Analysis
max time kernel: 144s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02/03/2024, 16:40
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Size: 408KB
MD5: 3165b9f7012dbb650ea326364bd4808a
SHA1: e861b7427c92db1c83ad62ee631e7bea1bc4aad3
SHA256: 81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182
SHA512: d5cfcda780b82859f88541a43a35c1b6f636bbf87ce6d05994cac07077534aeee52604524608b161a849233c4651360baafe88d76111c04237efbb7e4ddab00c
SSDEEP: 3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGQldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023317-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023318-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023320-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231c3-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e477-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231c3-21.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e477-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231c3-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e479-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231c3-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e479-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC153F-BB60-412b-8C3F-F1B34EC93524} | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}\stubpath = "C:\\Windows\\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe" | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D} | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E312C99-BE09-4d60-852F-924EA9BEF217}\stubpath = "C:\\Windows\\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe" | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}\stubpath = "C:\\Windows\\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe" | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A} | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627} | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54C357F-FA2A-45be-B6A6-452751C97022} | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}\stubpath = "C:\\Windows\\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe" | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E312C99-BE09-4d60-852F-924EA9BEF217} | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2197D2BF-4031-4864-8338-89ADD2AA9500} | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}\stubpath = "C:\\Windows\\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe" | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54C357F-FA2A-45be-B6A6-452751C97022}\stubpath = "C:\\Windows\\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe" | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D2B923-E5F7-4039-8524-2F186A503072} | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D2B923-E5F7-4039-8524-2F186A503072}\stubpath = "C:\\Windows\\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe" | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BA070E-A646-48c3-9CF8-430F095B9F8E} | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BA070E-A646-48c3-9CF8-430F095B9F8E}\stubpath = "C:\\Windows\\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe" | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2197D2BF-4031-4864-8338-89ADD2AA9500}\stubpath = "C:\\Windows\\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe" | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A} | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}\stubpath = "C:\\Windows\\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe" | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56} | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}\stubpath = "C:\\Windows\\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe" | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
Executes dropped EXE 11 IoCs
pid | Process
4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe
548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe
1148 | {23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
File created | C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
File created | C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
File created | C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe
File created | C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
File created | C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
File created | C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
File created | C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
File created | C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
File created | C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
File created | C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
Token: SeIncBasePriorityPrivilege | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
Token: SeIncBasePriorityPrivilege | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
Token: SeIncBasePriorityPrivilege | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
Token: SeIncBasePriorityPrivilege | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
Token: SeIncBasePriorityPrivilege | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
Token: SeIncBasePriorityPrivilege | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
Token: SeIncBasePriorityPrivilege | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe
Token: SeIncBasePriorityPrivilege | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
Token: SeIncBasePriorityPrivilege | 1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4356 wrote to memory of 4092 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 99
PID 4356 wrote to memory of 4092 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 99
PID 4356 wrote to memory of 4092 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 99
PID 4356 wrote to memory of 5112 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 100
PID 4356 wrote to memory of 5112 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 100
PID 4356 wrote to memory of 5112 | 4356 | 2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe | 100
PID 4092 wrote to memory of 3252 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 101
PID 4092 wrote to memory of 3252 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 101
PID 4092 wrote to memory of 3252 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 101
PID 4092 wrote to memory of 1416 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 102
PID 4092 wrote to memory of 1416 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 102
PID 4092 wrote to memory of 1416 | 4092 | {47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe | 102
PID 3252 wrote to memory of 1412 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 105
PID 3252 wrote to memory of 1412 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 105
PID 3252 wrote to memory of 1412 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 105
PID 3252 wrote to memory of 3400 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 106
PID 3252 wrote to memory of 3400 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 106
PID 3252 wrote to memory of 3400 | 3252 | {2E312C99-BE09-4d60-852F-924EA9BEF217}.exe | 106
PID 1412 wrote to memory of 684 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 109
PID 1412 wrote to memory of 684 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 109
PID 1412 wrote to memory of 684 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 109
PID 1412 wrote to memory of 2120 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 110
PID 1412 wrote to memory of 2120 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 110
PID 1412 wrote to memory of 2120 | 1412 | {2197D2BF-4031-4864-8338-89ADD2AA9500}.exe | 110
PID 684 wrote to memory of 2872 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 111
PID 684 wrote to memory of 2872 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 111
PID 684 wrote to memory of 2872 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 111
PID 684 wrote to memory of 4040 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 112
PID 684 wrote to memory of 4040 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 112
PID 684 wrote to memory of 4040 | 684 | {1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe | 112
PID 2872 wrote to memory of 3632 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 113
PID 2872 wrote to memory of 3632 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 113
PID 2872 wrote to memory of 3632 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 113
PID 2872 wrote to memory of 1480 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 114
PID 2872 wrote to memory of 1480 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 114
PID 2872 wrote to memory of 1480 | 2872 | {A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe | 114
PID 3632 wrote to memory of 3684 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 115
PID 3632 wrote to memory of 3684 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 115
PID 3632 wrote to memory of 3684 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 115
PID 3632 wrote to memory of 3076 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 116
PID 3632 wrote to memory of 3076 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 116
PID 3632 wrote to memory of 3076 | 3632 | {5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe | 116
PID 3684 wrote to memory of 4080 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 117
PID 3684 wrote to memory of 4080 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 117
PID 3684 wrote to memory of 4080 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 117
PID 3684 wrote to memory of 2740 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 118
PID 3684 wrote to memory of 2740 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 118
PID 3684 wrote to memory of 2740 | 3684 | {77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe | 118
PID 4080 wrote to memory of 548 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 119
PID 4080 wrote to memory of 548 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 119
PID 4080 wrote to memory of 548 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 119
PID 4080 wrote to memory of 4920 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 120
PID 4080 wrote to memory of 4920 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 120
PID 4080 wrote to memory of 4920 | 4080 | {E54C357F-FA2A-45be-B6A6-452751C97022}.exe | 120
PID 548 wrote to memory of 1968 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 121
PID 548 wrote to memory of 1968 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 121
PID 548 wrote to memory of 1968 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 121
PID 548 wrote to memory of 4548 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 122
PID 548 wrote to memory of 4548 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 122
PID 548 wrote to memory of 4548 | 548 | {BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe | 122
PID 1968 wrote to memory of 1148 | 1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe | 123
PID 1968 wrote to memory of 1148 | 1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe | 123
PID 1968 wrote to memory of 1148 | 1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe | 123
PID 1968 wrote to memory of 3196 | 1968 | {F2D2B923-E5F7-4039-8524-2F186A503072}.exe | 124
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, the signatures it triggered and its PID):

C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4356
  C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
    Command line: C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4092
    C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
      Command line: C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3252
      C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
        Command line: C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1412
        C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
          Command line: C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 684
          C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
            Command line: C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2872
            C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
              Command line: C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3632
              C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
                Command line: C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 3684
                C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
                  Command line: C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 4080
                  C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
                    Command line: C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 548
                    C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
                      Command line: C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 1968
                      C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
                        Command line: C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
                        - Executes dropped EXE
                        PID: 1148
                      C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D2B~1.EXE > nul
                        PID: 3196
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BBAC1~1.EXE > nul
                      PID: 4548
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E54C3~1.EXE > nul
                    PID: 4920
                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{77591~1.EXE > nul
                  PID: 2740
              C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D9EE~1.EXE > nul
                PID: 3076
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A5EE6~1.EXE > nul
              PID: 1480
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1FF0B~1.EXE > nul
            PID: 4040
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2197D~1.EXE > nul
          PID: 2120
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2E312~1.EXE > nul
        PID: 3400
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{47BA0~1.EXE > nul
      PID: 1416
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
  PID: 396
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 408KB
MD5: 1621f13afd01660d04a674ab644c5e49
SHA1: 4497ac719660aa0d555e86e1e3cd3a88d445e17d
SHA256: 961104ab387497dd86914599d5a0b038d9e5dd69c74b1d304142ef2472a10e04
SHA512: 1e0c58d517c328c327ac19cccacac571d3357fb193f9d600d304d827ebac4562b532bb686504c72aa129f9825fe8b610f27105401646d4e91278d6216f8b6566

Filesize: 408KB
MD5: 587b7d4b954a4cef2e92ecadb5e2079f
SHA1: e1f5a776214389059d331aac54f970b8703dc740
SHA256: 35e9298bde40defec090fb819e12b70d0a62fd7495bd6408106e8ce18162ff89
SHA512: 04596edacc6331fe4a31655172eacc844e6744ae4f776a00ae01942c9db480ce2d8a2379502d63843244536920797279619ef2d93d901ac0495beaa0f93690eb

Filesize: 408KB
MD5: 106976e94e6d2d155a0694ecf9b12208
SHA1: aa283aed1e0dbe54ea6dcba78fb560648c755ba1
SHA256: 5b99c975beceb7fc84e723b128a0c492d977a98df89935afbf680c0b2d9fa260
SHA512: 65d0ff816b4a16892922f0e91eb47b9c63b7d7e50ad8eacb8bdb85b4feb75e7e5ccb11c7339d5a6c956a5551e6705e24ec5b2fe4093db4bcac78d5e36be2bc95

Filesize: 408KB
MD5: 2661adf58cc1085a05a164e4f282836c
SHA1: a437fb91e661a698ca16a14c4074e77c381746da
SHA256: 5d66c31f49f7f973bea8249ff5a60db617b7a12b1b815213cbf819f4786b4ad0
SHA512: c6c63aa89a904b9db6b833f4f33c406971fb6472d712742138f06b84efcec9a3e28ac9680309406dc1fab0732b6ff888dac1df3e1289ed7e1dd7a7a2ac34c37f

Filesize: 408KB
MD5: 0fca95936320ef7652a6226c696db753
SHA1: 19301c0f6a1db028c870d2bc4d11c2f9ca8a2080
SHA256: 878af7c83ab958f08ac591529648d7a19c98e3f1ff3e2e00b3811578b3570117
SHA512: f34c0cd419ce56f776ee9cbd6fb79b7fe21b08b31a65a6dc0d3e275fc9eaf73c8413d29de5ffef90f6611c2a586ff02133168f01a711f865c292c830df7865d7

Filesize: 408KB
MD5: 7120fff8ab996c36830f3f9f3125760f
SHA1: 26d4178273e95d0ce3950fd3f72f875697143e7d
SHA256: e29ad291faa377c41708cea6edd25d895e41a42c701d114833b538f64c86de3c
SHA512: c8e8f6c6efb34e7a4afbc2586e802c5abe4c7ec4e733c10611f900c20d62f0f9920c78c20ff2d60b9f870b760f64ce4bfe0cb651ff89c7c5b3cc5568be006c18

Filesize: 408KB
MD5: 43dfb71b4482e4557379a2295aee8be2
SHA1: b33ee106c44b8546d4c4eeed7ec491a7c404ce1f
SHA256: 3b7f7731df850b57267e425dd060a59905e5ea1ffcb6077003aefe398705e54b
SHA512: 6687a1040e509febed8437ee2ecc030a3872013ee95c5fa1f86a2627c0f218f74d9e81a603ce7802eafbd2d4e7f75b00ce45d094ad6c49e5242dfc914d4aff41

Filesize: 408KB
MD5: 60e3f1188eb9543985dce240ba146172
SHA1: ccdf18e1a8fcf7a9802c8b19cd71b599468d7d58
SHA256: 0df832e047d3f0c50a7ad982736a491f910873be0e957f21f8cc9e86fcb95f9b
SHA512: 6f98d730985212f372e379c9cb53e2c9a535e76f6ae634dcbd820a8eb6f203cb6e80071a30840bdf5b68ca94c6cf6247201bbc3cc800b3704868978e3c693111

Filesize: 408KB
MD5: cd798d87908f4770b05dba0ea015ce78
SHA1: 9b60aba1f4e87eb91bee8ce68e1d196f9b0a9033
SHA256: 9e869640cc2fb619edcfca48e778cd59833c2380ba6e32d694b7e29ed7a41963
SHA512: 2363ede2ff5c55249031501917b0c3f67f79522c1c1e9f7afc1e4954a95883e777c7f9a2fc3f47b59c0d31961154f971417f473b1eb6c530eaf291fd839d9c0a

Filesize: 408KB
MD5: 7fc22b8a82efd85fec22b43327a33ba4
SHA1: fe10711d8e3b8f56f9a5c94a0a94bd706f0eb54d
SHA256: 7097f4214f12471f7fb616dc38213eb166774956e72bac78c93f507309dd92c6
SHA512: b3b83ddb0039ad0da0143bedf141cb1ee2390674dc9c4ca5d8ef698806d2241fec16d4cb8e23af69852cb34b249c5fd5cc8210c1fa1341ce9757d18be2d5361f

Filesize: 408KB
MD5: 5ab84c126baadf46c059da66b6b37cf3
SHA1: 803599193cd9e9e16092627f6b77a11603613c68
SHA256: 544489fac4679b40a6396c9785b7e52d84aae92f40705e3392177ad067867968
SHA512: 791b9b5e2649781ac6e03fd628d8c6440ca3c6068eedea47372a6aae931ce4e71b26801a617179a6bb7047cae76cf8fb07cc7e091c29ec212a364b8d3e7d995b