Analysis
- max time kernel: 144s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:35
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
- Size: 408KB
- MD5: 47ed00611fc28276ac7279e5a85a003d
- SHA1: 675b6f8ff31f6b6324a58637c101869979de4217
- SHA256: fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33
- SHA512: adee5df07e61e158d70f43fc4faf4115a22d1a231f91101d7a77f56e1cc828d07aabbaab5988a469e41d1ad4ad12052c3dabb923c32748165658a0e8562bba83
- SSDEEP: 3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000a00000001418d-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016056-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001418d-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001418d-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001418d-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001418d-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001418d-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}\stubpath = "C:\\Windows\\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe" | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D} | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}\stubpath = "C:\\Windows\\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe" | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB} | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}\stubpath = "C:\\Windows\\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe" | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}\stubpath = "C:\\Windows\\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe" | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017} | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A841007C-6540-422c-B8A4-F13088944423}\stubpath = "C:\\Windows\\{A841007C-6540-422c-B8A4-F13088944423}.exe" | {631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19} | {A841007C-6540-422c-B8A4-F13088944423}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}\stubpath = "C:\\Windows\\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe" | {A841007C-6540-422c-B8A4-F13088944423}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE} | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D74B840A-03EB-4d99-ACB9-FD508FC76035} | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D74B840A-03EB-4d99-ACB9-FD508FC76035}\stubpath = "C:\\Windows\\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe" | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1} | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0} | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}\stubpath = "C:\\Windows\\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe" | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D157068A-6C63-4c72-92F3-827474DEEE9E} | {69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906} | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}\stubpath = "C:\\Windows\\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe" | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}\stubpath = "C:\\Windows\\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe" | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A841007C-6540-422c-B8A4-F13088944423} | {631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D157068A-6C63-4c72-92F3-827474DEEE9E}\stubpath = "C:\\Windows\\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe" | {69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
Deletes itself (1 IoCs)
pid | Process
2556 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
860 | {631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
324 | {A841007C-6540-422c-B8A4-F13088944423}.exe
2220 | {69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
1792 | {D157068A-6C63-4c72-92F3-827474DEEE9E}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
File created | C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
File created | C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
File created | C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe | {631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
File created | C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe | {A841007C-6540-422c-B8A4-F13088944423}.exe
File created | C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe | {69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
File created | C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
File created | C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
File created | C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
File created | C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
File created | C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
Token: SeIncBasePriorityPrivilege | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
Token: SeIncBasePriorityPrivilege | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
Token: SeIncBasePriorityPrivilege | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
Token: SeIncBasePriorityPrivilege | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
Token: SeIncBasePriorityPrivilege | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
Token: SeIncBasePriorityPrivilege | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
Token: SeIncBasePriorityPrivilege | 860 | {631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
Token: SeIncBasePriorityPrivilege | 324 | {A841007C-6540-422c-B8A4-F13088944423}.exe
Token: SeIncBasePriorityPrivilege | 2220 | {69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2492 wrote to memory of 3008 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 28
PID 2492 wrote to memory of 3008 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 28
PID 2492 wrote to memory of 3008 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 28
PID 2492 wrote to memory of 3008 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 28
PID 2492 wrote to memory of 2556 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 29
PID 2492 wrote to memory of 2556 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 29
PID 2492 wrote to memory of 2556 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 29
PID 2492 wrote to memory of 2556 | 2492 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe | 29
PID 3008 wrote to memory of 2636 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 30
PID 3008 wrote to memory of 2636 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 30
PID 3008 wrote to memory of 2636 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 30
PID 3008 wrote to memory of 2636 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 30
PID 3008 wrote to memory of 2568 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 31
PID 3008 wrote to memory of 2568 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 31
PID 3008 wrote to memory of 2568 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 31
PID 3008 wrote to memory of 2568 | 3008 | {26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe | 31
PID 2636 wrote to memory of 2544 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 32
PID 2636 wrote to memory of 2544 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 32
PID 2636 wrote to memory of 2544 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 32
PID 2636 wrote to memory of 2544 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 32
PID 2636 wrote to memory of 2464 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 33
PID 2636 wrote to memory of 2464 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 33
PID 2636 wrote to memory of 2464 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 33
PID 2636 wrote to memory of 2464 | 2636 | {5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe | 33
PID 2544 wrote to memory of 2692 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 36
PID 2544 wrote to memory of 2692 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 36
PID 2544 wrote to memory of 2692 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 36
PID 2544 wrote to memory of 2692 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 36
PID 2544 wrote to memory of 2704 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 37
PID 2544 wrote to memory of 2704 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 37
PID 2544 wrote to memory of 2704 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 37
PID 2544 wrote to memory of 2704 | 2544 | {F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe | 37
PID 2692 wrote to memory of 2296 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 38
PID 2692 wrote to memory of 2296 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 38
PID 2692 wrote to memory of 2296 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 38
PID 2692 wrote to memory of 2296 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 38
PID 2692 wrote to memory of 2900 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 39
PID 2692 wrote to memory of 2900 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 39
PID 2692 wrote to memory of 2900 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 39
PID 2692 wrote to memory of 2900 | 2692 | {D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe | 39
PID 2296 wrote to memory of 1576 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 40
PID 2296 wrote to memory of 1576 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 40
PID 2296 wrote to memory of 1576 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 40
PID 2296 wrote to memory of 1576 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 40
PID 2296 wrote to memory of 1892 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 41
PID 2296 wrote to memory of 1892 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 41
PID 2296 wrote to memory of 1892 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 41
PID 2296 wrote to memory of 1892 | 2296 | {8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe | 41
PID 1576 wrote to memory of 1328 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 42
PID 1576 wrote to memory of 1328 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 42
PID 1576 wrote to memory of 1328 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 42
PID 1576 wrote to memory of 1328 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 42
PID 1576 wrote to memory of 2656 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 43
PID 1576 wrote to memory of 2656 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 43
PID 1576 wrote to memory of 2656 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 43
PID 1576 wrote to memory of 2656 | 1576 | {BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe | 43
PID 1328 wrote to memory of 860 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 44
PID 1328 wrote to memory of 860 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 44
PID 1328 wrote to memory of 860 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 44
PID 1328 wrote to memory of 860 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 44
PID 1328 wrote to memory of 2044 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 45
PID 1328 wrote to memory of 2044 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 45
PID 1328 wrote to memory of 2044 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 45
PID 1328 wrote to memory of 2044 | 1328 | {C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe | 45
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2492
Depth 2: C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
Command line: C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3008
Depth 3: C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
Command line: C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2636
Depth 4: C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
Command line: C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2544
Depth 5: C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
Command line: C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2692
Depth 6: C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
Command line: C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2296
Depth 7: C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
Command line: C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1576
Depth 8: C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
Command line: C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1328
Depth 9: C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
Command line: C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 860
Depth 10: C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe
Command line: C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 324
Depth 11: C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
Command line: C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2220
Depth 12: C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe
Command line: C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe
- Executes dropped EXE
PID: 1792
Depth 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{69FDD~1.EXE > nul
PID: 1712
Depth 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8410~1.EXE > nul
PID: 996
Depth 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{631C7~1.EXE > nul
PID: 1852
Depth 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C91D9~1.EXE > nul
PID: 2044
Depth 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC49E~1.EXE > nul
PID: 2656
Depth 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8AEB4~1.EXE > nul
PID: 1892
Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D74B8~1.EXE > nul
PID: 2900
Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E55~1.EXE > nul
PID: 2704
Depth 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5A18D~1.EXE > nul
PID: 2464
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{26252~1.EXE > nul
PID: 2568
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
- Deletes itself
PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 408KB
  MD5: 07c3ed2e72668fce068b4869fadfff8f
  SHA1: b8dcee8dc234d0bc8f8ac08c256e2fabe9d5f186
  SHA256: d1c530863832d83ae41f96822c9156c1252546def4ce37d7abb3f713a9c3bf9e
  SHA512: 9e71e21b6589ab490b5d79e22ac1cc56a4fbf60db413a7502bbc54bee4338f5a9ce65f2f8fb12bf34d96dec0c5d5af1f4db66a53605297ffabd257a26af85ab5
- Filesize: 408KB
  MD5: b1b1c0a2d5f1512d7d662ad3486bbe3c
  SHA1: a6b4ef4c620a2b165c85a32f51ce7fcb65d419e0
  SHA256: 07b0248220b0c56ead77c5ab93c27962aa27b4c389d7cd9db834fa1a65c81617
  SHA512: 8c026f9e0e9ebbf44a641ddc6d8e9d05a1bd6e582390481cd97fd097ad831ed6dda9b4e897e4e5f3cb44e0f9ed7d27ba56d0cfab5857f6ba4bd2f382e4441e2d
- Filesize: 408KB
  MD5: 3a4d18e664dab7705c160cea9b03ecc7
  SHA1: 912a1f8503e85ae2a42cba6d76501eb85a9aac26
  SHA256: db1c9c2c773f897a49d8c8c53a62e98051922753b46f53be9b3c50137fd6b287
  SHA512: c7360728b7ceb86dd687e6c2eefacacd9c7ce75671d71fafc5ec3c0cac631ad2c968a751516c7cb863aeb695fdfeb019c93d4db9bb84ad0bdc74f9cc9ffce67f
- Filesize: 408KB
  MD5: 1e5dce9a86b44be8c43d7bb9e9a524a5
  SHA1: 85950bff1f96a1a1ac7b3c5958ce7d359dcae2de
  SHA256: 347175f0886af87ac79031d0927427b1d08ef6a327db139badd21cba2a1a2946
  SHA512: 94bb9e71a1701cff0c6067ebb905490ca76f3ece085739c0eb1b7c1f9bfc5ab7896e8caebd01671a9930e91e09b3215b0b045b97b0f8a8c816d1e92e13d93acb
- Filesize: 408KB
  MD5: 3cede7d47d80a1f8e31f215623d9d88d
  SHA1: 738ba58478f61a1a73db6dd2e13a4e7c5098ffad
  SHA256: 07cdfc96e719a073b8b0fce92888276c9e6e6d0f6e600cebf2589ef1c70b74a4
  SHA512: d7ca52b0fdbe3e0c158bb479c78b4a25cd1471b1cd9bf3e3d36dcfb756c660895dd3cebe170697101f6bbffd18cbc1f727062f13aaffb85dec087a0d05d11014
- Filesize: 408KB
  MD5: 0e072c946c60f04a244aba03ec6d5957
  SHA1: 896d01122e8d16038af8a7d7104fdbc5c7730123
  SHA256: 950e28ade2258e11e380f7b95d532e319646337154003361f09a38846ff1fb8d
  SHA512: 84cfd12e02dff8dbaa83e83ddc2e64c21918c7dc92a1591f440d125b73239558d7ff23edc815ec725de2b19002aac5c1183e3b7319a7cf7842d7ff225a1b43f6
- Filesize: 408KB
  MD5: 4799fda54b8450077fd1bb3e13a95fb5
  SHA1: 38a5e167f4bdfb39c2014b913b36e26805241d19
  SHA256: 089b71b37bf9f60deb972c7aa479f648996cd95f60eb2abac493ace681f3890b
  SHA512: 8df51659ff1068ab0fdb0c9046b24f3fc9b2e63bb36972a01127fe4c3d03fda38dce124fb04987b268f2f983c3141b99e8752ffce1f0b771e53fb98f85074aa5
- Filesize: 408KB
  MD5: aa412ab46d73210f82c5c420c7e28e31
  SHA1: f0b44f94b19d7df6108155f4566158f0416b7898
  SHA256: 9dd4c88499d50b3155bcb602e105ddab4a5b4bdae91119bc44733a788f5827f5
  SHA512: 1c53c81b4693509a2f07e5e962f7781b09c8a3a1e8be20b947c0bd5b6c808941ea3240a3dee571b433d3345aa67c757528266cc0f4d4eca26b8db80e1768c963
- Filesize: 408KB
  MD5: 121a5b728854d8bf292d6499a06d7dfa
  SHA1: 71303ffbba8e2eb27ee889ed385cda15132c1162
  SHA256: 46f536cdd881a04e42fcf943133a9f68f47ead5f5caa57e6886d6c8204e815c8
  SHA512: 32c74e7cecdd655efdd5fed5e51c7aba8296ce2391621bb6385d7707ebf9b1761c30733aa94c7fc3216691e0cb6fdc5e4757bbcd58fe043f3a7532c6240ebe55
- Filesize: 408KB
  MD5: 2a045127c5c9408f9470146cd02e3574
  SHA1: b905bd8b87fd399a1299e6265978990c48f38652
  SHA256: b0bee28bd095769053c8b59bb396f117501f0c4bdc2f436fd852eb88f8c8637d
  SHA512: 6e9c42107e399a12996b72cf8a71d1320644cdbf885efb2b7e01d0875a75db8a6408f5594a0e9f7a5fb607c3ddb5e9707cffad658559fcf46b4ee377452fcd6b
- Filesize: 408KB
  MD5: 7cfb1f2328ce4abce9f52af540ba636a
  SHA1: 97637fb809edb50a61e6055a625013cd0086f6e3
  SHA256: 097e0c657e2ba2b18554383d59bd7aec41b5d652425d4e0617d9c584cc308d19
  SHA512: 7cd68888940f7dc52b1df4e76549f20b4fd2d6400100e428c72a4e90b1a2cfa61881e474642b6ab1ec87c88faacb5df5edc7c4bdc80913514912307ec1d2181a