Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
  Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
- Size: 168KB
- MD5: 2680d6392f72a0c5db4e1d4eb20e3fb2
- SHA1: e0e6554478c119d14cd2ada53a16b71982b2d8ec
- SHA256: 02229c757c01b07239d030159c39b38281b72687a8d3406f01043e42db7128b9
- SHA512: c4a0b8a112b714bfc60d373b8473bb5b96e1085fadb8ccce972f341354637aaf144d52111dffbaf5f0c277f9439c1875967420f1444e6148ab21ac61472a536e
- SSDEEP: 1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c00000001225d-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013417-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000013a53-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225d-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DD74C5-72BF-495e-9739-FD9FBE692788} | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34794B5F-6ADF-41ba-991B-BD29A125913E}\stubpath = "C:\\Windows\\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe" | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07979479-C257-4cbe-9B30-235C54347859} | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70} | {07979479-C257-4cbe-9B30-235C54347859}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}\stubpath = "C:\\Windows\\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe" | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC} | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A39C267-FC2B-4054-8343-584CC181B7A8}\stubpath = "C:\\Windows\\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe" | {F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07979479-C257-4cbe-9B30-235C54347859}\stubpath = "C:\\Windows\\{07979479-C257-4cbe-9B30-235C54347859}.exe" | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF} | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}\stubpath = "C:\\Windows\\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe" | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}\stubpath = "C:\\Windows\\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe" | {ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC} | {D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A39C267-FC2B-4054-8343-584CC181B7A8} | {F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DD74C5-72BF-495e-9739-FD9FBE692788}\stubpath = "C:\\Windows\\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe" | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34794B5F-6ADF-41ba-991B-BD29A125913E} | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81173C5-D70A-4f74-8469-08D7C1B33BD6} | {ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}\stubpath = "C:\\Windows\\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe" | {D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11088D9-15BA-4c5f-9020-580D11D28345} | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B11088D9-15BA-4c5f-9020-580D11D28345}\stubpath = "C:\\Windows\\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe" | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F810EF-4D2A-4724-BDAE-45589F53D6D4} | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}\stubpath = "C:\\Windows\\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe" | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}\stubpath = "C:\\Windows\\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe" | {07979479-C257-4cbe-9B30-235C54347859}.exe
Deletes itself (1 IoC)
pid | Process
1720 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe
2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe
2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
2616 | {ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
1904 | {D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
2876 | {F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
576 | {2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe | {ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
File created | C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe | {F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
File created | C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
File created | C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe
File created | C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
File created | C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
File created | C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
File created | C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
File created | C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | {07979479-C257-4cbe-9B30-235C54347859}.exe
File created | C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
File created | C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe | {D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe
Token: SeIncBasePriorityPrivilege | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
Token: SeIncBasePriorityPrivilege | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
Token: SeIncBasePriorityPrivilege | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe
Token: SeIncBasePriorityPrivilege | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
Token: SeIncBasePriorityPrivilege | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
Token: SeIncBasePriorityPrivilege | 2616 | {ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
Token: SeIncBasePriorityPrivilege | 1904 | {D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
Token: SeIncBasePriorityPrivilege | 2876 | {F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2344 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 28
PID 2184 wrote to memory of 2344 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 28
PID 2184 wrote to memory of 2344 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 28
PID 2184 wrote to memory of 2344 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 28
PID 2184 wrote to memory of 1720 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 29
PID 2184 wrote to memory of 1720 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 29
PID 2184 wrote to memory of 1720 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 29
PID 2184 wrote to memory of 1720 | 2184 | 2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe | 29
PID 2344 wrote to memory of 2640 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 30
PID 2344 wrote to memory of 2640 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 30
PID 2344 wrote to memory of 2640 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 30
PID 2344 wrote to memory of 2640 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 30
PID 2344 wrote to memory of 2624 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 31
PID 2344 wrote to memory of 2624 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 31
PID 2344 wrote to memory of 2624 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 31
PID 2344 wrote to memory of 2624 | 2344 | {B11088D9-15BA-4c5f-9020-580D11D28345}.exe | 31
PID 2640 wrote to memory of 2556 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 32
PID 2640 wrote to memory of 2556 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 32
PID 2640 wrote to memory of 2556 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 32
PID 2640 wrote to memory of 2556 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 32
PID 2640 wrote to memory of 2460 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 33
PID 2640 wrote to memory of 2460 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 33
PID 2640 wrote to memory of 2460 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 33
PID 2640 wrote to memory of 2460 | 2640 | {A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe | 33
PID 2556 wrote to memory of 2680 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 36
PID 2556 wrote to memory of 2680 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 36
PID 2556 wrote to memory of 2680 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 36
PID 2556 wrote to memory of 2680 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 36
PID 2556 wrote to memory of 2960 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 37
PID 2556 wrote to memory of 2960 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 37
PID 2556 wrote to memory of 2960 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 37
PID 2556 wrote to memory of 2960 | 2556 | {93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe | 37
PID 2680 wrote to memory of 2824 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 38
PID 2680 wrote to memory of 2824 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 38
PID 2680 wrote to memory of 2824 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 38
PID 2680 wrote to memory of 2824 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 38
PID 2680 wrote to memory of 3040 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 39
PID 2680 wrote to memory of 3040 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 39
PID 2680 wrote to memory of 3040 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 39
PID 2680 wrote to memory of 3040 | 2680 | {34794B5F-6ADF-41ba-991B-BD29A125913E}.exe | 39
PID 2824 wrote to memory of 2784 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 40
PID 2824 wrote to memory of 2784 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 40
PID 2824 wrote to memory of 2784 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 40
PID 2824 wrote to memory of 2784 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 40
PID 2824 wrote to memory of 1940 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 41
PID 2824 wrote to memory of 1940 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 41
PID 2824 wrote to memory of 1940 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 41
PID 2824 wrote to memory of 1940 | 2824 | {07979479-C257-4cbe-9B30-235C54347859}.exe | 41
PID 2784 wrote to memory of 1628 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 42
PID 2784 wrote to memory of 1628 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 42
PID 2784 wrote to memory of 1628 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 42
PID 2784 wrote to memory of 1628 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 42
PID 2784 wrote to memory of 2492 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 43
PID 2784 wrote to memory of 2492 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 43
PID 2784 wrote to memory of 2492 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 43
PID 2784 wrote to memory of 2492 | 2784 | {878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe | 43
PID 1628 wrote to memory of 2616 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 44
PID 1628 wrote to memory of 2616 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 44
PID 1628 wrote to memory of 2616 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 44
PID 1628 wrote to memory of 2616 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 44
PID 1628 wrote to memory of 2256 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 45
PID 1628 wrote to memory of 2256 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 45
PID 1628 wrote to memory of 2256 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 45
PID 1628 wrote to memory of 2256 | 1628 | {FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe | 45
Processes
(process tree; [n] is the nesting level, each entry lists image path, command line, PID and the signatures matched on that process)
[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"
    PID: 2184
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
      Command line: C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
      PID: 2344
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
        Command line: C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
        PID: 2640
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
          Command line: C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
          PID: 2556
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
            Command line: C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
            PID: 2680
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
              Command line: C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
              PID: 2824
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
                Command line: C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
                PID: 2784
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
                  Command line: C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
                  PID: 1628
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
                    Command line: C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
                    PID: 2616
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
                      Command line: C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
                      PID: 1904
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
                        Command line: C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
                        PID: 2876
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
                          Command line: C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
                          PID: 576
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B16~1.EXE > nul
                          PID: 1104
                    [11] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D8117~1.EXE > nul
                        PID: 2108
                  [10] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA9D~1.EXE > nul
                      PID: 1248
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE95C~1.EXE > nul
                    PID: 2256
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{87879~1.EXE > nul
                  PID: 2492
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07979~1.EXE > nul
                PID: 1940
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34794~1.EXE > nul
              PID: 3040
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{93F81~1.EXE > nul
            PID: 2960
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DD7~1.EXE > nul
          PID: 2460
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B1108~1.EXE > nul
        PID: 2624
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 1720
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: 6f2c20e3b0a402c56ef0c761ca471503
  SHA1: 61a5f5031c233e5dd0538d88b6098168207fe27e
  SHA256: 3834d237bd69ca2568740a4eca0977d72c84843c5f6292f25494649ee41ba411
  SHA512: ea27126a868506ea787269f8c513f0aefa8ce53970bb35c8a3e1f1f5bc5327bf5893db52c7561345a759f212832e3daa20100be8c5f66a78c32fddcdfbf1bb38
- Filesize: 168KB
  MD5: f8caae330947a6bffbd32f7c40d8de22
  SHA1: 18067c6341c34bba89845e439d5b2b4791d90b32
  SHA256: 9338e17b77a9e1d30ae2a19cf2d470d996bdf9b8fa15dbca7a48e9ffe6980277
  SHA512: 3ba168257f382ef4094e11cd50bc9c0b091fcbaae2721a60badec249db8fdd53bb4d5c329dc8aa719a1ed9b521c9aaa98001b8977ddb846f4c276f3bcfae3086
- Filesize: 168KB
  MD5: b9c783bd79f264b1284ee69e4e7b183e
  SHA1: e54ba80e8a8fce94b1b37a299a6b408768dced68
  SHA256: e6472563a8bee4ced468bf5a97a3b5b436d24005c0f90a01e711dac49093ef78
  SHA512: 2d546cff0d569dcb22eee484660a2397fbc762d02c4af53c5232b63e31fa3965bfc13a9e85d217d16638e569292e3377eec1e3d65b8f9252d2a0369339856edd
- Filesize: 168KB
  MD5: 2b6b909821942d68a586460dfa1a06ef
  SHA1: 2f67467a3794d1de47e0364d2d9a63acb60ec7e4
  SHA256: e39e91d0c45cd109f66f913f54d5d0246fa8ed69abcb3dca929a7f7489a4bdf7
  SHA512: 1b84e89445c7b945d32a369a008cfc7ba693821e8522abaa273a47677656618a00f46cd6728649cf1f8b231e3b2351b444567081f1202e4b57de825e9ac1abdc
- Filesize: 168KB
  MD5: 6d1e6f9b0d112d0b4026b93387080304
  SHA1: b3d1fa8428f1fddaa76ee2f801dff69619d6bce1
  SHA256: 6bc2cb4cba952c47dd33f511f61177aabb49cf565b4d2b4ee6dd714c5bb644dd
  SHA512: 5495e4e7108601b583b61ab0a54e908fef54f386a88892b5a29e6a964e3f09ea5b1719c0a0be2616597c3e6e1435c2a0e4ae7c5fd4f834d01f72ece7d95e8b7f
- Filesize: 168KB
  MD5: 17fa96149d2fffbe71bbe306482417ec
  SHA1: b93f81ce37200debcd52ee1b21b3138b3eeda8fc
  SHA256: 8f9c18fabb72006c45134c814717896803b828d823c5301ed38a6fd19a22d309
  SHA512: 1f4a9bba23dc821ef5376fb7e1bdab5e1b51e9d065391e9f4053b4399b3bd4b05a2665182a276ae0620ad676755ede3b9331301368eb0c31e2336c62d91b2fdc
- Filesize: 168KB
  MD5: 1dd005d27374ab7866934557b258edec
  SHA1: f4f1b6e5d807c001cb21eb06937ceae595a8c3dc
  SHA256: 9b13f709ba4e9b33a7a927680c668c52448fb1b2e4391d464031fe352a80ce36
  SHA512: 849a241fd56fb9c96008f2661ce0921bad29ea1dcdba1d9e171e934953d3e29dc90a347e57782db13e330c11826cf1060181a6ddb063c7ea0a5ebde5b9300588
- Filesize: 168KB
  MD5: 243b6ece830e64446c5bf1a1b833375b
  SHA1: a55c44dcf55875b18c8b50eb60d6653678ca3814
  SHA256: e8972d906dcfc2fd0c0f1e8d3be138b161c4fd11a76f60ef026e59eeb3816b3b
  SHA512: 5cc767fbb24bb2c3d0cf06f69bb6093824dda0d1b893997e984f4c36d930f0a66a63bc6cf2a223bb4365ff00d0a4f121b69138881b02a884592ff7bf2a7717ee
- Filesize: 168KB
  MD5: 410d0bda6c6cdb26d71fb4c402cbb9cd
  SHA1: 92c3240ac607ab713f557b6bb095e8059db08e61
  SHA256: 8c8a62ce64affd4bce5edeb2b094d4ba5d0c0976037dce9915989748d065509f
  SHA512: 33d1258ba7c8d169d41ab5be9bfa64406d4c782e7f4b7053311f5794c683728759f6eeebc67ad1cfe59d942cb1a5160a620a305f8741e1f53f8bdd68ec13a64d
- Filesize: 168KB
  MD5: 93a690030a9578e17a4de8edee6cd383
  SHA1: 2f0fa931cc184b35377036c8bfc8f9f0871b8d76
  SHA256: 2f7206911447ef3d3cd92b112da991f36fbad26cf62329b92ad0d6c5c0466a1d
  SHA512: 3844f3a1137d12be6ab068ecc414292e3fd6604f56e85f68e3c6d5f789edb1cfb4707d589d03e049d20e0b6394437ee99c0f0e1ac301f13e729120feb91ea495
- Filesize: 168KB
  MD5: df56c7201eb6f98f49e61767f1b6f440
  SHA1: 3221bd87c2cc0013508ea9805c39ec054268b2c0
  SHA256: ee1abe13ebf33f46ddf363c8ed7d8757f8ee2adb51aaf122553a76f64283389d
  SHA512: 191c6b22c05eb13b6b99b5691a1c5652ca8eb80760f3f8118afcc1c8aa5baeb9731819c9c497a4ae3fb65aa718cb09dccbb7011f8bfdf3a27cba83fbf9b3704c