1404acab721ea21fdc222bcc5338131544fdbbea91f25501ac504fd8340aac41

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe
Size

168KB
MD5

e743916065ec3e813bdfc95dcfbaebb1
SHA1

9046a0fd2184be49ee5e99851090a0c21842dcb3
SHA256

1404acab721ea21fdc222bcc5338131544fdbbea91f25501ac504fd8340aac41
SHA512

5daa6f2e99ddbe08728b719c116b134869f32681737d47c5606e72beafa624e5ab1e7f3e1da1fbc653c09b3f8448ac7df4a423a517e4410ab47fc74f5cf0b8e2
SSDEEP

1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002f00000001325f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012120-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00300000000132f2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012120-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012120-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012120-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F0F463-E823-42c8-A547-9F229AD17BB8}	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}\stubpath = "C:\\Windows\\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe"	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}	{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E0F1236-466D-4db0-9114-9014E27190AA}	{017B9086-8C86-484a-8C87-24B5A012486A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E0F1236-466D-4db0-9114-9014E27190AA}\stubpath = "C:\\Windows\\{6E0F1236-466D-4db0-9114-9014E27190AA}.exe"	{017B9086-8C86-484a-8C87-24B5A012486A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}\stubpath = "C:\\Windows\\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe"	{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}\stubpath = "C:\\Windows\\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe"	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A60D801-1A23-4238-BF8D-1BAED561A488}\stubpath = "C:\\Windows\\{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe"	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F0F463-E823-42c8-A547-9F229AD17BB8}\stubpath = "C:\\Windows\\{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe"	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{017B9086-8C86-484a-8C87-24B5A012486A}\stubpath = "C:\\Windows\\{017B9086-8C86-484a-8C87-24B5A012486A}.exe"	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}	{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F3397B-C043-4e96-8C37-24B1513C48DF}\stubpath = "C:\\Windows\\{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe"	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}\stubpath = "C:\\Windows\\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe"	{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{376742FD-7081-47c5-BF80-DB9A057B00CB}	{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A60D801-1A23-4238-BF8D-1BAED561A488}	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}\stubpath = "C:\\Windows\\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe"	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{017B9086-8C86-484a-8C87-24B5A012486A}	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F3397B-C043-4e96-8C37-24B1513C48DF}	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{376742FD-7081-47c5-BF80-DB9A057B00CB}\stubpath = "C:\\Windows\\{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe"	{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe
304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
2152	{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
3004	{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
2560	{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
1400	{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
File created	C:\Windows\{017B9086-8C86-484a-8C87-24B5A012486A}.exe	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
File created	C:\Windows\{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe	{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
File created	C:\Windows\{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
File created	C:\Windows\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
File created	C:\Windows\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
File created	C:\Windows\{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	{017B9086-8C86-484a-8C87-24B5A012486A}.exe
File created	C:\Windows\{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
File created	C:\Windows\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe	{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
File created	C:\Windows\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe	{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
File created	C:\Windows\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
Token: SeIncBasePriorityPrivilege	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
Token: SeIncBasePriorityPrivilege	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
Token: SeIncBasePriorityPrivilege	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
Token: SeIncBasePriorityPrivilege	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
Token: SeIncBasePriorityPrivilege	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe
Token: SeIncBasePriorityPrivilege	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
Token: SeIncBasePriorityPrivilege	2152	{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
Token: SeIncBasePriorityPrivilege	3004	{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
Token: SeIncBasePriorityPrivilege	2560	{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2772	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	28
PID 2248 wrote to memory of 2772	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	28
PID 2248 wrote to memory of 2772	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	28
PID 2248 wrote to memory of 2772	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	28
PID 2248 wrote to memory of 3064	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	29
PID 2248 wrote to memory of 3064	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	29
PID 2248 wrote to memory of 3064	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	29
PID 2248 wrote to memory of 3064	2248	2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe	29
PID 2772 wrote to memory of 2216	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	30
PID 2772 wrote to memory of 2216	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	30
PID 2772 wrote to memory of 2216	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	30
PID 2772 wrote to memory of 2216	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	30
PID 2772 wrote to memory of 2688	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	31
PID 2772 wrote to memory of 2688	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	31
PID 2772 wrote to memory of 2688	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	31
PID 2772 wrote to memory of 2688	2772	{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe	31
PID 2216 wrote to memory of 2856	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	32
PID 2216 wrote to memory of 2856	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	32
PID 2216 wrote to memory of 2856	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	32
PID 2216 wrote to memory of 2856	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	32
PID 2216 wrote to memory of 2684	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	33
PID 2216 wrote to memory of 2684	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	33
PID 2216 wrote to memory of 2684	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	33
PID 2216 wrote to memory of 2684	2216	{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe	33
PID 2856 wrote to memory of 1976	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	36
PID 2856 wrote to memory of 1976	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	36
PID 2856 wrote to memory of 1976	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	36
PID 2856 wrote to memory of 1976	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	36
PID 2856 wrote to memory of 1640	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	37
PID 2856 wrote to memory of 1640	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	37
PID 2856 wrote to memory of 1640	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	37
PID 2856 wrote to memory of 1640	2856	{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe	37
PID 1976 wrote to memory of 2780	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	38
PID 1976 wrote to memory of 2780	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	38
PID 1976 wrote to memory of 2780	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	38
PID 1976 wrote to memory of 2780	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	38
PID 1976 wrote to memory of 2812	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	39
PID 1976 wrote to memory of 2812	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	39
PID 1976 wrote to memory of 2812	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	39
PID 1976 wrote to memory of 2812	1976	{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe	39
PID 2780 wrote to memory of 1776	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	40
PID 2780 wrote to memory of 1776	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	40
PID 2780 wrote to memory of 1776	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	40
PID 2780 wrote to memory of 1776	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	40
PID 2780 wrote to memory of 2108	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	41
PID 2780 wrote to memory of 2108	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	41
PID 2780 wrote to memory of 2108	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	41
PID 2780 wrote to memory of 2108	2780	{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe	41
PID 1776 wrote to memory of 304	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	42
PID 1776 wrote to memory of 304	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	42
PID 1776 wrote to memory of 304	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	42
PID 1776 wrote to memory of 304	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	42
PID 1776 wrote to memory of 624	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	43
PID 1776 wrote to memory of 624	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	43
PID 1776 wrote to memory of 624	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	43
PID 1776 wrote to memory of 624	1776	{017B9086-8C86-484a-8C87-24B5A012486A}.exe	43
PID 304 wrote to memory of 2152	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	44
PID 304 wrote to memory of 2152	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	44
PID 304 wrote to memory of 2152	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	44
PID 304 wrote to memory of 2152	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	44
PID 304 wrote to memory of 1204	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	45
PID 304 wrote to memory of 1204	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	45
PID 304 wrote to memory of 1204	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	45
PID 304 wrote to memory of 1204	304	{6E0F1236-466D-4db0-9114-9014E27190AA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e743916065ec3e813bdfc95dcfbaebb1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
  C:\Windows\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
    C:\Windows\{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
      C:\Windows\{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
        
        C:\Windows\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
        
        C:\Windows\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{017B9086-8C86-484a-8C87-24B5A012486A}.exe
        
        C:\Windows\{017B9086-8C86-484a-8C87-24B5A012486A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
        
        C:\Windows\{6E0F1236-466D-4db0-9114-9014E27190AA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
        
        C:\Windows\{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
        
        C:\Windows\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
        
        C:\Windows\{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe
        
        C:\Windows\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37674~1.EXE > nul
        12⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA4DD~1.EXE > nul
        11⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F33~1.EXE > nul
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E0F1~1.EXE > nul
        9⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{017B9~1.EXE > nul
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2A6D~1.EXE > nul
        7⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2A1~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F0F~1.EXE > nul
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A60D~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86F0E~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{017B9086-8C86-484a-8C87-24B5A012486A}.exe

Filesize
168KB

MD5
d0665ee114c01c4db1e86b97d90eb220

SHA1
a14ad23ab8c5565cc436f6c84588518e6cbcccb5

SHA256
3b59f209a78dbb9f1e3e1e4bcc6527b9aa61c6c35aba1fd56455ce8f9612c305

SHA512
966036c75cda00ca31b5929a325e3b226445bf48b4180c1a87989b090512e16bf9729e17925119b7d9d72e2c84c2503edaee2cd27df32d35aa6d17d0d04a2071

Download Submit
C:\Windows\{1DB99B2A-36A5-465e-9B96-7599D23AF4F9}.exe

Filesize
168KB

MD5
1d504e02f1dede03b78c14cae713c7b0

SHA1
76f2fbf56c564875c6d8fd77a72cd5ea7ff87e88

SHA256
4e18822f6325b636fcbd6e46bc89fcde9b00037429cb8a9c7edb6dce93f25ca1

SHA512
80b19046ef6c7463e2d8336ebe67f88be96a84824d2ae8a84c03c6c5658739f6efdf71051d4f26bdf7d21ae1675d5fa39ecc587c8d9d4a9ed4c43c00bd80ba8f

Download Submit
C:\Windows\{376742FD-7081-47c5-BF80-DB9A057B00CB}.exe

Filesize
168KB

MD5
4e14b7a427b1caf0d9127ceef0818e85

SHA1
dfe41e20eb9b4ecf4f0a48a8a9b1c62f3c3eacd3

SHA256
0ceaebeb40e23d29eeae591edc5cd1ceb9276d293382b5630732356bf44f20de

SHA512
dab2e3681c94e8f32053b961a85b332f7431d64634aef18662bb5fbea9577bf99313455b97544173cc1d5327130936ba2b5cd980fe583108448f9e1a9e205b21

Download Submit
C:\Windows\{44F0F463-E823-42c8-A547-9F229AD17BB8}.exe

Filesize
168KB

MD5
24f22c19fdfbed5e816a3ea055479a09

SHA1
d5dadcd42d37541372116e731fc1ca058f4d1f71

SHA256
6542e1f419693eed54517b9b3a74825abf7608a2cc040677511eb469413a0ea1

SHA512
28fa7fb90b4361435bb389a959d940251f0013a14fa46b60b831597053174da61ff69faf136e9cedeccdc057eb7b5440dd6e12bcf5fa0982435249b819b43d64

Download Submit
C:\Windows\{5A60D801-1A23-4238-BF8D-1BAED561A488}.exe

Filesize
168KB

MD5
a32ca53fcf07435209c99cff390d9d76

SHA1
b3b5626d137b8cebcc640b98fbe6560edf8e8365

SHA256
3771fde124c726fee23e73a79ba6429bebe7946e6671d4f5f6f197e1b946a25e

SHA512
a10957ab771631c15aa18f897c1b7c7b00ffb26162f66a530f6d1fee8df9e79fdc36d28a5fe40cb5b1ac9b4cbdbd5dc2d8b87f1c670cc12246edca4d9b6244fb

Download Submit
C:\Windows\{6E0F1236-466D-4db0-9114-9014E27190AA}.exe

Filesize
168KB

MD5
ca36a69915d85df7af151fcb5635aeab

SHA1
6062d21317c53a1a8d59533f2f7968449497c40b

SHA256
d22cb2060bb2c7d9e24f80c2d2a1aa0e1ed2a3d5d403217618d636f5d788dc56

SHA512
5fb8522da6bd54383461992c3f1e08786d07de453b9df8aaf63e5c590c00934ee728ca3aab6612c342790a698ebbfb8118680ce352fb37b739889075775d5cb8

Download Submit
C:\Windows\{86F0EC94-21A3-4432-93E7-ADE45DD3B650}.exe

Filesize
168KB

MD5
4d96e2dec2b1f387925906e01f9c51c6

SHA1
e1d72c06769fd08cb8211a286de68711a0235a3d

SHA256
6644e371a529264d4e287c547ac9b5ccb9f383ca3b7b5d43e5f3035c47b5e72a

SHA512
a6c628c08752ce52ff25e6b4262113fa307ae90387db55ef7775a8da40cd5e4de22dfccebdd7c4d8a6076b28127771c1a657d17a567d908aa62507b48c55d03f

Download Submit
C:\Windows\{91F3397B-C043-4e96-8C37-24B1513C48DF}.exe

Filesize
168KB

MD5
85dea12fb71fae2ec85bc88908682fc8

SHA1
6677ba59b9b31b0d0ca0afe429f38381dcbe7aba

SHA256
0f06308f30669cf539989cc4b1f0d29f2e976433817bd3bb5603b60af8d4affc

SHA512
148dbd46fa881272e1c1827ab419b02ba17b28b6f47b12be376218cdee047102bc55fdc702b0bf4a87983dc15b1d6e58b6f77c7ce085985dc6a85b52a9a694da

Download Submit
C:\Windows\{9E2A1694-8719-4cdd-B6E5-A7149EA8965A}.exe

Filesize
168KB

MD5
3fa262e11554a149bad54a1e0c036947

SHA1
a444d6ee466c8005377296a003acebbf9ff1297f

SHA256
b78548723a44c5e4cc9deacfad10bf1d9615dcb5daf4569c508731389ed171d1

SHA512
21f61f8cb573b020677d4ff9720b2bf58db6789291eca37f3522b6afdce03d6e6bb34d360c446218fe0d4eb0d0c249378fd91d50c26d47c5f07c0bdd69af255e

Download Submit
C:\Windows\{F2A6DB05-5C88-4dab-9D9E-7FE50B5AAA44}.exe

Filesize
168KB

MD5
bb748606291a684d551f56313eb07f24

SHA1
2b04ef3f29056b7cb17483f8c5356c180c4175b5

SHA256
6251adb10bba28c1dac89c1ddac1091cf764d7b3c72aff03a074fa3795f70e2a

SHA512
f47182e27570178c158daee3e8b102dfc3b7b2f7c97aaac70b8bcf209dc89a11309cccf5bc9217dc804280184c51653c65de345082c596f89dbb68ae652b0246

Download Submit
C:\Windows\{FA4DD051-A9D9-42e2-A508-9C83DA801ACA}.exe

Filesize
168KB

MD5
6de5c93b85e62fd052d8deab6f100499

SHA1
548f534da047cc3e04e747ef798cd2dd0f2da304

SHA256
d4f568aebead03d4573cff13b570990145bbc2e22bf16150db6a4072127e9312

SHA512
b442988f094cc49d882a1228f1d8716fc958c16af761d066f5384715962fccf73f675c9e8f0f283c887d550ee1c62798224308b83bc35672a0b2d63ee5d6e9f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads