Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:31

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Resource: win10v2004-20240226-en
General

Target: 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
Size: 408KB
MD5: 164de08d5920bce67bd0075809e6beb7
SHA1: c840578699cf5038dc4093f890e17c19c8bad8a8
SHA256: a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605
SHA512: 271a1af102f7877dfab8b99ce1295c4125b8743c092d7710b2b2b181a9023a286639b9a919998d4c5d2d0ea662860159f1fb7fb36ed8dfe3bc64a19f215b2c4b
SSDEEP: 3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGdldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule (12 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/files/0x000900000002326c-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a00000002326e-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000023276-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000c00000002326e-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0005000000016d2b-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000d00000002326e-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0006000000016d2b-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000e00000002326e-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000016d2b-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0007000000022cfb-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000016d2b-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0008000000022cfb-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}\stubpath = "C:\\Windows\\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe" | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1487626-296C-4ab4-9CF2-9151C92E0F26} | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98390355-6891-402d-927A-52B1E7189C9B}\stubpath = "C:\\Windows\\{98390355-6891-402d-927A-52B1E7189C9B}.exe" | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E7109D-AE94-4470-B6F7-5F31C9834698} | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67EAA800-E614-40a1-B7DD-0D97095EE950} | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67EAA800-E614-40a1-B7DD-0D97095EE950}\stubpath = "C:\\Windows\\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe" | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEC787B-2000-486e-8202-B09C9CF892D1} | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0C126D-BF7F-464c-81D5-20282407A79C}\stubpath = "C:\\Windows\\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe" | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7} | {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1D86F5-EEAC-407a-9CA1-BE4569038184} | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}\stubpath = "C:\\Windows\\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe" | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC392DD0-8D27-48d0-86CE-67B54EFF477F} | {7928A926-96D1-4569-8672-1371AB35C300}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B49F18D3-5A3B-4067-9364-726C5BCC3E29} | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}\stubpath = "C:\\Windows\\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe" | {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4047F151-F5B3-428c-9065-74BB13FC01E7} | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4047F151-F5B3-428c-9065-74BB13FC01E7}\stubpath = "C:\\Windows\\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe" | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98390355-6891-402d-927A-52B1E7189C9B} | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7928A926-96D1-4569-8672-1371AB35C300} | {98390355-6891-402d-927A-52B1E7189C9B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E7109D-AE94-4470-B6F7-5F31C9834698}\stubpath = "C:\\Windows\\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe" | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEC787B-2000-486e-8202-B09C9CF892D1}\stubpath = "C:\\Windows\\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe" | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0C126D-BF7F-464c-81D5-20282407A79C} | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1487626-296C-4ab4-9CF2-9151C92E0F26}\stubpath = "C:\\Windows\\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe" | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7928A926-96D1-4569-8672-1371AB35C300}\stubpath = "C:\\Windows\\{7928A926-96D1-4569-8672-1371AB35C300}.exe" | {98390355-6891-402d-927A-52B1E7189C9B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}\stubpath = "C:\\Windows\\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe" | {7928A926-96D1-4569-8672-1371AB35C300}.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
|---|---|
| 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe |
| 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe |
| 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe |
| 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe |
| 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe |
| 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe |
| 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe |
| 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe |
| 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe |
| 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe |
| 4488 | {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe |
| 4424 | {0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe |
Drops file in Windows directory (12 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | {7928A926-96D1-4569-8672-1371AB35C300}.exe |
| File created | C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe |
| File created | C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe | {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe |
| File created | C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe |
| File created | C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe |
| File created | C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe |
| File created | C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe | {98390355-6891-402d-927A-52B1E7189C9B}.exe |
| File created | C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe |
| File created | C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe |
| File created | C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe |
| File created | C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe |
| File created | C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe |
| Token: SeIncBasePriorityPrivilege | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe |
| Token: SeIncBasePriorityPrivilege | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe |
| Token: SeIncBasePriorityPrivilege | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe |
| Token: SeIncBasePriorityPrivilege | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe |
| Token: SeIncBasePriorityPrivilege | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe |
| Token: SeIncBasePriorityPrivilege | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe |
| Token: SeIncBasePriorityPrivilege | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe |
| Token: SeIncBasePriorityPrivilege | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe |
| Token: SeIncBasePriorityPrivilege | 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe |
| Token: SeIncBasePriorityPrivilege | 4488 | {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3032 wrote to memory of 3624 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 101 |
| PID 3032 wrote to memory of 3624 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 101 |
| PID 3032 wrote to memory of 3624 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 101 |
| PID 3032 wrote to memory of 1080 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 102 |
| PID 3032 wrote to memory of 1080 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 102 |
| PID 3032 wrote to memory of 1080 | 3032 | 2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe | 102 |
| PID 3624 wrote to memory of 3404 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 103 |
| PID 3624 wrote to memory of 3404 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 103 |
| PID 3624 wrote to memory of 3404 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 103 |
| PID 3624 wrote to memory of 1188 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 104 |
| PID 3624 wrote to memory of 1188 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 104 |
| PID 3624 wrote to memory of 1188 | 3624 | {C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe | 104 |
| PID 3404 wrote to memory of 524 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 107 |
| PID 3404 wrote to memory of 524 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 107 |
| PID 3404 wrote to memory of 524 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 107 |
| PID 3404 wrote to memory of 2376 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 108 |
| PID 3404 wrote to memory of 2376 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 108 |
| PID 3404 wrote to memory of 2376 | 3404 | {4047F151-F5B3-428c-9065-74BB13FC01E7}.exe | 108 |
| PID 524 wrote to memory of 1144 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 110 |
| PID 524 wrote to memory of 1144 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 110 |
| PID 524 wrote to memory of 1144 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 110 |
| PID 524 wrote to memory of 780 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 111 |
| PID 524 wrote to memory of 780 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 111 |
| PID 524 wrote to memory of 780 | 524 | {7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe | 111 |
| PID 1144 wrote to memory of 2248 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 113 |
| PID 1144 wrote to memory of 2248 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 113 |
| PID 1144 wrote to memory of 2248 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 113 |
| PID 1144 wrote to memory of 2432 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 114 |
| PID 1144 wrote to memory of 2432 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 114 |
| PID 1144 wrote to memory of 2432 | 1144 | {98390355-6891-402d-927A-52B1E7189C9B}.exe | 114 |
| PID 2248 wrote to memory of 4624 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 115 |
| PID 2248 wrote to memory of 4624 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 115 |
| PID 2248 wrote to memory of 4624 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 115 |
| PID 2248 wrote to memory of 220 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 116 |
| PID 2248 wrote to memory of 220 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 116 |
| PID 2248 wrote to memory of 220 | 2248 | {7928A926-96D1-4569-8672-1371AB35C300}.exe | 116 |
| PID 4624 wrote to memory of 1188 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 117 |
| PID 4624 wrote to memory of 1188 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 117 |
| PID 4624 wrote to memory of 1188 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 117 |
| PID 4624 wrote to memory of 3528 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 118 |
| PID 4624 wrote to memory of 3528 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 118 |
| PID 4624 wrote to memory of 3528 | 4624 | {DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe | 118 |
| PID 1188 wrote to memory of 1860 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 119 |
| PID 1188 wrote to memory of 1860 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 119 |
| PID 1188 wrote to memory of 1860 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 119 |
| PID 1188 wrote to memory of 4724 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 120 |
| PID 1188 wrote to memory of 4724 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 120 |
| PID 1188 wrote to memory of 4724 | 1188 | {A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe | 120 |
| PID 1860 wrote to memory of 3584 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 121 |
| PID 1860 wrote to memory of 3584 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 121 |
| PID 1860 wrote to memory of 3584 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 121 |
| PID 1860 wrote to memory of 4476 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 122 |
| PID 1860 wrote to memory of 4476 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 122 |
| PID 1860 wrote to memory of 4476 | 1860 | {67EAA800-E614-40a1-B7DD-0D97095EE950}.exe | 122 |
| PID 3584 wrote to memory of 4056 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 123 |
| PID 3584 wrote to memory of 4056 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 123 |
| PID 3584 wrote to memory of 4056 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 123 |
| PID 3584 wrote to memory of 1288 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 124 |
| PID 3584 wrote to memory of 1288 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 124 |
| PID 3584 wrote to memory of 1288 | 3584 | {ACEC787B-2000-486e-8202-B09C9CF892D1}.exe | 124 |
| PID 4056 wrote to memory of 4488 | 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe | 125 |
| PID 4056 wrote to memory of 4488 | 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe | 125 |
| PID 4056 wrote to memory of 4488 | 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe | 125 |
| PID 4056 wrote to memory of 928 | 4056 | {CD0C126D-BF7F-464c-81D5-20282407A79C}.exe | 126 |
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe (PID 3624)
    Command line: C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe (PID 3404)
      Command line: C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe (PID 524)
        Command line: C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe (PID 1144)
          Command line: C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe (PID 2248)
            Command line: C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe (PID 4624)
              Command line: C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe (PID 1188)
                Command line: C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe (PID 1860)
                  Command line: C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe (PID 3584)
                    Command line: C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe (PID 4056)
                      Command line: C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe (PID 4488)
                        Command line: C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe
                        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe (PID 4424)
                          Command line: C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe
                          Signatures: Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (PID 4792)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B49F1~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (PID 928)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0C1~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 1288)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEC7~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 4476)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{67EAA~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 4724)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E71~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 3528)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DC392~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 220)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7928A~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 2432)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{98390~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 780)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1D8~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 2376)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4047F~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 1188)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C1487~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 1080)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2164)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads