1fcc677219df60f6759f7e799b5bb64dab2544da6b60991ae3e0507db3ca81d6

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Size

197KB
MD5

625441720e99715e4899c50ce94c9c3d
SHA1

de740b07fc7d576413e3e2be82d7b6db77e900de
SHA256

1fcc677219df60f6759f7e799b5bb64dab2544da6b60991ae3e0507db3ca81d6
SHA512

e59b6783b570cf2954c201053c46e48f39250871db9f880667248e6554761daa63816f68cea15fb297669a6c80e3f1c3343b23a380055b0976b0b4b820e55f41
SSDEEP

3072:jEGh0oYl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 7 IoCs

resource	yara_rule
behavioral2/files/0x000900000002327a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-24.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}\stubpath = "C:\\Windows\\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe"	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04ECF59E-7082-4cc9-A451-C94474F76BEC}	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}	{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}\stubpath = "C:\\Windows\\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe"	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159CB49B-F924-49cc-90DF-B19F65C96EA5}\stubpath = "C:\\Windows\\{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe"	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}\stubpath = "C:\\Windows\\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe"	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159CB49B-F924-49cc-90DF-B19F65C96EA5}	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04ECF59E-7082-4cc9-A451-C94474F76BEC}\stubpath = "C:\\Windows\\{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe"	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}\stubpath = "C:\\Windows\\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe"	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}\stubpath = "C:\\Windows\\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe"	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}\stubpath = "C:\\Windows\\{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe"	{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe

Executes dropped EXE 7 IoCs

pid	Process
4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
4520	{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe
2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
2032	{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
File created	C:\Windows\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
File created	C:\Windows\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
File created	C:\Windows\{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
File created	C:\Windows\{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
File created	C:\Windows\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
File created	C:\Windows\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
Token: SeIncBasePriorityPrivilege	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
Token: SeIncBasePriorityPrivilege	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe
Token: SeIncBasePriorityPrivilege	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
Token: SeIncBasePriorityPrivilege	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
Token: SeIncBasePriorityPrivilege	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4316	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	96
PID 4504 wrote to memory of 4316	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	96
PID 4504 wrote to memory of 4316	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	96
PID 4504 wrote to memory of 2912	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	97
PID 4504 wrote to memory of 2912	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	97
PID 4504 wrote to memory of 2912	4504	2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe	97
PID 4316 wrote to memory of 1796	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	102
PID 4316 wrote to memory of 1796	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	102
PID 4316 wrote to memory of 1796	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	102
PID 4316 wrote to memory of 2080	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	103
PID 4316 wrote to memory of 2080	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	103
PID 4316 wrote to memory of 2080	4316	{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe	103
PID 1796 wrote to memory of 4520	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	107
PID 1796 wrote to memory of 4520	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	107
PID 1796 wrote to memory of 4520	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	107
PID 1796 wrote to memory of 4424	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	108
PID 1796 wrote to memory of 4424	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	108
PID 1796 wrote to memory of 4424	1796	{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe	108
PID 3128 wrote to memory of 2332	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	111
PID 3128 wrote to memory of 2332	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	111
PID 3128 wrote to memory of 2332	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	111
PID 3128 wrote to memory of 5016	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	112
PID 3128 wrote to memory of 5016	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	112
PID 3128 wrote to memory of 5016	3128	{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe	112
PID 2332 wrote to memory of 1400	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	113
PID 2332 wrote to memory of 1400	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	113
PID 2332 wrote to memory of 1400	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	113
PID 2332 wrote to memory of 4676	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	114
PID 2332 wrote to memory of 4676	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	114
PID 2332 wrote to memory of 4676	2332	{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe	114
PID 1400 wrote to memory of 3068	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	115
PID 1400 wrote to memory of 3068	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	115
PID 1400 wrote to memory of 3068	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	115
PID 1400 wrote to memory of 3112	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	116
PID 1400 wrote to memory of 3112	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	116
PID 1400 wrote to memory of 3112	1400	{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe	116
PID 3068 wrote to memory of 2032	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	117
PID 3068 wrote to memory of 2032	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	117
PID 3068 wrote to memory of 2032	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	117
PID 3068 wrote to memory of 2500	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	118
PID 3068 wrote to memory of 2500	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	118
PID 3068 wrote to memory of 2500	3068	{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_625441720e99715e4899c50ce94c9c3d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
  C:\Windows\{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
    C:\Windows\{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe
      C:\Windows\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      PID:4520
    - - C:\Windows\{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe
        
        C:\Windows\{2201EE6F-1C3C-44be-9C87-8ABFB88D548E}.exe
        5⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
        
        C:\Windows\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
        
        C:\Windows\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
        
        C:\Windows\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe
        
        C:\Windows\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe
        9⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05526~1.EXE > nul
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11CAD~1.EXE > nul
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0BFA~1.EXE > nul
        7⤵
        
        PID:4676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2201E~1.EXE > nul
        6⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F48F1~1.EXE > nul
        5⤵
        
        PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04ECF~1.EXE > nul
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{159CB~1.EXE > nul
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04ECF59E-7082-4cc9-A451-C94474F76BEC}.exe

Filesize
197KB

MD5
9ac77660956bab088376d82ce11a7a17

SHA1
80b7125d7b98639630b7ce772ef00c24339454fe

SHA256
db2b41f79654b42b273ac8e1ff5d150e120292faaf79a3371a995f0d7b1eb6b3

SHA512
58124fc37f718c396d62c6b262d64bea718c950ed1459924f93fb95f59effbb87c0606112d94a4c09a4d7dcec848c8e5c9b4c4f8100b42a83eb5eac53393edbb

Download Submit
C:\Windows\{055267C7-CE12-4eff-B9E9-2400E7EF8AF3}.exe

Filesize
197KB

MD5
12a67128000add8e29b6f175b6ea9b7e

SHA1
da18efa26ccd7961c5cc58fb5271b17f8b0d057d

SHA256
6772c41a59a3a3b8a1325af9b7017e4a61b8cce01c8b163008f76bb9f111ac3f

SHA512
750357b35b4892a37ce022876871fd5c0e2ddafb559e788b3cf0b37d4f9879f1ec733819be6bec89462e74451b073edfec099f0020ca34d370800832e0a23138

Download Submit
C:\Windows\{11CAD5AF-7F1C-438a-B064-33E4E1219DB2}.exe

Filesize
197KB

MD5
e12e8d36867ebe6cd4dfb76818ad0745

SHA1
2bd5a4400dba914bef95103fca8faab760f0b67d

SHA256
a2f7ec112f91086d6342d53312c7c19eb9c0ee7ecb0a0262514ffac7fafea801

SHA512
2ebfdd719434d1a142461a0e1eaf7c3a1064ac4f0c4c6ec64219d628032b5e3da8bb1c3f58ea6603896c77886e11c5141b1e298a186b3ca33ac5b93c22dc8fef

Download Submit
C:\Windows\{159CB49B-F924-49cc-90DF-B19F65C96EA5}.exe

Filesize
197KB

MD5
6b15028ad8f96182da41be7717327d98

SHA1
24458c30fbfacb2903350ea60bce3e65e91f3f14

SHA256
24e7feee4c7cf98136899d23f3916eef327e18d4197f44c4faf995a32f02d1d5

SHA512
a2f46e5a783598c90da2e8b419b5d0a7be1a4121b556de39e64bdc20066ffaa451d94f44b8aabd190040f9d1ad45dfb0b81912447f3d0d6abf52f6e1efba9233

Download Submit
C:\Windows\{BABB55ED-FD66-4d8d-AC85-C8C018964EAE}.exe

Filesize
197KB

MD5
f2027d2b0f274f5a5af54246ea84a97d

SHA1
8d56311b98053746b1de4859f3909a8087be841e

SHA256
eeeb33ef1881b95d3e3c3b6b81a8900af879e607ede7bead992b8393b7547653

SHA512
4339be329f74bc4b8b9b03911b03a12dcedefff775bc3a787143f87b1faec14fb60d90adb8342d78ad288537fa75ff99dbe011408645a6e6fb041cdd9e918a43

Download Submit
C:\Windows\{C0BFA12B-6CE8-42db-92E5-8DF3022E4AA4}.exe

Filesize
197KB

MD5
cbc9d7e177b13abf8acbcd6b8eb38b74

SHA1
e8d89698c323ac4e21ff1b04d0ad8f79e06135e7

SHA256
c060b1c0d6e3cdf0f3771981d222680cc172b1b7b98ae0ad47cebb4e28bd2632

SHA512
a8be201d28b5f88de6802383e852072bc22dfbcd1703d18dd1c3d1215fa55fbf7ad8ca194396eaa749827221a4a2e8b4a2464d6c0be656720b8d0a28629aad69

Download Submit
C:\Windows\{F48F1EB6-C90F-487b-AE2E-800AB25BC64C}.exe

Filesize
197KB

MD5
b4182987f2a38315b5ebb805fa526f83

SHA1
8bdeb939a2643c92be497f311a2b17b0cb5a014f

SHA256
e937b2d40f37a7cdf5b11d59e2525736b505cd751c86937201b6ad1daa71832d

SHA512
c814e518edee9fb773c024c12f7b192f97af0d5d95a0a617434e58ea9230308667befa111c79ded523063adf7215c54ce2a003ce8372e0c5706714d743fe2882

Download Submit
memory/4520-11-0x00000000039F0000-0x0000000003ACB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads