Analysis
- max time kernel: 144s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 23:22
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
- Size: 197KB
- MD5: 0da03db861609ce5d2f7075059c41f71
- SHA1: 11001db7b0c0a83612e91587aa621e17ab36b309
- SHA256: 4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e
- SHA512: 718cbda8488a15c19a4cb21b2c5666c639e662c88fac4a081c14b6cc95e64f6190aee42e70f273f6d38183fc90eb03c3897b887b5f35f0cbbea46b59182832ac
- SSDEEP: 3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGflEeKcAEca
Malware Config
Signatures
Auto-generated rule 13 IoCs
resource / yara_rule:
- behavioral1/files/0x000c000000012254-5.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000a0000000122b8-12.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000d000000012254-19.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x00300000000143fd-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0004000000004ed7-33.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0004000000004ed7-34.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000e000000012254-40.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0005000000004ed7-47.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x000f000000012254-54.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0006000000004ed7-61.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0006000000004ed7-62.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0010000000012254-68.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral1/files/0x0007000000004ed7-75.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description / ioc (Process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}\stubpath = "C:\\Windows\\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe" (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}\stubpath = "C:\\Windows\\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe" ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08BD3BBB-6CB2-4525-BC03-B43296437F33} ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7} ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}\stubpath = "C:\\Windows\\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe" ({63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4} ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08BD3BBB-6CB2-4525-BC03-B43296437F33}\stubpath = "C:\\Windows\\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe" ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}\stubpath = "C:\\Windows\\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe" ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47029E8-60DC-41f1-886E-2679C02B46F3}\stubpath = "C:\\Windows\\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe" ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086} ({A47029E8-60DC-41f1-886E-2679C02B46F3}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C022BA33-3522-42fc-A99E-80F6E8CA601B} ({DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C022BA33-3522-42fc-A99E-80F6E8CA601B}\stubpath = "C:\\Windows\\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe" ({DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0} ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}\stubpath = "C:\\Windows\\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe" ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}\stubpath = "C:\\Windows\\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe" ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8} ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}\stubpath = "C:\\Windows\\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe" ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47029E8-60DC-41f1-886E-2679C02B46F3} ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}\stubpath = "C:\\Windows\\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe" ({A47029E8-60DC-41f1-886E-2679C02B46F3}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1} (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54} ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F} ({63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe)
Deletes itself 1 IoCs
pid / Process:
- 1684: cmd.exe
Executes dropped EXE 11 IoCs
pid / Process:
- 1516: {1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
- 2636: {8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
- 2540: {08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
- 2592: {366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
- 2412: {36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
- 920: {A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
- 1716: {4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
- 2400: {A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
- 2920: {63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
- 336: {DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
- 688: {C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
Drops file in Windows directory 11 IoCs
description / ioc (Process):
- File created: C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe)
- File created: C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe)
- File created: C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe)
- File created: C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe)
- File created: C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe)
- File created: C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe)
- File created: C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe)
- File created: C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe)
- File created: C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe ({A47029E8-60DC-41f1-886E-2679C02B46F3}.exe)
- File created: C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe ({63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe)
- File created: C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe ({DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe)
Suspicious use of AdjustPrivilegeToken 11 IoCs
description / pid (Process):
- Token: SeIncBasePriorityPrivilege, 1632 (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe)
- Token: SeIncBasePriorityPrivilege, 1516 ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe)
- Token: SeIncBasePriorityPrivilege, 2636 ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe)
- Token: SeIncBasePriorityPrivilege, 2540 ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe)
- Token: SeIncBasePriorityPrivilege, 2592 ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe)
- Token: SeIncBasePriorityPrivilege, 2412 ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe)
- Token: SeIncBasePriorityPrivilege, 920 ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe)
- Token: SeIncBasePriorityPrivilege, 1716 ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe)
- Token: SeIncBasePriorityPrivilege, 2400 ({A47029E8-60DC-41f1-886E-2679C02B46F3}.exe)
- Token: SeIncBasePriorityPrivilege, 2920 ({63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe)
- Token: SeIncBasePriorityPrivilege, 336 ({DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description / pid (Process) / procid_target; each of the 16 parent-to-child pairs below is logged four times in the report, 64 events in total:
- PID 1632 (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe) wrote to memory of 1516, procid_target 28
- PID 1632 (2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe) wrote to memory of 1684, procid_target 29
- PID 1516 ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe) wrote to memory of 2636, procid_target 30
- PID 1516 ({1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe) wrote to memory of 2652, procid_target 31
- PID 2636 ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe) wrote to memory of 2540, procid_target 32
- PID 2636 ({8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe) wrote to memory of 2684, procid_target 33
- PID 2540 ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe) wrote to memory of 2592, procid_target 36
- PID 2540 ({08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe) wrote to memory of 2900, procid_target 37
- PID 2592 ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe) wrote to memory of 2412, procid_target 38
- PID 2592 ({366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe) wrote to memory of 2700, procid_target 39
- PID 2412 ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe) wrote to memory of 920, procid_target 40
- PID 2412 ({36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe) wrote to memory of 1860, procid_target 41
- PID 920 ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe) wrote to memory of 1716, procid_target 42
- PID 920 ({A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe) wrote to memory of 2344, procid_target 43
- PID 1716 ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe) wrote to memory of 2400, procid_target 44
- PID 1716 ({4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe) wrote to memory of 1972, procid_target 45
Processes
Process tree; the number in brackets is the nesting depth, so each entry is a child of the nearest preceding entry with the next-lower depth.

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"
    PID: 1632
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
    Command line: C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
    PID: 1516
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
    Command line: C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
    PID: 2636
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
    Command line: C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
    PID: 2540
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
    Command line: C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
    PID: 2592
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
    Command line: C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
    PID: 2412
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
    Command line: C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
    PID: 920
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
    Command line: C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
    PID: 1716
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
    Command line: C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
    PID: 2400
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[10] C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
    Command line: C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
    PID: 2920
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[11] C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
    Command line: C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
    PID: 336
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[12] C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
    Command line: C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
    PID: 688
    - Executes dropped EXE

[12] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DF668~1.EXE > nul
    PID: 772

[11] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{63EE5~1.EXE > nul
    PID: 2824

[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A4702~1.EXE > nul
    PID: 1812

[9] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4462F~1.EXE > nul
    PID: 1972

[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E4A~1.EXE > nul
    PID: 2344

[7] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{36F2B~1.EXE > nul
    PID: 1860

[6] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{366BB~1.EXE > nul
    PID: 2700

[5] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{08BD3~1.EXE > nul
    PID: 2900

[4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA8A~1.EXE > nul
    PID: 2684

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1310E~1.EXE > nul
    PID: 2652

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 1684
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads