Analysis

max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 23:29

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Size: 197KB
MD5: 7700691d1d8ba6023d1d9bbaa3de7429
SHA1: d6e1723304c1fea09129871ff9e6fe1cb83ef91a
SHA256: e48951fb1eb66395f19027038718abafe06697d96adda70534ba15c0cc7ac7a8
SHA512: c0e6f62e9bc01b77fa423855f382da849b4718cc6cc55696cc08a5b554ebcd0d82a92248d99f8733f08bb0a166004b12c8e0061fa0cb0f8018cb9273263fc5be
SSDEEP: 3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)

resource | yara_rule
behavioral1/files/0x00040000000130fc-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d12-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016d22-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016d12-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016d12-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016d12-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016d12-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

All keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\

description | ioc | Process
Set value (str) | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}\stubpath = "C:\\Windows\\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe" | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
Key created | {82F7A9F5-36CD-494b-BC04-87214242FD5C} | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
Set value (str) | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}\stubpath = "C:\\Windows\\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe" | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
Set value (str) | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}\stubpath = "C:\\Windows\\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe" | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
Key created | {E99C201A-19EC-4844-86F1-0BECA5B9BC23} | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
Key created | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE} | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
Set value (str) | {FA6CC007-05F2-45ea-B99D-B62A183E437E}\stubpath = "C:\\Windows\\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe" | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
Set value (str) | {284D26C3-C78E-45bf-8836-211245AD58FD}\stubpath = "C:\\Windows\\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe" | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
Key created | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7} | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Set value (str) | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}\stubpath = "C:\\Windows\\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe" | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Key created | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD} | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
Set value (str) | {82F7A9F5-36CD-494b-BC04-87214242FD5C}\stubpath = "C:\\Windows\\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe" | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
Key created | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC} | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
Set value (str) | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}\stubpath = "C:\\Windows\\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe" | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
Key created | {FA6CC007-05F2-45ea-B99D-B62A183E437E} | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
Key created | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086} | {FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
Set value (str) | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}\stubpath = "C:\\Windows\\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe" | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
Key created | {37F3EAAB-F2ED-4213-B90B-D44501870BE2} | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
Set value (str) | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}\stubpath = "C:\\Windows\\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe" | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
Key created | {8727761E-1900-4c91-8C05-DAE64E4FF6DF} | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
Set value (str) | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}\stubpath = "C:\\Windows\\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe" | {FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
Key created | {284D26C3-C78E-45bf-8836-211245AD58FD} | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
Executes dropped EXE (11 IoCs)

pid | Process
2780 | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
2664 | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
2656 | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
2896 | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
472 | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
1120 | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
1752 | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
2756 | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
1556 | {FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
1220 | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
1092 | {284D26C3-C78E-45bf-8836-211245AD58FD}.exe
Drops file in Windows directory (11 IoCs)

description | ioc | Process
File created | C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
File created | C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
File created | C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
File created | C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe | {FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
File created | C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
File created | C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
File created | C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
File created | C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
File created | C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
File created | C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
File created | C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 1516 | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2780 | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
Token: SeIncBasePriorityPrivilege | 2664 | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
Token: SeIncBasePriorityPrivilege | 2656 | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
Token: SeIncBasePriorityPrivilege | 2896 | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
Token: SeIncBasePriorityPrivilege | 472 | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
Token: SeIncBasePriorityPrivilege | 1120 | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
Token: SeIncBasePriorityPrivilege | 1752 | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
Token: SeIncBasePriorityPrivilege | 2756 | {C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
Token: SeIncBasePriorityPrivilege | 1556 | {FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
Token: SeIncBasePriorityPrivilege | 1220 | {A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each row below appears four times in the report (64 entries in total); the repeats are collapsed here.

description | pid | Process | procid_target
PID 1516 wrote to memory of 2780 | 1516 | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe | 28 (4 entries)
PID 1516 wrote to memory of 1216 | 1516 | 2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe | 29 (4 entries)
PID 2780 wrote to memory of 2664 | 2780 | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe | 30 (4 entries)
PID 2780 wrote to memory of 3000 | 2780 | {1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe | 31 (4 entries)
PID 2664 wrote to memory of 2656 | 2664 | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe | 34 (4 entries)
PID 2664 wrote to memory of 2592 | 2664 | {2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe | 35 (4 entries)
PID 2656 wrote to memory of 2896 | 2656 | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe | 36 (4 entries)
PID 2656 wrote to memory of 2072 | 2656 | {37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe | 37 (4 entries)
PID 2896 wrote to memory of 472 | 2896 | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe | 38 (4 entries)
PID 2896 wrote to memory of 1292 | 2896 | {82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe | 39 (4 entries)
PID 472 wrote to memory of 1120 | 472 | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe | 40 (4 entries)
PID 472 wrote to memory of 876 | 472 | {E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe | 41 (4 entries)
PID 1120 wrote to memory of 1752 | 1120 | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe | 42 (4 entries)
PID 1120 wrote to memory of 1088 | 1120 | {8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe | 43 (4 entries)
PID 1752 wrote to memory of 2756 | 1752 | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe | 44 (4 entries)
PID 1752 wrote to memory of 2732 | 1752 | {4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe | 45 (4 entries)
Processes
Process tree (the depth number is the nesting level shown in the report; each dropped executable and the cmd.exe that deletes its parent's image share a level)

Depth 1
  C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"
  PID: 1516
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2
  C:\Windows\{1F9B4C96-E32F-4d0c-9A59-028CCF9C19C7}.exe
  PID: 2780
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 1216

Depth 3
  C:\Windows\{2B711807-E5C6-40e7-8E6E-545C0E6DD8DD}.exe
  PID: 2664
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1F9B4~1.EXE > nul
  PID: 3000

Depth 4
  C:\Windows\{37F3EAAB-F2ED-4213-B90B-D44501870BE2}.exe
  PID: 2656
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B711~1.EXE > nul
  PID: 2592

Depth 5
  C:\Windows\{82F7A9F5-36CD-494b-BC04-87214242FD5C}.exe
  PID: 2896
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{37F3E~1.EXE > nul
  PID: 2072

Depth 6
  C:\Windows\{E99C201A-19EC-4844-86F1-0BECA5B9BC23}.exe
  PID: 472
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{82F7A~1.EXE > nul
  PID: 1292

Depth 7
  C:\Windows\{8727761E-1900-4c91-8C05-DAE64E4FF6DF}.exe
  PID: 1120
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E99C2~1.EXE > nul
  PID: 876

Depth 8
  C:\Windows\{4100C6FF-AEF9-40e0-A6A3-3F3B32614CCC}.exe
  PID: 1752
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{87277~1.EXE > nul
  PID: 1088

Depth 9
  C:\Windows\{C1D233E1-EBCA-4704-8BD7-1E505F2017CE}.exe
  PID: 2756
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4100C~1.EXE > nul
  PID: 2732

Depth 10
  C:\Windows\{FA6CC007-05F2-45ea-B99D-B62A183E437E}.exe
  PID: 1556
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D23~1.EXE > nul
  PID: 1460

Depth 11
  C:\Windows\{A2C6910E-3DAE-4d1d-A726-ED2D19E87086}.exe
  PID: 1220
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6CC~1.EXE > nul
  PID: 2012

Depth 12
  C:\Windows\{284D26C3-C78E-45bf-8836-211245AD58FD}.exe
  PID: 1092
  - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C69~1.EXE > nul
  PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 197KB
  MD5: eecf3019153851685ca1853710e1ac1a
  SHA1: f09c06cf819104489f57beeb794dad36b8c3db5d
  SHA256: b55b4eba4eeca3776695fcb590e63aa5deabf8b379263a5449d7fb262142d9ca
  SHA512: 1d149e9e6149980e7813e57094bb2a9eca13c44292bec35d2ab72da0bae1f5ae12890b74cc980d203212d9cd536ce9109c785e7f16fc2b8e96568cc089203a6a

File 2
  Filesize: 197KB
  MD5: 2da9d22d06fa58a013d5cf503d476073
  SHA1: a8d69507380bef0d5d68bf5d1995c6cae2d0de53
  SHA256: 3b9d3bf2b08822350e2700a3304074ca5a8da15a06cdfb1124629677f705c8bd
  SHA512: 1735d3be9135ea696cc0605c274e2ad74e1afadc15dea9af977f45b5f369ebe6561662b26bfeedcfef3ea1a39cfea7008adb3dc7a61211cfda73aa61c417d409

File 3
  Filesize: 197KB
  MD5: e406ff81b38d6345e349eecb1497c357
  SHA1: bc0d58325725d6e7606008c7ee388a935716fe71
  SHA256: ccbd9999b56d84dd603ef8e10d8e11708f99bee4990cb653119ca8f639915432
  SHA512: a60d3e88aed545ee93579cc4885e1b338a7cbcc5064a70a0d24a4115e47cfe8559bddea9e960bae8a971450337de3718c9fca36b08bb2643faa0d56fac667c3b

File 4
  Filesize: 197KB
  MD5: 3939837a97ea9c5afc9d5497797f6027
  SHA1: 60bca6a9f5b4c7aa2f25486e50886daa447679df
  SHA256: 78c9f2808f4ba3709116ffc569f82608fed7ae9c7fb90d91339b14e527c66936
  SHA512: 95b9adf68f4c57def700c0dc4287dc34409684bd74e02dc6ba91af43dd5ef912376ae9df7f368e13b3922fe10b2b022a63a48678eaaa9f943b1f9ac7a0e51474

File 5
  Filesize: 197KB
  MD5: ca55d477ed4eede8e5b94fe42b8f949d
  SHA1: 8e902ce629764a85f600d4cfcf48c010d110119b
  SHA256: a15e9259a03c8f164cae9545c2f5df51b23a3fde74e07129d09723e04bec6bfe
  SHA512: fbe136a998203fc08229e5fdc4a07a6e9283a98dae99d920d77f15e6120c3d8cf32ee1c78fb495641cb81708f97515ec99547974b9d6ce547c93943ed4cc3bcf

File 6
  Filesize: 197KB
  MD5: ef29cc273952a3b498d62421972de1ad
  SHA1: db41749e6b2d88efd47f702439157165feaabfb8
  SHA256: 3760b972106ba2943ea4d5364a3447c197e284c70d0d4d1dc7f0f71680249322
  SHA512: 3f72b87162219bc2d39210367dd7f834a3a0380b63c2ecd4c3a9d422bcd0d52800625ca6fd20fa67eb3d944dbd2339d207fc18ddce6d9f3d3db7110f146a8b95

File 7
  Filesize: 197KB
  MD5: 88817a97e9a1a961dcee56943ddbb608
  SHA1: 425d0524a1eec26766c21083ae277de41973d40a
  SHA256: dc93feedd95866e99971a93af9a451ec919f2c6fa747f7bc6d9312ceac08e267
  SHA512: 3cef6275c28f2f43e8204ffcc496837c0adf4dddac80cf3be95a8bcb5474541578db9736acb25c9346b56b56c22d8735f7f1988cc441a96206a581913256dab5

File 8
  Filesize: 197KB
  MD5: 62c240b09ff5d30bf1af3c009feb979b
  SHA1: 9759988be3380b559f0487e3f2ea3c2242d3f713
  SHA256: bf49f4f3e79cbd53eb5ce5b6790f894375671e68eb32dfa62f5ffbaa1ac55908
  SHA512: 79e3f0dd46c2168966a0853b31a341431afb08425c3bcfa224c69bcb3adc7989d53eea164b8c3bb01aca090c640a6a85c64e2b180446e07964107db5f5697ad2

File 9
  Filesize: 197KB
  MD5: 722cbef8ae74ebf39aa3f9d1330fb48e
  SHA1: 8386d787dab363302b520f0a637ffcca3afd7cdd
  SHA256: 0d04e39af934d04687e0d64b64dd425548b553e5bbf82c7ed9ec5aa965417a7e
  SHA512: b6e9cadf81d59ecb82f98d24f8cf53e3edb37abd923a517e6de99059208ce02b6b7e66679dabaa19d1a4da4c8b4c0a113b8b2c4fd393d54c2add07666d0de493

File 10
  Filesize: 197KB
  MD5: be7300af720926e9c34f4d4c85d0a168
  SHA1: 2010698dd5e18a526bd0ac9b15e92ac6fe762cb4
  SHA256: ae8a021d3d6e906b42c41109f6b47920f6fa8ba846e04f20bb0ed2938161a9f5
  SHA512: 1c1ca9b9afac50bd463e11455829534d0a20a08728983cef589d64422cc6406c74bc646bcbd0272327f70e20080e7123013dbcd569e79a4bb789db9d190d4465

File 11
  Filesize: 197KB
  MD5: 0d8994e62835a0fe3b64fefc71ccfa35
  SHA1: 72b6b239b7b45ff460dce646720f051ad21a1772
  SHA256: 481cbdd92c60baa555c2af68334cef4998a59ebed40ea396b70b08ea3897f9a9
  SHA512: 668cbdc312df764fba33d7a614b7b4f1139ccdce83499bff6078ad4e3bd401e53ff4a838f7269bbd610f1c2f51ea355470acbd12a78aa55cb5afd094b109d2ea