Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
02/03/2024, 23:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
-
Size
408KB
-
MD5
60519da15958b25e42df8453c8d8608d
-
SHA1
bd54a40bdff07aef1ce2c870492368b064982458
-
SHA256
620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671
-
SHA512
badebc03c40bb371ec5748115c4dfd8ebbaa639034d524fbc1a631e3bd756ebfb380873957281c6443d97ddefed8bf77a935ce07dee37f35d578b96c95359c06
-
SSDEEP
3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023236-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023237-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323f-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023143-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323f-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023143-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323f-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023143-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002323f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023143-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323b-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}\stubpath = "C:\\Windows\\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe" | {B17A416D-A83C-4226-BD76-03C874EED344}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}\stubpath = "C:\\Windows\\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe" | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD77BBF-E7DB-49b6-8174-839B8225FABB} | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}\stubpath = "C:\\Windows\\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe" | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A416D-A83C-4226-BD76-03C874EED344}\stubpath = "C:\\Windows\\{B17A416D-A83C-4226-BD76-03C874EED344}.exe" | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}\stubpath = "C:\\Windows\\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe" | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49} | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A754E4-E0CD-4a63-8965-AEF17971FB57} | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}\stubpath = "C:\\Windows\\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe" | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2EB825-DCB5-4f93-AE85-DE25677523EA} | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558D66EA-34A4-426e-A7BB-6E728C6A0712}\stubpath = "C:\\Windows\\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe" | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC84F65-B632-4c1a-96B7-E1E529832E55}\stubpath = "C:\\Windows\\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe" | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}\stubpath = "C:\\Windows\\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe" | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A} | {CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2} | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}\stubpath = "C:\\Windows\\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe" | {CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{558D66EA-34A4-426e-A7BB-6E728C6A0712} | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC84F65-B632-4c1a-96B7-E1E529832E55} | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B} | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}\stubpath = "C:\\Windows\\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe" | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}\stubpath = "C:\\Windows\\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe" | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A416D-A83C-4226-BD76-03C874EED344} | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9} | {B17A416D-A83C-4226-BD76-03C874EED344}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD} | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
-
Executes dropped EXE 11 IoCs
pid | Process
4768 | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
3628 | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
1972 | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
4332 | {B17A416D-A83C-4226-BD76-03C874EED344}.exe
5000 | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
3216 | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
2304 | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
3888 | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
5004 | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
2612 | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
4952 | {CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
-
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
File created | C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
File created | C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
File created | C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
File created | C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe | {B17A416D-A83C-4226-BD76-03C874EED344}.exe
File created | C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
File created | C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
File created | C:\Windows\{8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe | {CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
File created | C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
File created | C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
File created | C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
File created | C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1580 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4768 | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
Token: SeIncBasePriorityPrivilege | 3628 | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
Token: SeIncBasePriorityPrivilege | 1972 | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
Token: SeIncBasePriorityPrivilege | 4332 | {B17A416D-A83C-4226-BD76-03C874EED344}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
Token: SeIncBasePriorityPrivilege | 3216 | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
Token: SeIncBasePriorityPrivilege | 2304 | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
Token: SeIncBasePriorityPrivilege | 3888 | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
Token: SeIncBasePriorityPrivilege | 5004 | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
Token: SeIncBasePriorityPrivilege | 2612 | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1580 wrote to memory of 4768 | 1580 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 92 (listed 3 times)
PID 1580 wrote to memory of 1740 | 1580 | 2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe | 93 (listed 3 times)
PID 4768 wrote to memory of 3628 | 4768 | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe | 94 (listed 3 times)
PID 4768 wrote to memory of 4664 | 4768 | {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe | 95 (listed 3 times)
PID 3628 wrote to memory of 1972 | 3628 | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe | 98 (listed 3 times)
PID 3628 wrote to memory of 4392 | 3628 | {558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe | 99 (listed 3 times)
PID 1972 wrote to memory of 4332 | 1972 | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe | 101 (listed 3 times)
PID 1972 wrote to memory of 2040 | 1972 | {EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe | 102 (listed 3 times)
PID 4332 wrote to memory of 5000 | 4332 | {B17A416D-A83C-4226-BD76-03C874EED344}.exe | 103 (listed 3 times)
PID 4332 wrote to memory of 2420 | 4332 | {B17A416D-A83C-4226-BD76-03C874EED344}.exe | 104 (listed 3 times)
PID 5000 wrote to memory of 3216 | 5000 | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe | 105 (listed 3 times)
PID 5000 wrote to memory of 2556 | 5000 | {729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe | 106 (listed 3 times)
PID 3216 wrote to memory of 2304 | 3216 | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe | 107 (listed 3 times)
PID 3216 wrote to memory of 1684 | 3216 | {06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe | 108 (listed 3 times)
PID 2304 wrote to memory of 3888 | 2304 | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe | 109 (listed 3 times)
PID 2304 wrote to memory of 2464 | 2304 | {509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe | 110 (listed 3 times)
PID 3888 wrote to memory of 5004 | 3888 | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe | 111 (listed 3 times)
PID 3888 wrote to memory of 5100 | 3888 | {77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe | 112 (listed 3 times)
PID 5004 wrote to memory of 2612 | 5004 | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe | 113 (listed 3 times)
PID 5004 wrote to memory of 4628 | 5004 | {3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe | 114 (listed 3 times)
PID 2612 wrote to memory of 4952 | 2612 | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe | 115 (listed 3 times)
PID 2612 wrote to memory of 1028 | 2612 | {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe | 116 (listed once; the signature listing ends at 64 IoCs)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1580
  [depth 2] C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
    Command line: C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4768
    [depth 3] C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
      Command line: C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3628
      [depth 4] C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
        Command line: C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1972
        [depth 5] C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
          Command line: C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4332
          [depth 6] C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
            Command line: C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 5000
            [depth 7] C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
              Command line: C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3216
              [depth 8] C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
                Command line: C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2304
                [depth 9] C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
                  Command line: C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 3888
                  [depth 10] C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
                    Command line: C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 5004
                    [depth 11] C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
                      Command line: C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 2612
                      [depth 12] C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
                        Command line: C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        PID: 4952
                      [depth 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A75~1.EXE > nul
                        PID: 1028
                    [depth 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCD6~1.EXE > nul
                      PID: 4628
                  [depth 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{77CB8~1.EXE > nul
                    PID: 5100
                [depth 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{50959~1.EXE > nul
                  PID: 2464
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{06ADE~1.EXE > nul
                PID: 1684
            [depth 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{729AD~1.EXE > nul
              PID: 2556
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B17A4~1.EXE > nul
            PID: 2420
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC84~1.EXE > nul
          PID: 2040
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{558D6~1.EXE > nul
        PID: 4392
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD77~1.EXE > nul
      PID: 4664
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 1740
-
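Read together, the registry, file and process signatures above record one pattern repeated by every stage: the running stage writes the next stage into C:\Windows under a fresh GUID name, registers that path as the stubpath of an Active Setup Installed Components key with the same GUID (Active Setup runs a StubPath once per user at logon, so the entry survives a reboot), launches it, and spawns cmd.exe /c del against its own image using the 8.3 short name ({CCD77~1.EXE for {CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe). The last stage in the tree, {CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe, dropped and registered {8BC51157-FFCF-4d66-BC27-65D38F1AF43A}.exe, but no process for it appears. The script below is an added example and is not part of the sandbox report or of the sample: it encodes the two checks a detection engineer would write for this pattern and runs them over events constructed here to mirror the report's first three stages. The Sysmon-like field names (EventType, Image, ParentImage, CommandLine, TargetObject, Details) and the benign Active Setup control entry are assumptions, not report data.

```python
"""Two detection checks for the per-stage pattern in this report.

Added example, not part of the sandbox report or the sample. EVENTS mirrors
the report's "Modifies Installed Components" and "Processes" entries for the
first three stages in a Sysmon-like shape; the field names are assumptions.
"""
import re
from collections import defaultdict

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
# A GUID-named executable sitting directly in the Windows directory
GUID_EXE_IN_WINDOWS = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.I)
# The stubpath value of an Active Setup Installed Components key
STUBPATH_VALUE = re.compile(r"\\Active Setup\\Installed Components\\" + GUID + r"\\stubpath$", re.I)
# "cmd.exe /c del <dir><up to six chars>~1.EXE > nul": a delete through an 8.3 alias
SHORT_NAME_DEL = re.compile(
    r'/c\s+del\s+(?P<dir>[A-Za-z]:\\(?:[^\\\s"]+\\)*)(?P<stem>[^\\\s"~]{1,6})~1\.EXE\s*>\s*nul', re.I)

ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"
STAGE1 = r"C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe"
STAGE2 = r"C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe"
STAGE3 = r"C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

def proc(pid, image, parent, cmdline):
    return {"EventType": "ProcessCreate", "ProcessId": pid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}

def setval(image, target):
    """Stage `image` registers `target` as stubpath of the key named after it."""
    guid = target.rsplit("\\", 1)[1][:-len(".exe")]
    return {"EventType": "SetValue", "Image": image,
            "TargetObject": ACTIVE_SETUP + "\\" + guid + "\\stubpath", "Details": target}

# Constructed events mirroring the report's first three stages (PIDs as reported).
EVENTS = [
    setval(SAMPLE, STAGE1),
    proc(4768, STAGE1, SAMPLE, STAGE1),
    proc(1740, CMD, SAMPLE, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    setval(STAGE1, STAGE2),
    proc(3628, STAGE2, STAGE1, STAGE2),
    proc(4664, CMD, STAGE1, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD77~1.EXE > nul"),
    setval(STAGE2, STAGE3),
    proc(1972, STAGE3, STAGE2, STAGE3),
    proc(4392, CMD, STAGE2, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{558D6~1.EXE > nul"),
    # Constructed benign control (not from the report): a StubPath under System32.
    {"EventType": "SetValue", "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": ACTIVE_SETUP + r"\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\stubpath",
     "Details": r"C:\Windows\System32\unregmp2.exe /ShowWMP"},
]

def is_guid_stubpath_persistence(ev):
    """Active Setup stubpath pointing at a GUID-named exe in the Windows root.
    Active Setup runs each StubPath once per user at logon, hence persistence."""
    return (ev["EventType"] == "SetValue"
            and STUBPATH_VALUE.search(ev["TargetObject"]) is not None
            and GUID_EXE_IN_WINDOWS.match(ev["Details"]) is not None)

def is_short_name_self_delete(ev):
    """cmd.exe /c del of the parent's own image through its 8.3 alias."""
    if ev["EventType"] != "ProcessCreate" or not ev["Image"].lower().endswith("\\cmd.exe"):
        return False
    m = SHORT_NAME_DEL.search(ev["CommandLine"])
    if m is None:
        return False
    parent_dir, parent_name = ev["ParentImage"].rsplit("\\", 1)
    # An 8.3 alias keeps the first six characters of the long name (spaces and
    # extra dots dropped) before "~1", so the stem must prefix the parent's name.
    return (m.group("dir").rstrip("\\").lower() == parent_dir.lower()
            and parent_name.upper().startswith(m.group("stem").upper()))

def reconstruct_chain(events, root_image):
    """Follow ProcessCreate links from the sample through GUID-named stages.
    Returns the ordered chain and {writer image: stubpath it registered}."""
    children, registered = defaultdict(list), {}
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            children[ev["ParentImage"]].append(ev["Image"])
        elif is_guid_stubpath_persistence(ev):
            registered[ev["Image"]] = ev["Details"]
    chain = [root_image]
    while True:
        nxt = [c for c in children[chain[-1]] if GUID_EXE_IN_WINDOWS.match(c)]
        if not nxt:
            return chain, registered
        chain.append(nxt[0])

def persistence_matches_launch(events, root_image):
    """True when every stage registered exactly the executable it then launched."""
    chain, registered = reconstruct_chain(events, root_image)
    return len(chain) > 1 and all(
        registered.get(parent) == child for parent, child in zip(chain, chain[1:]))

def self_delete_pids(events):
    return [ev["ProcessId"] for ev in events if is_short_name_self_delete(ev)]

if __name__ == "__main__":
    print("chain:", *reconstruct_chain(EVENTS, SAMPLE)[0], sep="\n  ")
    print("each stubpath is the next stage:", persistence_matches_launch(EVENTS, SAMPLE))
    print("self-delete cmd.exe PIDs:", self_delete_pids(EVENTS))
```

Run as-is it reconstructs sample, {CCD77BBF-...}.exe, {558D66EA-...}.exe, {EFC84F65-...}.exe, confirms each stage's stubpath equals the child it launched, and reports cmd.exe PIDs 1740, 4664 and 4392 as self-deletes while leaving the benign control unflagged. On a live host the same two checks map onto Sysmon Event ID 13 (registry value set) and Event ID 1 (process create). Two caveats for production use: the 8.3 check only accepts the "~1" alias, whereas name collisions produce "~2" and higher, and the alias rule is approximated by a six-character prefix, which is exact for these names but not for long names containing spaces or extra dots.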
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
408KB
MD5
f8cdaed21a8b002179a39d0ff888dfd7
SHA1
9c48eb0f44ae3dfc12b5a73909235205285fbef8
SHA256
177c9fa341083b4100f70e1528718ba0fd5fe95e5751a3f11fbccdf9a742ff43
SHA512
8777ae8d97445b78a7de9b1fec648a3625e99a1b6d27e59ac15a43d32c1a22dc653d1e9d56148041599fdab96c392860cd871ff1761629a2367f837a6c988193
-
Filesize
408KB
MD5
c60865db9dc7cec55eeb4b031cb623bb
SHA1
3793a5776ac32e42dd0137c511f01499b19acf31
SHA256
30d9918665979210ae8088b0b8917a2587c8134f47395e6c91972c5bf43b7108
SHA512
03d285b39ecb30618418e55aa2a11596a823f783d1cb0b5b288297f150b61d477f7f5b6c157fc31b797c9d866396122a732480f93c93371eefc5de670f928270
-
Filesize
408KB
MD5
de2a3345e71bbfe2e1e0ae0e7117cb2b
SHA1
e3e87fbc6ffeba0c27d8ec355d05f03870e4206b
SHA256
d9cd32e79b9252c7de95008894c36f5156ded46e9f11cc37d03995a47c65da0b
SHA512
cd365f548a507bc2ebf31041a71d2da2d9f02965bc83cf89538b533073cdc033ac2f5d1cc554478087b8b658ef160534105ffa51c37d81bc7880eabbb416593b
-
Filesize
408KB
MD5
2497466caab534f89f8df00398c9f42b
SHA1
5abb0260b3041f4e7abb026c79aada6b17adcecc
SHA256
6c1e2ccdca6cb783e31d0283d061842345329b028df00be04dd6fa01d399f5e7
SHA512
e521fd7de442bff2ee20b275397e71dcb46079c99ff79040c7be5a1ea4f5b578b8c2a01cf88f17d040d02d8938aff945e819382c557f75921da27549990752b7
-
Filesize
408KB
MD5
fa906f0320cd43ca254b88858ea380bb
SHA1
66ef744ef0702a04b61a847277790e3b606c91af
SHA256
5b4ec02fc08942aafe18aba8dc678d746d0db5a2c61edf5472ffa521b52cf385
SHA512
0aa5ca3976572d857cfb7eba254f5ff22fa862ff5dd68ebf23f0193973cbc43e997bad54986ac75df07a726c5146d84c7a5a376b0338082c79cf7d9f9a1adb80
-
Filesize
408KB
MD5
38840202eda6e5361a340efc55616d22
SHA1
5c604014c232c5341ee604af65bcb7b4e22ce470
SHA256
a48cd787ce82587c64974a523fedd97accd142adcde15aba9acb4c2411c0b579
SHA512
ea8d6db81bd06bae687c9998f253a806aca1fcb1b8a8c6388d1a1a632e5977ef28e06ee14c53eea92b69e23f2f2d5361e0bf6ae18985b067d04e4099a285a61a
-
Filesize
408KB
MD5
5a2182df51dcdc9373e80db8898774b3
SHA1
9bd01b4ef25721dacc17bc6c8bbf5d82b573169e
SHA256
e55c9e1f281d321f9dfe6176ade0c1615339551b58faa152219792cc8d101e3d
SHA512
e72c750acb6606c837b1e1504824400da4b512656b5806ce2d965a5f08adaa496d871fb10ae1467d7b79586ff48132bcfc8fa0492b192c0fe6cee0f12c070c2c
-
Filesize
408KB
MD5
81320bdc8cbc7973873ef338cb7066d1
SHA1
6bfb3cb89e056fa6385b67e42a4f77c0cda4827f
SHA256
1cd7d72d316024796e93e2f8ea848dd456063f3e572d0fb9507c6e94470911bb
SHA512
71fa3d276fb20ceaeb1211458ca5e1fa331244ebd42c8edbfac57af81ceb6b978c02a1334e82215b5400c5e32d2cb6875c092c3e040e0d11325a5df8c4584b37
-
Filesize
408KB
MD5
a085988fcb2df201bc8e1e3a678b97f6
SHA1
07feca3eb52f2f15b18c3ce53efc056e29ce453f
SHA256
61e1ee1d51776e0d31e3d9f62c452a9190c8186f85d4d7e733fb2caa0e149a63
SHA512
949e335c44bdcd256fd8b46ddd13be1863913591c996ca2038bb222b55b87675967643e7dd3c28da9d24400c70c470f581b0269d0323afe4fee1e941c27ea31f
-
Filesize
408KB
MD5
78f6e86f4ad600d4760dc1b8b95b640d
SHA1
3187b172307de9c91049366f82ba1178801ed67c
SHA256
61833cf64da0c8e940d25429994c6f1aa6c6bbc33de4c1662239f2a933c6d34a
SHA512
1226dc7c201ecfa85954e29da61833e80e82f19848e4137eb2e5000464a479cf79c37946845cfeee44d0c9feff1bc1798f45ed664383380426dbc118e38529a5
-
Filesize
408KB
MD5
f1bc830f25b0209f05e65544de850fbc
SHA1
71cc48993ad9abfaea655e3141f8c114c8719529
SHA256
f68e6701bea65de2e7f2a6a4a7ef94848527a1a142123c56f9ae8cd2283ccd71
SHA512
d33d9dea7cb7ed742da7e4c73da874899acd1961f383b10eabf5fa66a1f13f0520375e62942be99986d2c4e7c87b3222cab7188dd4ae7cc7a50a2c96e38a3990