Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 16:40
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
- Size: 408KB
- MD5: 3165b9f7012dbb650ea326364bd4808a
- SHA1: e861b7427c92db1c83ad62ee631e7bea1bc4aad3
- SHA256: 81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182
- SHA512: d5cfcda780b82859f88541a43a35c1b6f636bbf87ce6d05994cac07077534aeee52604524608b161a849233c4651360baafe88d76111c04237efbb7e4ddab00c
- SSDEEP: 3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGQldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule 12 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000e00000001225e-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000b000000015c7b-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000300000000b1f3-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000400000000b1f3-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000500000000b1f3-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000600000000b1f3-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000700000000b1f3-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0008000000004ed7-82.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry 2 TTPs 24 IoCs

All keys below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\.

| description | ioc | Process |
|---|---|---|
| Set value (str) | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}\stubpath = "C:\\Windows\\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe" | {50585677-D0E6-4114-86CA-2766851ECBE8}.exe |
| Key created | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2} | {05BD4040-845D-4213-8D25-50C5888F151B}.exe |
| Key created | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A} | {D95E9586-EA22-4cb3-9567-47390ABB001D}.exe |
| Key created | {50585677-D0E6-4114-86CA-2766851ECBE8} | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe |
| Key created | {C238F10B-946E-4885-92AC-3E7418C36887} | {7F69377D-A230-4f8b-BC36-50663C83845E}.exe |
| Key created | {05BD4040-845D-4213-8D25-50C5888F151B} | {C238F10B-946E-4885-92AC-3E7418C36887}.exe |
| Set value (str) | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}\stubpath = "C:\\Windows\\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe" | {05BD4040-845D-4213-8D25-50C5888F151B}.exe |
| Set value (str) | {D95E9586-EA22-4cb3-9567-47390ABB001D}\stubpath = "C:\\Windows\\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe" | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe |
| Key created | {452B0288-016E-4049-8C26-0C5DBC5CCBE9} | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe |
| Key created | {58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32} | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe |
| Set value (str) | {58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}\stubpath = "C:\\Windows\\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe" | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe |
| Set value (str) | {50585677-D0E6-4114-86CA-2766851ECBE8}\stubpath = "C:\\Windows\\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe" | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe |
| Key created | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A} | {50585677-D0E6-4114-86CA-2766851ECBE8}.exe |
| Set value (str) | {C238F10B-946E-4885-92AC-3E7418C36887}\stubpath = "C:\\Windows\\{C238F10B-946E-4885-92AC-3E7418C36887}.exe" | {7F69377D-A230-4f8b-BC36-50663C83845E}.exe |
| Set value (str) | {05BD4040-845D-4213-8D25-50C5888F151B}\stubpath = "C:\\Windows\\{05BD4040-845D-4213-8D25-50C5888F151B}.exe" | {C238F10B-946E-4885-92AC-3E7418C36887}.exe |
| Set value (str) | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}\stubpath = "C:\\Windows\\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe" | {D95E9586-EA22-4cb3-9567-47390ABB001D}.exe |
| Set value (str) | {8225FA58-5299-4e72-96C4-A5A397A72C39}\stubpath = "C:\\Windows\\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe" | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe |
| Key created | {F559BA1B-F487-4680-A8A3-8A2B89408B6B} | {8225FA58-5299-4e72-96C4-A5A397A72C39}.exe |
| Set value (str) | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}\stubpath = "C:\\Windows\\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe" | {8225FA58-5299-4e72-96C4-A5A397A72C39}.exe |
| Key created | {7F69377D-A230-4f8b-BC36-50663C83845E} | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe |
| Set value (str) | {7F69377D-A230-4f8b-BC36-50663C83845E}\stubpath = "C:\\Windows\\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe" | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe |
| Key created | {D95E9586-EA22-4cb3-9567-47390ABB001D} | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe |
| Set value (str) | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}\stubpath = "C:\\Windows\\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe" | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe |
| Key created | {8225FA58-5299-4e72-96C4-A5A397A72C39} | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe |
Deletes itself 1 IoCs

| pid | Process |
|---|---|
| 2940 | cmd.exe |
Executes dropped EXE 12 IoCs

| pid | Process |
|---|---|
| 2636 | {50585677-D0E6-4114-86CA-2766851ECBE8}.exe |
| 2608 | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe |
| 2376 | {7F69377D-A230-4f8b-BC36-50663C83845E}.exe |
| 2348 | {C238F10B-946E-4885-92AC-3E7418C36887}.exe |
| 1500 | {05BD4040-845D-4213-8D25-50C5888F151B}.exe |
| 624 | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe |
| 1220 | {D95E9586-EA22-4cb3-9567-47390ABB001D}.exe |
| 2640 | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe |
| 1272 | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe |
| 2032 | {8225FA58-5299-4e72-96C4-A5A397A72C39}.exe |
| 2216 | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe |
| 3044 | {58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe |
Drops file in Windows directory 12 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe | {50585677-D0E6-4114-86CA-2766851ECBE8}.exe |
| File created | C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe | {7F69377D-A230-4f8b-BC36-50663C83845E}.exe |
| File created | C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe |
| File created | C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe |
| File created | C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe | {8225FA58-5299-4e72-96C4-A5A397A72C39}.exe |
| File created | C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe |
| File created | C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe |
| File created | C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe | {C238F10B-946E-4885-92AC-3E7418C36887}.exe |
| File created | C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe | {05BD4040-845D-4213-8D25-50C5888F151B}.exe |
| File created | C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe | {D95E9586-EA22-4cb3-9567-47390ABB001D}.exe |
| File created | C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe |
| File created | C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe |
Suspicious use of AdjustPrivilegeToken 12 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 2176 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 2636 | {50585677-D0E6-4114-86CA-2766851ECBE8}.exe |
| Token: SeIncBasePriorityPrivilege | 2608 | {CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe |
| Token: SeIncBasePriorityPrivilege | 2376 | {7F69377D-A230-4f8b-BC36-50663C83845E}.exe |
| Token: SeIncBasePriorityPrivilege | 2348 | {C238F10B-946E-4885-92AC-3E7418C36887}.exe |
| Token: SeIncBasePriorityPrivilege | 1500 | {05BD4040-845D-4213-8D25-50C5888F151B}.exe |
| Token: SeIncBasePriorityPrivilege | 624 | {8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe |
| Token: SeIncBasePriorityPrivilege | 1220 | {D95E9586-EA22-4cb3-9567-47390ABB001D}.exe |
| Token: SeIncBasePriorityPrivilege | 2640 | {5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe |
| Token: SeIncBasePriorityPrivilege | 1272 | {452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe |
| Token: SeIncBasePriorityPrivilege | 2032 | {8225FA58-5299-4e72-96C4-A5A397A72C39}.exe |
| Token: SeIncBasePriorityPrivilege | 2216 | {F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe (PID 2176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe (PID 2636)
    Command line: C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe (PID 2608)
      Command line: C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe (PID 2376)
        Command line: C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe (PID 2348)
          Command line: C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe (PID 1500)
            Command line: C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe (PID 624)
              Command line: C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe (PID 1220)
                Command line: C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe (PID 2640)
                  Command line: C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe (PID 1272)
                    Command line: C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe (PID 2032)
                      Command line: C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe (PID 2216)
                        Command line: C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe
                        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe (PID 3044)
                          Command line: C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe
                          Signatures: Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (PID 1008)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F559B~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (PID 1896)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8225F~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (PID 2000)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{452B0~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (PID 3012)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5A138~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (PID 1092)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D95E9~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (PID 1948)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA93~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (PID 1536)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{05BD4~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (PID 924)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C238F~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (PID 524)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7F693~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (PID 2436)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5AF~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (PID 2600)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{50585~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (PID 2940)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads