Analysis
max time kernel: 178s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Size: 168KB
MD5: 635a3c6b18af3c5dd32a436fb72efa92
SHA1: 08a6d06c96872312e9ca0002face7a846d47e040
SHA256: e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f
SHA512: c6282bbfbf9b4681735aa2dea1652ea8daf81c9d4e9f06ca5805f04f4b88176d0740bf6575d38dce4518131266cf226f1c5f5494f8f656d257a1c116f435f8ff
SSDEEP: 1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Malware Config

Signatures
Auto-generated rule (9 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023244-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322e-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323b-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e768-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002323b-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e768-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002323b-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e768-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002323b-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051} | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}\stubpath = "C:\\Windows\\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe" | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D}\stubpath = "C:\\Windows\\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe" | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5} | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}\stubpath = "C:\\Windows\\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe" | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF} | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F} | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F}\stubpath = "C:\\Windows\\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe" | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787}\stubpath = "C:\\Windows\\{FB3535E9-8060-499d-85FD-985CB9624787}.exe" | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F} | {FB3535E9-8060-499d-85FD-985CB9624787}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}\stubpath = "C:\\Windows\\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe" | {FB3535E9-8060-499d-85FD-985CB9624787}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2} | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}\stubpath = "C:\\Windows\\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe" | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33} | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33}\stubpath = "C:\\Windows\\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe" | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D} | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787} | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}\stubpath = "C:\\Windows\\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe" | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
Executes dropped EXE (9 IoCs)
pid | Process
4436 | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe
3088 | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
224 | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
3548 | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
2656 | {FB3535E9-8060-499d-85FD-985CB9624787}.exe
4324 | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
3884 | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
5000 | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
1324 | {FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
File created | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
File created | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
File created | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe
File created | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | {FB3535E9-8060-499d-85FD-985CB9624787}.exe
File created | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
File created | C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
File created | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
File created | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3748 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4436 | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe
Token: SeIncBasePriorityPrivilege | 3088 | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
Token: SeIncBasePriorityPrivilege | 224 | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
Token: SeIncBasePriorityPrivilege | 3548 | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
Token: SeIncBasePriorityPrivilege | 2656 | {FB3535E9-8060-499d-85FD-985CB9624787}.exe
Token: SeIncBasePriorityPrivilege | 4324 | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
Token: SeIncBasePriorityPrivilege | 3884 | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
Suspicious use of WriteProcessMemory (54 IoCs; each parent/child pair below is logged three times in the raw table)
description | pid | Process | procid_target
PID 3748 wrote to memory of 4436 | 3748 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 92 (3 events)
PID 3748 wrote to memory of 208 | 3748 | 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | 93 (3 events)
PID 4436 wrote to memory of 3088 | 4436 | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe | 95 (3 events)
PID 4436 wrote to memory of 4380 | 4436 | {27AB6528-A448-4be0-84B3-B15D4137180F}.exe | 96 (3 events)
PID 3088 wrote to memory of 224 | 3088 | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | 98 (3 events)
PID 3088 wrote to memory of 4992 | 3088 | {858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | 99 (3 events)
PID 224 wrote to memory of 3548 | 224 | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | 100 (3 events)
PID 224 wrote to memory of 4192 | 224 | {F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | 101 (3 events)
PID 3548 wrote to memory of 2656 | 3548 | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | 102 (3 events)
PID 3548 wrote to memory of 3916 | 3548 | {4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | 103 (3 events)
PID 2656 wrote to memory of 4324 | 2656 | {FB3535E9-8060-499d-85FD-985CB9624787}.exe | 104 (3 events)
PID 2656 wrote to memory of 4432 | 2656 | {FB3535E9-8060-499d-85FD-985CB9624787}.exe | 105 (3 events)
PID 4324 wrote to memory of 3884 | 4324 | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | 106 (3 events)
PID 4324 wrote to memory of 2660 | 4324 | {E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | 107 (3 events)
PID 3884 wrote to memory of 5000 | 3884 | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | 108 (3 events)
PID 3884 wrote to memory of 2404 | 3884 | {EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | 109 (3 events)
PID 5000 wrote to memory of 1324 | 5000 | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | 110 (3 events)
PID 5000 wrote to memory of 3440 | 5000 | {362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | 111 (3 events)
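Read together, the registry, file-drop and WriteProcessMemory tables describe one repeating mechanism: each stage drops a GUID-named copy into C:\Windows, registers that path as the stubpath of an Active Setup Installed Components key (the logon-time persistence location MITRE ATT&CK tracks as T1547.014), starts it, and then has cmd.exe delete its own image by 8.3 short name. The Python below is an added example, not code from the sandbox report or from the sample: it parses a constructed subset of the rows above (the first three links of the chain), rebuilds the drop chain, checks that every stubpath matches a file the same process dropped, and reproduces the short names seen in the del commands. The 8.3 short-name function assumes no name collision in the directory, hence the fixed ~1 tail.

```python
"""Reconstruct a dropper chain from the IoC tables of a sandbox report.

Added example: this is not code from the sandbox report or from the sample.
The rows below are a constructed subset copied from the report's tables (the
first three links of the chain); parsing assumes the report's own
"description / ioc / Process" column layout.
"""
import re

SAMPLE = "2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
ACTIVE_SETUP = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
                r"\Active Setup\Installed Components")

# "Modifies Installed Components in the registry" rows: (description, ioc, Process)
REGISTRY_ROWS = [
    ("Key created",
     ACTIVE_SETUP + r"\{27AB6528-A448-4be0-84B3-B15D4137180F}", SAMPLE),
    ("Set value (str)",
     ACTIVE_SETUP + r"\{27AB6528-A448-4be0-84B3-B15D4137180F}\stubpath = "
     r'"C:\\Windows\\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe"', SAMPLE),
    ("Set value (str)",
     ACTIVE_SETUP + r"\{858AB40B-0C5D-485a-937A-81F60B45E79D}\stubpath = "
     r'"C:\\Windows\\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe"',
     "{27AB6528-A448-4be0-84B3-B15D4137180F}.exe"),
    ("Set value (str)",
     ACTIVE_SETUP + r"\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}\stubpath = "
     r'"C:\\Windows\\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe"',
     "{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe"),
]

# "Drops file in Windows directory" rows: (description, ioc, Process)
DROP_ROWS = [
    ("File created", r"C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe", SAMPLE),
    ("File created", r"C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe",
     "{27AB6528-A448-4be0-84B3-B15D4137180F}.exe"),
    ("File created", r"C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe",
     "{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe"),
]

# Command lines of the cmd.exe children in the process tree (self-deletion)
DEL_COMMANDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{27AB6~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{858AB~1.EXE > nul",
]

STUBPATH_RE = re.compile(r'Installed Components\\(\{[0-9A-Fa-f-]+\})\\stubpath = "(.*)"$')
DEL_RE = re.compile(r"del .*\\([^\\ ]+) > nul")


def parse_stubpaths(rows):
    """Return {process: {component_guid: stubpath}} for every 'Set value' row.

    The report prints the REG_SZ with doubled backslashes; undo that so the
    value compares equal to the paths in the file-drop table.
    """
    out = {}
    for desc, ioc, proc in rows:
        if not desc.startswith("Set value"):
            continue
        m = STUBPATH_RE.search(ioc)
        if m:
            out.setdefault(proc, {})[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return out


def check_persistence(registry_rows, drop_rows):
    """Pair each stubpath with the files the same process dropped.

    Returns [(process, stubpath, dropped_by_same_process)]; a False entry would
    mean a stubpath pointing at a file no observed process wrote.
    """
    dropped = {}
    for _desc, path, proc in drop_rows:
        dropped.setdefault(proc, set()).add(path)
    results = []
    for proc, comps in parse_stubpaths(registry_rows).items():
        for stub in comps.values():
            results.append((proc, stub, stub in dropped.get(proc, set())))
    return results


def build_chain(drop_rows):
    """Follow 'process X created file Y' links starting at the submitted sample."""
    created_by = {path.rsplit("\\", 1)[-1]: proc for _d, path, proc in drop_rows}
    child_of = {proc: name for name, proc in created_by.items()}
    chain, cur = [], SAMPLE
    while cur is not None:
        chain.append(cur)
        cur = child_of.get(cur)
    return chain


def short_name(filename):
    """Approximate the 8.3 short name that appears in the del commands.

    Assumption (labelled): no other file in the directory shares the first
    six characters, so the numeric tail is always ~1.
    """
    stem, _, ext = filename.rpartition(".")
    return f"{stem[:6].upper()}~1.{ext.upper()}"


def deleted_targets(commands):
    """Extract the file name each 'cmd /c del ... > nul' removes."""
    return [DEL_RE.search(c).group(1) for c in commands]


def self_delete_consistent(drop_rows, commands):
    """True when every stage but the last is removed by a del of its short name."""
    chain = build_chain(drop_rows)
    return [short_name(p) for p in chain[:-1]] == deleted_targets(commands)


if __name__ == "__main__":
    print(" -> ".join(build_chain(DROP_ROWS)))
    for proc, stub, ok in check_persistence(REGISTRY_ROWS, DROP_ROWS):
        print(f"{'ok ' if ok else 'BAD'} {proc} stubpath -> {stub}")
    print("self-deletion matches chain:", self_delete_consistent(DROP_ROWS, DEL_COMMANDS))
```

The same stubpath check is worth running against a live host's Installed Components keys (both the native and the WOW6432Node views), since a stubpath under C:\Windows with a GUID file name and no matching installer is exactly the artifact this chain leaves behind; the self-deletion only removes the previous stage's binary, so the last stage and all nine registry entries survive the run.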
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
    PID: 3748
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
        Command line: C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
        PID: 4436
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
            Command line: C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
            PID: 3088
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
                Command line: C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
                PID: 224
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
                    Command line: C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
                    PID: 3548
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
                        Command line: C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
                        PID: 2656
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
                            Command line: C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
                            PID: 4324
                            - Modifies Installed Components in the registry
                            - Executes dropped EXE
                            - Drops file in Windows directory
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of WriteProcessMemory
                            [8] C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
                                Command line: C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
                                PID: 3884
                                - Modifies Installed Components in the registry
                                - Executes dropped EXE
                                - Drops file in Windows directory
                                - Suspicious use of AdjustPrivilegeToken
                                - Suspicious use of WriteProcessMemory
                                [9] C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
                                    Command line: C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
                                    PID: 5000
                                    - Modifies Installed Components in the registry
                                    - Executes dropped EXE
                                    - Drops file in Windows directory
                                    - Suspicious use of AdjustPrivilegeToken
                                    - Suspicious use of WriteProcessMemory
                                    [10] C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
                                        Command line: C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
                                        PID: 1324
                                        - Executes dropped EXE
                                    [10] C:\Windows\SysWOW64\cmd.exe
                                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{36223~1.EXE > nul
                                        PID: 3440
                                [9] C:\Windows\SysWOW64\cmd.exe
                                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC88~1.EXE > nul
                                    PID: 2404
                            [8] C:\Windows\SysWOW64\cmd.exe
                                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A5E~1.EXE > nul
                                PID: 2660
                        [7] C:\Windows\SysWOW64\cmd.exe
                            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FB353~1.EXE > nul
                            PID: 4432
                    [6] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4F37E~1.EXE > nul
                        PID: 3916
                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C3E~1.EXE > nul
                    PID: 4192
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{858AB~1.EXE > nul
                PID: 4992
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{27AB6~1.EXE > nul
            PID: 4380
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
        PID: 208
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 168KB
MD5: 80b0abcb082d91d4bc9b758185f5a7fc
SHA1: 619d17c84eedfb4e260c284fb2f0b6777db4cc80
SHA256: cd4a6d297c643207782ade5e00319cf394bc43acd34dcf197ea6c65c67f8925b
SHA512: fe16615944c8cfefd207674fe453693fb38a6f4b5b8a3446769c2456caef321f9a912eb95017a0aae561fde3539e34d09a1a19f20fc45632ee6a6a0b1fc490d4

Filesize: 168KB
MD5: bb9bb0787d340588e4321717d25f4448
SHA1: dfc0ffc7a44c40098709c612ae20e8ca28ff62a8
SHA256: 833693c5faa31cddd7c1a7f58c3e23ac324bbab86a44fecc40c2e1c67e7a74e0
SHA512: 346e3e48942d280ebf1e54647ce8bd45350613292c34a110aa28ed86d0e8e33bf94449960aaaba16b0038289b4f0de6de7fcfde1c34e7ba76e4cd17fee384b62

Filesize: 168KB
MD5: fb032d75e69fc91738a0a970e10ca438
SHA1: 6f45843e2ebd65c7eb4be9c8431e47a6fc8b1ef7
SHA256: b80b48b7374811a235a0d377508f0b8a09a9ec094d2f9f0ea6646230a9620acc
SHA512: 6cb2925fe4bb3b61a2bbf2b131b9070b60e496009836361c081d1aeaf52730e54361d08a8a02ff9e69a402028f5324764b505ac6ac2b6ff54ee8f4f6ec8ac4e9

Filesize: 168KB
MD5: f314fb6dcc91d777e9f8fdabdc8b41fb
SHA1: f22d8ebad4319da351818f5112525327647f2fec
SHA256: 9c628763541afdba653b5302f097187ed23942da3b9085e4044e7ab6388b1eb9
SHA512: 48b1a64ec9c9cd228edde66017c509b2ea9e52e00b68b485d62dc6455a9167c32a158fb9c8915715acca22741510314d0ef70b5d8c00e21bfa20f873a60cd3fe

Filesize: 168KB
MD5: 910eb6415da30ed7947fcab3fc9bb58e
SHA1: b99bdbf53bc9c01c1634e9ebc503f8d24a64f1cd
SHA256: 7c9fc572758e6f28bd6c195e674fdad65b545771c6f8321cb87b1fd22673d75f
SHA512: fe4cbb6beb0401315123936dbe9f92da8bcc524dc4e96471fed59e55765b1a9a7d7ca67dd66ba45e7f6b78e540d4e312bef804a9d7c2f569694db44ddf2d7e1d

Filesize: 168KB
MD5: d58b02f5a70aa36ba0e722076458c5a3
SHA1: 46449b00de722ce5e6965652aef10d0ffdef0deb
SHA256: 0b39b3b13ab872cbe3f46aa869f46f443bd9d2d5be33da914df1a31be8c51190
SHA512: bf27746c0f2a27b91532ad01c590f702aa97cad8029c9cd7f35f127cf28982a212e31742882aff9db5af77ff76773344e2ad847ee4c04b288fbdd9a2261ee90c

Filesize: 168KB
MD5: b0b002113bfbe3e1bebea22b10b8876d
SHA1: 608ef026db226b020c30449a4dc111f93bb63784
SHA256: 8fa543302070d433acf18b172bc70670d16ec83dd118731049ca95574558dbc1
SHA512: d9f8c8d080ea7320d2f77793f82d1cd3bce7d6bd8b56b7385dffbe1e72c3e9aea641613f558bc40ae6fd8b339b49da27d7507f9a4f259774edaf827489dea233

Filesize: 168KB
MD5: 8ff9766b1bc7e0685489c01d2455732b
SHA1: aa6ada078fd92fa806be71dddb8442ffdbbef046
SHA256: bf4ba5671c5917dc44c5f979eaf048fafb0c4d4f86a3beae6bea34f6f41eda0b
SHA512: 0bc3483e0e75cdb10e8c44ce7996e75b1a65533609621619a7db423af023f693b4349c2b362b43db18fd273bddae03fb2b8ea79ba953af5430dcc78e740e95d7

Filesize: 168KB
MD5: 7f920956bf055810e088a31f7f2895c3
SHA1: 1a53a8abe8d2042df2016a5c53904149e24822b2
SHA256: 8326b89edca6f74dcf05e5140feb8ed4c3304ff517b77f4aa6f557d626a64a9b
SHA512: 6e0ee78416bad0c95de67c51ccb99d9237a02ce15b542590d8f476c7ea4435b2dfd5fc8201cebc3121562ebffa80187fff2e965ae7926c68b3a1cce634be9e20