBasePriorityPrivilege	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
Token: SeIncBasePriorityPrivilege	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
Token: SeIncBasePriorityPrivilege	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
Token: SeIncBasePriorityPrivilege	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
Token: SeIncBasePriorityPrivilege	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
Token: SeIncBasePriorityPrivilege	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
Token: SeIncBasePriorityPrivilege	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
Token: SeIncBasePriorityPrivilege	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
Token: SeIncBasePriorityPrivilege	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
Token: SeIncBasePriorityPrivilege	4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
Token: SeIncBasePriorityPrivilege	1952	{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1072	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	98
PID 2024 wrote to memory of 1072	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	98
PID 2024 wrote to memory of 1072	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	98
PID 2024 wrote to memory of 3548	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	99
PID 2024 wrote to memory of 3548	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	99
PID 2024 wrote to memory of 3548	2024	c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe	99
PID 1072 wrote to memory of 2196	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	100
PID 1072 wrote to memory of 2196	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	100
PID 1072 wrote to memory of 2196	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	100
PID 1072 wrote to memory of 1916	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	101
PID 1072 wrote to memory of 1916	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	101
PID 1072 wrote to memory of 1916	1072	{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe	101
PID 2196 wrote to memory of 5012	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	104
PID 2196 wrote to memory of 5012	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	104
PID 2196 wrote to memory of 5012	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	104
PID 2196 wrote to memory of 3796	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	105
PID 2196 wrote to memory of 3796	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	105
PID 2196 wrote to memory of 3796	2196	{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe	105
PID 5012 wrote to memory of 436	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	106
PID 5012 wrote to memory of 436	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	106
PID 5012 wrote to memory of 436	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	106
PID 5012 wrote to memory of 1260	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	107
PID 5012 wrote to memory of 1260	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	107
PID 5012 wrote to memory of 1260	5012	{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe	107
PID 436 wrote to memory of 1060	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	109
PID 436 wrote to memory of 1060	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	109
PID 436 wrote to memory of 1060	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	109
PID 436 wrote to memory of 3656	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	110
PID 436 wrote to memory of 3656	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	110
PID 436 wrote to memory of 3656	436	{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe	110
PID 1060 wrote to memory of 1080	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	111
PID 1060 wrote to memory of 1080	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	111
PID 1060 wrote to memory of 1080	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	111
PID 1060 wrote to memory of 1864	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	112
PID 1060 wrote to memory of 1864	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	112
PID 1060 wrote to memory of 1864	1060	{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe	112
PID 1080 wrote to memory of 4420	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	113
PID 1080 wrote to memory of 4420	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	113
PID 1080 wrote to memory of 4420	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	113
PID 1080 wrote to memory of 1448	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	114
PID 1080 wrote to memory of 1448	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	114
PID 1080 wrote to memory of 1448	1080	{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe	114
PID 4420 wrote to memory of 3624	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	121
PID 4420 wrote to memory of 3624	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	121
PID 4420 wrote to memory of 3624	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	121
PID 4420 wrote to memory of 3912	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	122
PID 4420 wrote to memory of 3912	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	122
PID 4420 wrote to memory of 3912	4420	{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe	122
PID 3624 wrote to memory of 4484	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	123
PID 3624 wrote to memory of 4484	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	123
PID 3624 wrote to memory of 4484	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	123
PID 3624 wrote to memory of 4528	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	124
PID 3624 wrote to memory of 4528	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	124
PID 3624 wrote to memory of 4528	3624	{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe	124
PID 4484 wrote to memory of 4472	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	125
PID 4484 wrote to memory of 4472	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	125
PID 4484 wrote to memory of 4472	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	125
PID 4484 wrote to memory of 4820	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	126
PID 4484 wrote to memory of 4820	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	126
PID 4484 wrote to memory of 4820	4484	{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe	126
PID 4472 wrote to memory of 1952	4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe	129
PID 4472 wrote to memory of 1952	4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe	129
PID 4472 wrote to memory of 1952	4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe	129
PID 4472 wrote to memory of 732	4472	{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe	130

C:\Users\Admin\AppData\Local\Temp\c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe
"C:\Users\Admin\AppData\Local\Temp\c01d8c10fc3471a126736e3baa5a5e2526ef756d53b913c6be8f9a2c2f635eb7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
  C:\Windows\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
    C:\Windows\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
      C:\Windows\{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
        
        C:\Windows\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
        
        C:\Windows\{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
        
        C:\Windows\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
        
        C:\Windows\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
        
        C:\Windows\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
        
        C:\Windows\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
        
        C:\Windows\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
        
        C:\Windows\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe
        
        C:\Windows\{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe
        13⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AB4A~1.EXE > nul
        13⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAE3~1.EXE > nul
        12⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75A9C~1.EXE > nul
        11⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF368~1.EXE > nul
        10⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB5E4~1.EXE > nul
        9⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C3F5~1.EXE > nul
        8⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D23EB~1.EXE > nul
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A3EC~1.EXE > nul
        6⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873EF~1.EXE > nul
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C32D~1.EXE > nul
      4⤵
      PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDBA7~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C01D8C~1.EXE > nul
  2⤵
  PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5FDDE200-767F-499b-9B00-1AA2D418645D}.exe

Filesize
168KB

MD5
c2c61fce565263189647b5974fccf3f2

SHA1
b62d1071833af5b9f2bd19aac2f69c62da5bb895

SHA256
9d520b391bdc9fb37129ac1f5da4e07a443e18e62fc64c660741a07a2b87d4cb

SHA512
1a3149a529584b0cbcf86fc85684447188c5e1ace61fc028c82b7e7fc7231a5ff52cdf0c6a2316636f841a65fba30cbc19a7ee24de4858c26f8d62633f89716a

Download Submit
C:\Windows\{75A9C215-377C-44a5-8CEB-C4D85123B0CF}.exe

Filesize
168KB

MD5
fa2f1a1912f75e616e6bb035f4510ff0

SHA1
8b275b76a5764f3974818c9e02ac9c63c63f84c2

SHA256
9ea7e7f58047c8581a39579ebe85ad215930e8bcf822533f5a593a64ca8ebb2d

SHA512
3506d6bbe8377d019e2ddc7a11021c483c46b6f487a9d11640821abdc628f0e3582cde26a543c6f1b9cdc1f4a15c35d2fe325666419e4c0e22ed6e9a5fd2be0b

Download Submit
C:\Windows\{7AB4A419-9864-4ec2-BA28-0F5842E188D5}.exe

Filesize
168KB

MD5
be0641f7cc9f89130b8eb58f0650a010

SHA1
17819a89817da1ff0f0078daace2572a8fd81648

SHA256
3d0298ef2a911e3aed7991528e32530772ea451c48d3a6f73e6acc9c5818241c

SHA512
c64a55ffedf7e5c25e2043f5d93c2c8a9be1448fb240291eb302d9740b7fbe29c67de2884ad4a08b78fc10d64ebcb1723b063faec457bd2565f63b89718cf215

Download Submit
C:\Windows\{7C32D40B-8D9D-4f97-99FD-7E5ADB6EFD9C}.exe

Filesize
168KB

MD5
8d5fed0dce6ec7d033bc87706393df99

SHA1
e3c66aff963293e1d8a55a41fe1b8497c40bf5fc

SHA256
12c564b4b09b98c7e548816c84372c7d6ed8f4921fabc6fa8e5c04a71c0d5ffd

SHA512
afd5d9722fca368024ffcdd1761853bfece0eaaf663b2b7a1f894d3a21aba0c4b9b37491323a80893369fdeff63a23b1fb5b0458f13e194799d70e26dc7e3ff5

Download Submit
C:\Windows\{7C3F551E-A889-4993-9A0C-32A3CAAA5698}.exe

Filesize
168KB

MD5
fc6b11ef3eff1b809488197694c835f5

SHA1
4912e3f8d7874d803dd5af7341421a38070551b7

SHA256
5016cb2e7c479b729efa240caa504d13f2fd604759635108b61fbcd0662575ca

SHA512
0887e1ef680707721205f612a4f0da964bb3d0707ec2cbba43fbdbbe7a33dfa1163432e5bfd8ab74c7483503aae79067951aa336a6725bf74ebf94be9344df98

Download Submit
C:\Windows\{873EFC61-5D37-4c38-BFE8-CD01D532539D}.exe

Filesize
168KB

MD5
08a91ac796cfc8cf7fe5d528fb99db6f

SHA1
3f78bf842e7d3db8a88c7d43571c365010abecd9

SHA256
27c1e8608783fb7c924ad36b786efd3997bbef61d2776c0b458b46af5091bd8a

SHA512
b7681a8aa54fb243af89ff04177a19d7b028c5c737c16638458cf2da38ce5871b01e304515ffd7c4b734e2f601e6f83d1bff8db7668c206bdac3efd07b0e0a96

Download Submit
C:\Windows\{9A3EC5D4-3C24-46b5-B344-8147F72B4B94}.exe

Filesize
168KB

MD5
86c0f1a9808af19f312d8342ab1800b0

SHA1
7f9ed657a81124cfbf709307ed9441c9aa939130

SHA256
e16d8591328d6c2f9a1ddd8f9a55919bed38d935781a59040ce981dc3543f4ed

SHA512
9cbf0c8dafa743578d2fa284ddba3a64fe2d6973af1dfc6d3fecddefb5bf983ceeb86c48a3e8d0245a130acddffbce25a46d5f033c4d5ae3c69d581e97947681

Download Submit
C:\Windows\{AB5E42D4-DA59-4a28-842B-7C5F1FF1C084}.exe

Filesize
168KB

MD5
4387af4f265e858c88cec81210e7efb3

SHA1
81e16b9beb1df0049c7bb5b994c57c96ae786544

SHA256
606304a03e9f8c4066853025d96ef37c2af9a3635371a79582e551ed0d21ec3b

SHA512
c3bc74dbd48679fe864d0d9d40d2bcea526ea23b676fd7d8f08cfdc8f082d9c47b6672677c42543b85b501d4584384ade6f68a0eb213a47681d1f4140e78729a

Download Submit
C:\Windows\{BDBA7BF5-144C-4ee9-8FB6-A28D9205E6AE}.exe

Filesize
168KB

MD5
22a6bacdfce06bf4cff1db3a9b42bf36

SHA1
2539110664cd1b76f2929908c1f2c0b7b5447cc0

SHA256
f0ccc149e2a5c0c9551591948cf7e9cf9863a9f86ce0854ab8731f52a5039308

SHA512
b368b648ebefafe1ea15ff9478c42cce59a6f33d3e1785ba7dee256f0f920ae8507be166236e92e11dee70f8a774a631d79dd72c8fafa63e07b48ab7ce75c892

Download Submit
C:\Windows\{D23EB018-6F1F-4a49-8351-2D23282782D9}.exe

Filesize
168KB

MD5
4b20d89428d68b9ca00ac255c0992b96

SHA1
928babe4dcf5c34267ce32f6e65b9d1a5dad7ad4

SHA256
75fd163e5686213eddaafa220e65f9220f179a42594723e57fb75ef784c7fb16

SHA512
c32b821d76195a633ef563bb94505d3f487d791175743b9ff659fa481341a6e9f1e296f6e22c269d39367387c80bce4be0e79b173143144297f35715b3ea34ef

Download Submit
C:\Windows\{DAAE3A47-F6E8-41c5-A02F-2530BC0AFB30}.exe

Filesize
168KB

MD5
7284c97f21602f792bb2d8bb09a93586

SHA1
b4c064c439da39ddd5f91adc7265e0ebe0d00f6e

SHA256
eed71b430e8842429738e5f94d02d63a1923a126cd04f0f1415bf19f366285e1

SHA512
df6404ab8dba6b9a54efe2512f1285b5674a88b363c38a46cdd8307afaff4a605bb6c0f6e36ee5dc33b8a622ad64444e5db3137082aabfa4078b972ed6f9ff49

Download Submit
C:\Windows\{DF368784-92FE-4aac-89F5-BE1DA0CA9A8F}.exe

Filesize
168KB

MD5
aec7925c8ac2058510620f54a243badd

SHA1
56be9b77f7be0e91c4fcda31baa5ef4cdf62646f

SHA256
7d18fd6d28d733b548c67af38f44f81917b67bed868472c3b562fafe57d00767

SHA512
c1d65edb592c6382cf15da5fea7569731663d98940cd6b60b62f8be3c660a105defefb1cfb3fc464a57266b2019f829dc0fc426a8331414d9d5163343efdeaa9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads