Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:21
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Size: 197KB
MD5: 07df5cc6838f279930c33904c850e1db
SHA1: db9fad254bcead8c4c6d5c66633b4ed7ef9d46d4
SHA256: 20c1f5b05d5cb43caee71a2c91870af3415c008102ab0f54d480f1df4f615b1e
SHA512: 3c706f99aac39d42683dc38e62f9b9e251f5811d6c0fcdc5e50647a73c2bae1dc26e06bdaf973ebd9c4d108e5c531fd5a03728b43d9fa5387abadf998c45b9b1
SSDEEP: 3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG8lEeKcAEca
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000022e9f-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023267-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327d-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023136-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327d-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023136-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002327d-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023136-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002327d-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023136-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327a-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023136-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 23 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C} | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188CFD5D-417E-455a-80FE-4036922037E3} | {27279475-5E18-4255-BA3F-39DB88883C10}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5} | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}\stubpath = "C:\\Windows\\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe" | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B52BA59-1776-425f-89E6-7DB4A83B6079} | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A66C-776A-416d-83B7-A9EBD28AE784}\stubpath = "C:\\Windows\\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe" | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}\stubpath = "C:\\Windows\\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe" | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188CFD5D-417E-455a-80FE-4036922037E3}\stubpath = "C:\\Windows\\{188CFD5D-417E-455a-80FE-4036922037E3}.exe" | {27279475-5E18-4255-BA3F-39DB88883C10}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B} | {188CFD5D-417E-455a-80FE-4036922037E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}\stubpath = "C:\\Windows\\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe" | {188CFD5D-417E-455a-80FE-4036922037E3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41079BEB-0797-4979-B8B4-1463829E8964} | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E233E4B6-F8F1-4162-9080-DA5239FAB902}\stubpath = "C:\\Windows\\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe" | {41079BEB-0797-4979-B8B4-1463829E8964}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0} | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55327C1F-113D-415c-B775-53944E266C8B} | {9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41079BEB-0797-4979-B8B4-1463829E8964}\stubpath = "C:\\Windows\\{41079BEB-0797-4979-B8B4-1463829E8964}.exe" | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A66C-776A-416d-83B7-A9EBD28AE784} | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27279475-5E18-4255-BA3F-39DB88883C10}\stubpath = "C:\\Windows\\{27279475-5E18-4255-BA3F-39DB88883C10}.exe" | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}\stubpath = "C:\\Windows\\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe" | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B52BA59-1776-425f-89E6-7DB4A83B6079}\stubpath = "C:\\Windows\\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe" | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27279475-5E18-4255-BA3F-39DB88883C10} | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E233E4B6-F8F1-4162-9080-DA5239FAB902} | {41079BEB-0797-4979-B8B4-1463829E8964}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4599676F-2902-46ca-BA9C-808AECC7B0D9} | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4599676F-2902-46ca-BA9C-808AECC7B0D9}\stubpath = "C:\\Windows\\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe" | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
Executes dropped EXE (11 IoCs)
pid | Process
5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe
6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe
4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe
2324 | {9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
File created | C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
File created | C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
File created | C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | {41079BEB-0797-4979-B8B4-1463829E8964}.exe
File created | C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
File created | C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
File created | C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
File created | C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
File created | C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
File created | C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe | {27279475-5E18-4255-BA3F-39DB88883C10}.exe
File created | C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe | {188CFD5D-417E-455a-80FE-4036922037E3}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe
Token: SeIncBasePriorityPrivilege | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
Token: SeIncBasePriorityPrivilege | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
Token: SeIncBasePriorityPrivilege | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
Token: SeIncBasePriorityPrivilege | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
Token: SeIncBasePriorityPrivilege | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
Token: SeIncBasePriorityPrivilege | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
Token: SeIncBasePriorityPrivilege | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
Token: SeIncBasePriorityPrivilege | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe
Token: SeIncBasePriorityPrivilege | 4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3948 wrote to memory of 5896 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 100
PID 3948 wrote to memory of 5896 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 100
PID 3948 wrote to memory of 5896 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 100
PID 3948 wrote to memory of 5952 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 101
PID 3948 wrote to memory of 5952 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 101
PID 3948 wrote to memory of 5952 | 3948 | 2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe | 101
PID 5896 wrote to memory of 6020 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 102
PID 5896 wrote to memory of 6020 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 102
PID 5896 wrote to memory of 6020 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 102
PID 5896 wrote to memory of 5500 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 103
PID 5896 wrote to memory of 5500 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 103
PID 5896 wrote to memory of 5500 | 5896 | {41079BEB-0797-4979-B8B4-1463829E8964}.exe | 103
PID 6020 wrote to memory of 5876 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 106
PID 6020 wrote to memory of 5876 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 106
PID 6020 wrote to memory of 5876 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 106
PID 6020 wrote to memory of 1660 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 107
PID 6020 wrote to memory of 1660 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 107
PID 6020 wrote to memory of 1660 | 6020 | {E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe | 107
PID 5876 wrote to memory of 116 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 110
PID 5876 wrote to memory of 116 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 110
PID 5876 wrote to memory of 116 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 110
PID 5876 wrote to memory of 224 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 111
PID 5876 wrote to memory of 224 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 111
PID 5876 wrote to memory of 224 | 5876 | {4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe | 111
PID 116 wrote to memory of 4160 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 112
PID 116 wrote to memory of 4160 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 112
PID 116 wrote to memory of 4160 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 112
PID 116 wrote to memory of 1280 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 113
PID 116 wrote to memory of 1280 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 113
PID 116 wrote to memory of 1280 | 116 | {8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe | 113
PID 4160 wrote to memory of 2640 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 114
PID 4160 wrote to memory of 2640 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 114
PID 4160 wrote to memory of 2640 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 114
PID 4160 wrote to memory of 3936 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 115
PID 4160 wrote to memory of 3936 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 115
PID 4160 wrote to memory of 3936 | 4160 | {A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe | 115
PID 2640 wrote to memory of 2472 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 116
PID 2640 wrote to memory of 2472 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 116
PID 2640 wrote to memory of 2472 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 116
PID 2640 wrote to memory of 3744 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 117
PID 2640 wrote to memory of 3744 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 117
PID 2640 wrote to memory of 3744 | 2640 | {7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe | 117
PID 2472 wrote to memory of 2192 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 118
PID 2472 wrote to memory of 2192 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 118
PID 2472 wrote to memory of 2192 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 118
PID 2472 wrote to memory of 1652 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 119
PID 2472 wrote to memory of 1652 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 119
PID 2472 wrote to memory of 1652 | 2472 | {8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe | 119
PID 2192 wrote to memory of 3728 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 120
PID 2192 wrote to memory of 3728 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 120
PID 2192 wrote to memory of 3728 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 120
PID 2192 wrote to memory of 4836 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 121
PID 2192 wrote to memory of 4836 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 121
PID 2192 wrote to memory of 4836 | 2192 | {59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe | 121
PID 3728 wrote to memory of 4620 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 122
PID 3728 wrote to memory of 4620 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 122
PID 3728 wrote to memory of 4620 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 122
PID 3728 wrote to memory of 1648 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 123
PID 3728 wrote to memory of 1648 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 123
PID 3728 wrote to memory of 1648 | 3728 | {27279475-5E18-4255-BA3F-39DB88883C10}.exe | 123
PID 4620 wrote to memory of 2324 | 4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe | 124
PID 4620 wrote to memory of 2324 | 4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe | 124
PID 4620 wrote to memory of 2324 | 4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe | 124
PID 4620 wrote to memory of 5084 | 4620 | {188CFD5D-417E-455a-80FE-4036922037E3}.exe | 125
Processes (indentation shows parent/child nesting; the leading number is the depth in the tree)
1  C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3948
   2  C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe
      Command line: C:\Windows\{41079BEB-0797-4979-B8B4-1463829E8964}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5896
      3  C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
         Command line: C:\Windows\{E233E4B6-F8F1-4162-9080-DA5239FAB902}.exe
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 6020
         4  C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
            Command line: C:\Windows\{4599676F-2902-46ca-BA9C-808AECC7B0D9}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 5876
            5  C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
               Command line: C:\Windows\{8CB0203D-56F6-4a66-954B-D9AD934A0DB5}.exe
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               PID: 116
               6  C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
                  Command line: C:\Windows\{A9B475B0-0156-4578-ADCB-91EAC79DFFF0}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 4160
                  7  C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
                     Command line: C:\Windows\{7B52BA59-1776-425f-89E6-7DB4A83B6079}.exe
                     - Modifies Installed Components in the registry
                     - Executes dropped EXE
                     - Drops file in Windows directory
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of WriteProcessMemory
                     PID: 2640
                     8  C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
                        Command line: C:\Windows\{8E17A66C-776A-416d-83B7-A9EBD28AE784}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        PID: 2472
                        9  C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
                           Command line: C:\Windows\{59AFDDD4-18FF-4d0d-91AE-73D597F2539C}.exe
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of WriteProcessMemory
                           PID: 2192
                           10 C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe
                              Command line: C:\Windows\{27279475-5E18-4255-BA3F-39DB88883C10}.exe
                              - Modifies Installed Components in the registry
                              - Executes dropped EXE
                              - Drops file in Windows directory
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of WriteProcessMemory
                              PID: 3728
                              11 C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe
                                 Command line: C:\Windows\{188CFD5D-417E-455a-80FE-4036922037E3}.exe
                                 - Modifies Installed Components in the registry
                                 - Executes dropped EXE
                                 - Drops file in Windows directory
                                 - Suspicious use of AdjustPrivilegeToken
                                 - Suspicious use of WriteProcessMemory
                                 PID: 4620
                                 12 C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
                                    Command line: C:\Windows\{9C34C1CC-B3E7-4b49-99AE-7C8FB001316B}.exe
                                    - Modifies Installed Components in the registry
                                    - Executes dropped EXE
                                    PID: 2324
                                    13 C:\Windows\{55327C1F-113D-415c-B775-53944E266C8B}.exe
                                       Command line: C:\Windows\{55327C1F-113D-415c-B775-53944E266C8B}.exe
                                       PID: 5756
                                    13 C:\Windows\SysWOW64\cmd.exe
                                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9C34C~1.EXE > nul
                                       PID: 772
                                 12 C:\Windows\SysWOW64\cmd.exe
                                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{188CF~1.EXE > nul
                                    PID: 5084
                              11 C:\Windows\SysWOW64\cmd.exe
                                 Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{27279~1.EXE > nul
                                 PID: 1648
                           10 C:\Windows\SysWOW64\cmd.exe
                              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59AFD~1.EXE > nul
                              PID: 4836
                        9  C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8E17A~1.EXE > nul
                           PID: 1652
                     8  C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7B52B~1.EXE > nul
                        PID: 3744
                  7  C:\Windows\SysWOW64\cmd.exe
                     Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B47~1.EXE > nul
                     PID: 3936
               6  C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB02~1.EXE > nul
                  PID: 1280
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{45996~1.EXE > nul
               PID: 224
         4  C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E233E~1.EXE > nul
            PID: 1660
      3  C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{41079~1.EXE > nul
         PID: 5500
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 5952
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
   PID: 5848
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 197KB
MD5: 73696f50ba20f50033bd42c69de24135
SHA1: 2e357efd09d5d403f401fcffcf8e347d14f9df6a
SHA256: 1e07fe01c0b2c1f5e04a133ecde1f41ed0ef09ddcc17c8a338a431ca12c1c3ec
SHA512: 8f7f2310cd3a6e2f31c64b16e85dd5ae296163d273768a1eeedabb2c84bd7fcb6e5fc726477f1b136a36649d4c8b773b036c397c9752c0ae704c3085c423007f

Filesize: 197KB
MD5: 06d7e288e2e225274a6ee9dec1697e4c
SHA1: e016fde46fc695f6e48c0e65cbf59651950aad96
SHA256: 8500afb1e76a1ea7f1b9de82ccaef5112a6c56f81f73979d516c84ef9625efe4
SHA512: d8029ed11d3139269de76e9324122b9c2c6f43e94759c5cbd6ac123f5f560d5e2f8d1bab0d04382f9fc7323a44c68cde9a24742b7a585f918202b181ac09c7f3

Filesize: 197KB
MD5: 88d04b107bcd3eab68613f40a428af6e
SHA1: 07bea16a9870b6f3d8752b94130ff7f496e529a2
SHA256: 459a15d91b42da890e8897d0e783b7fc19a64bb6aee19739f82eacb0f0a7cc7e
SHA512: 71faf1118bb18b7ae19e1386358ebcbce8df10705c53de3600d7f3e1acff3e8b8cf1ffef441c34fb2b028e7924f6dee6d84671886fea1891686fd3858f005505

Filesize: 197KB
MD5: 4c7d8353aa8d61ff84eb2c0fab2ff149
SHA1: 9d8e735da283193eb01b08eb7b8365f013da48ab
SHA256: 2835115d6f4fc52845ff17225223ac5e4c5075b85e78c98dec593b28ca05feaa
SHA512: 0cf99664468e7fd18d7d858b7d6a16c908377911a5d2029121215628339f674bfd7ba31b85f7ad55511a04f99057460f15ea9643f73ce488de9da68ef49cb92e

Filesize: 132KB
MD5: ad16bd8b7f8f1a1e6c12118c8581ee92
SHA1: 7febe6500a84f840fd11320c549f3d10f20d125e
SHA256: 43bc36a9bc431b87ad5dd2beb73bd8bda833c29297bce02d48c1391e1f40207c
SHA512: 05b63192e0476225f1f2ff8e0ca1ea696023b21bbb7badd8d41dd6243981bf076a257b5834c85c2e1652b40db09815d37a654bbe8aa3b231fd3ae398102f005f

Filesize: 197KB
MD5: d50272bbdabf94c656c963302f32597b
SHA1: b728abe3c9b15fc28ee4241f816c1d27b22a03fe
SHA256: 09779308126d9add168f09852e50350d942c884cd0a4dd4641a107e3a564b22a
SHA512: 30c5fe480317ceac07f5a39de022850a41e574b4be9d436e08a5e9cf4fa46d4331c3cef435860f1f7d7a166911ace7eb2a05aa5348bd8e077a53d0323a1c53fe

Filesize: 197KB
MD5: 0f6e1d9e5c5f76acce46c1f187d87f74
SHA1: 969c2cc845e19700104172035b0cfc52a7de6e2d
SHA256: e385df1415ec7e531b1551e24fec5f74a2b32810ce7ca17b48bfa8935cb35338
SHA512: 89a54b2b9a612fc0db58c2eb51d275814741c9148e2e286a614af7cd5d345ace2d993fcf02cd89c6c0bb5693074d77152c968edd1c998cc7bf8b1aece7dbe6ba

Filesize: 197KB
MD5: 97f79c95fe30860ca9d17bb71ed413c9
SHA1: da25338feb702ad9d3dee1a720fe8f3af55ee812
SHA256: 9d4d65b0f9d820e74031a514b2c3b9f2e7c93c74d1f62470eae06c2b455f0237
SHA512: aa953d28d626a3dcae07b57178507dce4077eb42f0e7fdbf09e25c745c75e01b680e2eda14cddcc71f31fa69a293f373bf09bbd2bd6a1d3f8a497c0c1341c4cb

Filesize: 197KB
MD5: c3835bb14faad522fe804fe3aa286a30
SHA1: 44b240695643419d2929ffb8c6393bbec3dfb759
SHA256: 82bfc0025d2c168b404912fbd2cf1cac3d7ece6a8322a378f11051916eef17f1
SHA512: 8425341a3916309c6275e93580922bc05016320016855a194c346fcea6c449d4e005f5a80bcb7625537f5d575ea9300b2bc9fa031fa0329bf88a4ba427ca2af3

Filesize: 197KB
MD5: b27a9e4d1be9a28d4c3e2dbd9125b28e
SHA1: d629e1f9faf3b11200d327b945a825429716ce5c
SHA256: 4d9dacd4345cc77aa2db7cfeda3fe243a4bec0b02f5077a6e848407ec021666f
SHA512: da0984d0160f29dfb26e8e80b19df029ef620e580df99cbfa3b5fb5b7c55bf2f070f069067bde2a5f294acb33c43724534e2c41317d7835aa8b2a5c00cd85b15

Filesize: 197KB
MD5: 9a86691eceab19743ba7daac40099ddd
SHA1: f8319320e6644c490871a176d16bcc86eb599f72
SHA256: b91ed8fc47fd914ebd22c1b39a61a18f2c56769a7fbba299f432a4856bb67346
SHA512: b4d0d08e7a042ce0df084508e84a4e1529109b7cbdb040c9ad7d2c87a26c5686462d509af28de57b7aebb8d5cc696649d2f0bb33db31200b9f4a0b4050198c7b

Filesize: 197KB
MD5: 3bcf5d071e436d662733535c8f93ed4a
SHA1: 274eadeb3ae84ee63d0c90c38bf19565ce3249b5
SHA256: de718c7ad1cd9df737b96dec285c41a5d2d02283d5c2d4db9ae1d1e6dc335fae
SHA512: e869ba2dc6fe2a93f79ca42f8e6d575a19b8512ebfca65720becf2c6fafd8f09d2adcc5f70c01dd65ee8b01b99cf252dc7c6191fdcdd1c20d05eaddfb73d2182