Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:27
Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Size: 168KB
MD5: 635a3c6b18af3c5dd32a436fb72efa92
SHA1: 08a6d06c96872312e9ca0002face7a846d47e040
SHA256: e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f
SHA512: c6282bbfbf9b4681735aa2dea1652ea8daf81c9d4e9f06ca5805f04f4b88176d0740bf6575d38dce4518131266cf226f1c5f5494f8f656d257a1c116f435f8ff
SSDEEP: 1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral1/files/0x000c0000000122ac-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001413f-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-20.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000004ed5-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed5-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed5-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed5-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f2-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752}\stubpath = "C:\\Windows\\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe" | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF} | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}\stubpath = "C:\\Windows\\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe" | {5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E} | {9620189A-815C-4339-A780-1A80A60BBE49}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70} | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9} | {519F376A-387B-494b-A982-E828120E8DBF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}\stubpath = "C:\\Windows\\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe" | {519F376A-387B-494b-A982-E828120E8DBF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB} | {5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0} | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}\stubpath = "C:\\Windows\\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe" | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B}\stubpath = "C:\\Windows\\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe" | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62}\stubpath = "C:\\Windows\\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe" | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752} | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF}\stubpath = "C:\\Windows\\{519F376A-387B-494b-A982-E828120E8DBF}.exe" | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}\stubpath = "C:\\Windows\\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe" | {280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49}\stubpath = "C:\\Windows\\{9620189A-815C-4339-A780-1A80A60BBE49}.exe" | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E}\stubpath = "C:\\Windows\\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe" | {9620189A-815C-4339-A780-1A80A60BBE49}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B} | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62} | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3} | {280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}\stubpath = "C:\\Windows\\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe" | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49} | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
Deletes itself (1 IoC)
pid | Process
2568 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe
2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
1180 | {519F376A-387B-494b-A982-E828120E8DBF}.exe
2064 | {280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
1728 | {5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
3024 | {5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
File created | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | {519F376A-387B-494b-A982-E828120E8DBF}.exe
File created | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | {280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
File created | C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe | {5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
File created | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
File created | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
File created | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
File created | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
File created | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | {9620189A-815C-4339-A780-1A80A60BBE49}.exe
File created | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
File created | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
Token: SeIncBasePriorityPrivilege | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
Token: SeIncBasePriorityPrivilege | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
Token: SeIncBasePriorityPrivilege | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
Token: SeIncBasePriorityPrivilege | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
Token: SeIncBasePriorityPrivilege | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
Token: SeIncBasePriorityPrivilege | 1180 | {519F376A-387B-494b-A982-E828120E8DBF}.exe
Token: SeIncBasePriorityPrivilege | 2064 | {280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
Token: SeIncBasePriorityPrivilege | 1728 | {5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2940 wrote to memory of 2148 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 28
PID 2940 wrote to memory of 2148 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 28
PID 2940 wrote to memory of 2148 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 28
PID 2940 wrote to memory of 2148 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 28
PID 2940 wrote to memory of 2568 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 29
PID 2940 wrote to memory of 2568 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 29
PID 2940 wrote to memory of 2568 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 29
PID 2940 wrote to memory of 2568 | 2940 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 29
PID 2148 wrote to memory of 2704 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 30
PID 2148 wrote to memory of 2704 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 30
PID 2148 wrote to memory of 2704 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 30
PID 2148 wrote to memory of 2704 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 30
PID 2148 wrote to memory of 2552 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 31
PID 2148 wrote to memory of 2552 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 31
PID 2148 wrote to memory of 2552 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 31
PID 2148 wrote to memory of 2552 | 2148 | {2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | 31
PID 2704 wrote to memory of 2824 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 32
PID 2704 wrote to memory of 2824 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 32
PID 2704 wrote to memory of 2824 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 32
PID 2704 wrote to memory of 2824 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 32
PID 2704 wrote to memory of 2960 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 33
PID 2704 wrote to memory of 2960 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 33
PID 2704 wrote to memory of 2960 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 33
PID 2704 wrote to memory of 2960 | 2704 | {9620189A-815C-4339-A780-1A80A60BBE49}.exe | 33
PID 2824 wrote to memory of 2028 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 36
PID 2824 wrote to memory of 2028 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 36
PID 2824 wrote to memory of 2028 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 36
PID 2824 wrote to memory of 2028 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 36
PID 2824 wrote to memory of 2380 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 37
PID 2824 wrote to memory of 2380 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 37
PID 2824 wrote to memory of 2380 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 37
PID 2824 wrote to memory of 2380 | 2824 | {48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | 37
PID 2028 wrote to memory of 2748 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 38
PID 2028 wrote to memory of 2748 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 38
PID 2028 wrote to memory of 2748 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 38
PID 2028 wrote to memory of 2748 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 38
PID 2028 wrote to memory of 1592 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 39
PID 2028 wrote to memory of 1592 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 39
PID 2028 wrote to memory of 1592 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 39
PID 2028 wrote to memory of 1592 | 2028 | {59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | 39
PID 2748 wrote to memory of 1368 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 40
PID 2748 wrote to memory of 1368 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 40
PID 2748 wrote to memory of 1368 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 40
PID 2748 wrote to memory of 1368 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 40
PID 2748 wrote to memory of 1028 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 41
PID 2748 wrote to memory of 1028 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 41
PID 2748 wrote to memory of 1028 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 41
PID 2748 wrote to memory of 1028 | 2748 | {D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | 41
PID 1368 wrote to memory of 744 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 42
PID 1368 wrote to memory of 744 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 42
PID 1368 wrote to memory of 744 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 42
PID 1368 wrote to memory of 744 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 42
PID 1368 wrote to memory of 268 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 43
PID 1368 wrote to memory of 268 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 43
PID 1368 wrote to memory of 268 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 43
PID 1368 wrote to memory of 268 | 1368 | {11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | 43
PID 744 wrote to memory of 1180 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 44
PID 744 wrote to memory of 1180 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 44
PID 744 wrote to memory of 1180 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 44
PID 744 wrote to memory of 1180 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 44
PID 744 wrote to memory of 876 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 45
PID 744 wrote to memory of 876 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 45
PID 744 wrote to memory of 876 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 45
PID 744 wrote to memory of 876 | 744 | {DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | 45
Processes
(process tree; each entry is indented under its parent process)

C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe (PID 2148)
    Command line: C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe (PID 2704)
      Command line: C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe (PID 2824)
        Command line: C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe (PID 2028)
          Command line: C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe (PID 2748)
            Command line: C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe (PID 1368)
              Command line: C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe (PID 744)
                Command line: C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe (PID 1180)
                  Command line: C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe (PID 2064)
                    Command line: C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe (PID 1728)
                      Command line: C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe (PID 3024)
                        Command line: C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe (PID 1096)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB35~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe (PID 2992)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{28066~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe (PID 2260)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{519F3~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe (PID 876)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDC3~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe (PID 268)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{11DE0~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (PID 1028)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D026D~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (PID 1592)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{59E02~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (PID 2380)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{48A62~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (PID 2960)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{96201~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (PID 2552)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDAD~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (PID 2568)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads