0910745bd01af359946bf17db619b615d00eaa9bf70d952151662e814b0b9a48

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Size

204KB
MD5

7ca0161aca2ca34ff0309b7161b36f19
SHA1

a5c0bccd468bf3c5374148a8f2daace8a9617bf8
SHA256

0910745bd01af359946bf17db619b615d00eaa9bf70d952151662e814b0b9a48
SHA512

3ff6fdff816ddd958834cffbadbf5a9fc3f95a4f9e4b2b5f2ca8f3424fd013b24bed92e3a577a32d24069e11202e69a500ea5c45dc3d3e8eae95e742a6e298ac
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ac3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022ac6-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233e9-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ed-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ed-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ed-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f3-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233ed-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f3-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233ed-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}	{78D03A56-207A-4f08-8D35-0640A1345189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}\stubpath = "C:\\Windows\\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe"	{78D03A56-207A-4f08-8D35-0640A1345189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C78428-A01D-4c73-B990-0243ED41C2BB}\stubpath = "C:\\Windows\\{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe"	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3981222C-A6E5-4437-B0FB-758318478AFD}	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3981222C-A6E5-4437-B0FB-758318478AFD}\stubpath = "C:\\Windows\\{3981222C-A6E5-4437-B0FB-758318478AFD}.exe"	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}\stubpath = "C:\\Windows\\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe"	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D03A56-207A-4f08-8D35-0640A1345189}\stubpath = "C:\\Windows\\{78D03A56-207A-4f08-8D35-0640A1345189}.exe"	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}\stubpath = "C:\\Windows\\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe"	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73646546-CE54-4201-BFF0-F60A3E61182E}\stubpath = "C:\\Windows\\{73646546-CE54-4201-BFF0-F60A3E61182E}.exe"	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDF065A-0689-48f9-935D-BC0524C583E1}\stubpath = "C:\\Windows\\{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe"	{73646546-CE54-4201-BFF0-F60A3E61182E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}\stubpath = "C:\\Windows\\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe"	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}\stubpath = "C:\\Windows\\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe"	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA153566-78B2-47b3-865B-BC09DB2A273A}	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C78428-A01D-4c73-B990-0243ED41C2BB}	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA153566-78B2-47b3-865B-BC09DB2A273A}\stubpath = "C:\\Windows\\{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe"	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D03A56-207A-4f08-8D35-0640A1345189}	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73646546-CE54-4201-BFF0-F60A3E61182E}	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}\stubpath = "C:\\Windows\\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe"	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BDF065A-0689-48f9-935D-BC0524C583E1}	{73646546-CE54-4201-BFF0-F60A3E61182E}.exe

Executes dropped EXE 12 IoCs

pid	Process
440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe
2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
1584	{73646546-CE54-4201-BFF0-F60A3E61182E}.exe
1636	{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
File created	C:\Windows\{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
File created	C:\Windows\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
File created	C:\Windows\{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe	{73646546-CE54-4201-BFF0-F60A3E61182E}.exe
File created	C:\Windows\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
File created	C:\Windows\{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
File created	C:\Windows\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
File created	C:\Windows\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	{78D03A56-207A-4f08-8D35-0640A1345189}.exe
File created	C:\Windows\{73646546-CE54-4201-BFF0-F60A3E61182E}.exe	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
File created	C:\Windows\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
File created	C:\Windows\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
File created	C:\Windows\{78D03A56-207A-4f08-8D35-0640A1345189}.exe	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
Token: SeIncBasePriorityPrivilege	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
Token: SeIncBasePriorityPrivilege	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
Token: SeIncBasePriorityPrivilege	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
Token: SeIncBasePriorityPrivilege	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
Token: SeIncBasePriorityPrivilege	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
Token: SeIncBasePriorityPrivilege	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
Token: SeIncBasePriorityPrivilege	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe
Token: SeIncBasePriorityPrivilege	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
Token: SeIncBasePriorityPrivilege	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
Token: SeIncBasePriorityPrivilege	2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
Token: SeIncBasePriorityPrivilege	1584	{73646546-CE54-4201-BFF0-F60A3E61182E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 440	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	86
PID 3744 wrote to memory of 440	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	86
PID 3744 wrote to memory of 440	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	86
PID 3744 wrote to memory of 4076	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	87
PID 3744 wrote to memory of 4076	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	87
PID 3744 wrote to memory of 4076	3744	2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe	87
PID 440 wrote to memory of 1792	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	88
PID 440 wrote to memory of 1792	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	88
PID 440 wrote to memory of 1792	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	88
PID 440 wrote to memory of 4496	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	89
PID 440 wrote to memory of 4496	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	89
PID 440 wrote to memory of 4496	440	{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe	89
PID 1792 wrote to memory of 5028	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	92
PID 1792 wrote to memory of 5028	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	92
PID 1792 wrote to memory of 5028	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	92
PID 1792 wrote to memory of 4404	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	93
PID 1792 wrote to memory of 4404	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	93
PID 1792 wrote to memory of 4404	1792	{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe	93
PID 5028 wrote to memory of 532	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	98
PID 5028 wrote to memory of 532	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	98
PID 5028 wrote to memory of 532	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	98
PID 5028 wrote to memory of 3868	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	99
PID 5028 wrote to memory of 3868	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	99
PID 5028 wrote to memory of 3868	5028	{3981222C-A6E5-4437-B0FB-758318478AFD}.exe	99
PID 532 wrote to memory of 1516	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	101
PID 532 wrote to memory of 1516	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	101
PID 532 wrote to memory of 1516	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	101
PID 532 wrote to memory of 3552	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	102
PID 532 wrote to memory of 3552	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	102
PID 532 wrote to memory of 3552	532	{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe	102
PID 1516 wrote to memory of 4160	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	103
PID 1516 wrote to memory of 4160	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	103
PID 1516 wrote to memory of 4160	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	103
PID 1516 wrote to memory of 1180	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	104
PID 1516 wrote to memory of 1180	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	104
PID 1516 wrote to memory of 1180	1516	{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe	104
PID 4160 wrote to memory of 2516	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	105
PID 4160 wrote to memory of 2516	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	105
PID 4160 wrote to memory of 2516	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	105
PID 4160 wrote to memory of 2448	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	106
PID 4160 wrote to memory of 2448	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	106
PID 4160 wrote to memory of 2448	4160	{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe	106
PID 2516 wrote to memory of 2720	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	107
PID 2516 wrote to memory of 2720	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	107
PID 2516 wrote to memory of 2720	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	107
PID 2516 wrote to memory of 4772	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	108
PID 2516 wrote to memory of 4772	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	108
PID 2516 wrote to memory of 4772	2516	{78D03A56-207A-4f08-8D35-0640A1345189}.exe	108
PID 2720 wrote to memory of 4812	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	109
PID 2720 wrote to memory of 4812	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	109
PID 2720 wrote to memory of 4812	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	109
PID 2720 wrote to memory of 4508	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	110
PID 2720 wrote to memory of 4508	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	110
PID 2720 wrote to memory of 4508	2720	{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe	110
PID 4812 wrote to memory of 2596	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	111
PID 4812 wrote to memory of 2596	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	111
PID 4812 wrote to memory of 2596	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	111
PID 4812 wrote to memory of 2268	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	112
PID 4812 wrote to memory of 2268	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	112
PID 4812 wrote to memory of 2268	4812	{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe	112
PID 2596 wrote to memory of 1584	2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe	113
PID 2596 wrote to memory of 1584	2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe	113
PID 2596 wrote to memory of 1584	2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe	113
PID 2596 wrote to memory of 1216	2596	{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_7ca0161aca2ca34ff0309b7161b36f19_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
  C:\Windows\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
    C:\Windows\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
      C:\Windows\{3981222C-A6E5-4437-B0FB-758318478AFD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
        
        C:\Windows\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
        
        C:\Windows\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
        
        C:\Windows\{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\{78D03A56-207A-4f08-8D35-0640A1345189}.exe
        
        C:\Windows\{78D03A56-207A-4f08-8D35-0640A1345189}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
        
        C:\Windows\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
        
        C:\Windows\{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
        
        C:\Windows\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{73646546-CE54-4201-BFF0-F60A3E61182E}.exe
        
        C:\Windows\{73646546-CE54-4201-BFF0-F60A3E61182E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe
        
        C:\Windows\{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73646~1.EXE > nul
        13⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F57AF~1.EXE > nul
        12⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C78~1.EXE > nul
        11⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C4D~1.EXE > nul
        10⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78D03~1.EXE > nul
        9⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA153~1.EXE > nul
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C63FA~1.EXE > nul
        7⤵
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F384B~1.EXE > nul
        6⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39812~1.EXE > nul
        5⤵
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A91A~1.EXE > nul
      4⤵
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CEF09~1.EXE > nul
    3⤵
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29C78428-A01D-4c73-B990-0243ED41C2BB}.exe

Filesize
204KB

MD5
655b3921017b69476628295b733e7275

SHA1
cdb5b8f0bafbe1a1b10825c502df88711266391d

SHA256
5d3d1a1b1d4422582b4f0bd1d5b0c95475041fd01e60b16702025e7ae38111c7

SHA512
b9ddac8172e47eaa4f902e9d03a1d4f57ea36b75e37879b65d3b2c5beab56745997df82c78b53cb50192cb3f44d02a3f323a469da535aa30cc48190963ede8d6

Download Submit
C:\Windows\{3981222C-A6E5-4437-B0FB-758318478AFD}.exe

Filesize
204KB

MD5
f0be24fc9411184161eed1690422a587

SHA1
000efc9d77ce9a468fa90425fc113908d64a534a

SHA256
5ce57c7bf9f30ad53760694ab0a1156000c41ea71cbe04c993b1cd086338d43b

SHA512
56cc62d76380898134a983df902717fc0fe797f37e6e8279908bb3b8a0c500c4f5464f417635b3db2b899bdb62e95ced0a8b51f81a45e0818e1208e51f6a75c6

Download Submit
C:\Windows\{49C4D520-824E-42a7-8E13-9A6CC6966A6E}.exe

Filesize
204KB

MD5
8d7d137afe19eb0fee614f75cb724331

SHA1
7e7ecaaef1ba53119fb0288b10c04a1932a0caf2

SHA256
a327656d768f74870524f0e2ca425257dfc7d79ada08821f9cdb733282a37fd8

SHA512
15c531b26871e0107d7468c9bb390712b5d6301549819bc9a4fe328e18e8bd89866ddd7d5a15bcfed852cd0478408ac425c2edc36ee0bb3d902c50f271709e5e

Download Submit
C:\Windows\{73646546-CE54-4201-BFF0-F60A3E61182E}.exe

Filesize
204KB

MD5
e73f073b596679cf69a81b8ae4297a12

SHA1
3194fd95408411ac91903e07939dde7602e35335

SHA256
730101f1d714b2e720a51c56a42d3361f2ee36b6cffb45c3347d94dc77fe87ac

SHA512
7b27af8466ae1f93c304ea20fb0d426326c88a77e1c73cf9d66e20d1d0c19ab109a2362d92f88fcb4bf1a06cd8f22aaeaa0826b20caa7459a59c7d59ba56f94c

Download Submit
C:\Windows\{78D03A56-207A-4f08-8D35-0640A1345189}.exe

Filesize
204KB

MD5
19d449e22c2225fce29a3500d8c26f2b

SHA1
91ff0b4419968e1aa00a9d8e1e186443aa3c6420

SHA256
9c1398ddc257a3a64efd87256b82fe1fecdf81de821cd3cb512e8ee958333605

SHA512
6c04fb2c0d90189ddfc7c852ceb6e511c7a5400ec25f5cc58530f9848008eb596dd2dea0b5e53d9daf45e9725a1b0379fc9e4a6707b9e925ffe78efcfebb18a5

Download Submit
C:\Windows\{8BDF065A-0689-48f9-935D-BC0524C583E1}.exe

Filesize
204KB

MD5
1488cc50703782c66a9665119fafb46a

SHA1
1787724b0f0611bc4d475001008beb92abc04af3

SHA256
bbd7cd8b8bfa12615afd79ca449d695ca1aa596856deb4fe482290bf38b3e8fd

SHA512
136d6ab870ed1945bd37ebf5a0e6ef8a2a9c373ee3a4f0ec4dfca9c1599262e63683be4bbc1740abec098d7856f8623b3d06afa93d32fa805b95c8511de1fc5b

Download Submit
C:\Windows\{9A91A2DA-E079-4949-AFF3-C3E59AF21175}.exe

Filesize
204KB

MD5
3cbe8e9ff4891f176d0d98a0ec677226

SHA1
34d95993d645449ad297248ec271ebcbbb4a1c0a

SHA256
22a985747d1b5e2b013141f37991d7648022631edfa275b9c2ebaecc714977ef

SHA512
908ec67c460243bb01adeec88d5f36fd0aa7936282d781b549cb01eea414baa5c7e9e687ec41b71f62cc59994bfce79c1168766b7a50aaf1826072151944dd6d

Download Submit
C:\Windows\{C63FAA65-3DFA-4b23-AD95-B0A1428B45D9}.exe

Filesize
204KB

MD5
09fc576b8768a2cf2d8f27234c791aaa

SHA1
1d05ae9702dc60525cc0113fe7f6b4a1a802f73d

SHA256
0a446330975975f9cf4b8bc00e88d11f2386e04f3b8cd792133c6c6b63e970e5

SHA512
db7f8de6556ba35d5fafe39c1cb87d3c1661f0d2e7847b62ad661cfd9d2b46de7c44eb6627e5f664c623d9d881e6644ace6163701d022994d91c67935555b389

Download Submit
C:\Windows\{CA153566-78B2-47b3-865B-BC09DB2A273A}.exe

Filesize
204KB

MD5
46fd2aaa1712f0a0355d356af716f2c0

SHA1
7e3d7afab78c5ea70ac06465d32b923636708358

SHA256
e4d5855c66a20cb2237aeb2acd3476274daea5039cb741faeb78b2af5282d5b4

SHA512
20fd15551ed39a9a629a3820ada681feb3cfa152ef053edc10a3c6e76b457597761d256b8acd49c3daf5438b5b46cd62a55ec9196e903f105ce8802a62307257

Download Submit
C:\Windows\{CEF09D5D-0256-4319-AB9F-B97FE00F133E}.exe

Filesize
204KB

MD5
e3882dba8a8acea31fcd69de303bbbf8

SHA1
85d6e8a4fd116eb23f7d48fe682bc3d42ecb0952

SHA256
364cc33b392c0d036900f9f1b5376694a83fd298dd89f80a2a7f94dce6509cf6

SHA512
8de4dc56002c37be3b8ee2b1bdaded79b97ff56dd965c26949d8ac8828932a96cd78a96ba1f04173c85787f805830a91a01af3a9ed181f65a98d04a2e5d5a961

Download Submit
C:\Windows\{F384B562-2BC9-4134-BF2E-9A2C22E63B44}.exe

Filesize
204KB

MD5
605a3971ae68a1e013a5072a5ca5b5c1

SHA1
9d1d40c2a3d164a9383666086bda1faba99746c1

SHA256
7925778e4e4966df09d2fc46361c14d3cc8623b3a79eb3867bce84894fe8cab8

SHA512
0e21473506ce4e3eb62e569a07865983dfdcb0f54bf1aa54cf413e8591e252dd9a69a3dc297fd800f3b07ec62d6ac9b37c8e0ab3b88cf505ff50c4891403d75f

Download Submit
C:\Windows\{F57AF896-E3EA-43d3-821E-FE429A4C38B3}.exe

Filesize
204KB

MD5
cfd93ae0b061caffb5edeec14c764014

SHA1
25edb62c60766fe1bc2a9e2ed58362260c59267a

SHA256
66cf810f6080fd53fa7e0ade9e3d914130676b5ee84a6a722c6dd8fbf9b65e73

SHA512
0178dd07c40de12dbd9d6792d1d424116ce80572d4cf247780ce2919264fab6ebc08a96659e70cd08977307d4a28dcdd85d419ee78bd5627c447b2f6b735a813

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads