Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Size: 408KB
MD5: 47ed00611fc28276ac7279e5a85a003d
SHA1: 675b6f8ff31f6b6324a58637c101869979de4217
SHA256: fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33
SHA512: adee5df07e61e158d70f43fc4faf4115a22d1a231f91101d7a77f56e1cc828d07aabbaab5988a469e41d1ad4ad12052c3dabb923c32748165658a0e8562bba83
SSDEEP: 3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023211-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023216-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321d-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023216-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
All keys below are relative to \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\.
description | ioc | Process
Set value (str) | {F9913C8E-C158-4373-858D-684241B83347}\stubpath = "C:\\Windows\\{F9913C8E-C158-4373-858D-684241B83347}.exe" | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
Set value (str) | {14D8D6CA-6AC3-4346-B364-87F34C77C723}\stubpath = "C:\\Windows\\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe" | {F9913C8E-C158-4373-858D-684241B83347}.exe
Key created | {ECF79E3A-7F93-4439-8044-011398DEF3F3} | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
Key created | {44AD80E8-3627-4513-B8CF-07F1779EF0E1} | {ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
Key created | {657156EC-8D0E-425e-862E-0A58AF8D6176} | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
Set value (str) | {657156EC-8D0E-425e-862E-0A58AF8D6176}\stubpath = "C:\\Windows\\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe" | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
Set value (str) | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}\stubpath = "C:\\Windows\\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe" | {657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
Key created | {F9913C8E-C158-4373-858D-684241B83347} | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
Set value (str) | {199D00EB-7ECA-4605-A153-FAE4DC4068C3}\stubpath = "C:\\Windows\\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe" | {963A86C1-70B3-429f-9E73-D400E033AF37}.exe
Set value (str) | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}\stubpath = "C:\\Windows\\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe" | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
Key created | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11} | {14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
Set value (str) | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}\stubpath = "C:\\Windows\\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe" | {14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
Set value (str) | {ECF79E3A-7F93-4439-8044-011398DEF3F3}\stubpath = "C:\\Windows\\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe" | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
Key created | {A667AB5A-9E89-46dd-A6A3-BE39C8341433} | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
Key created | {963A86C1-70B3-429f-9E73-D400E033AF37} | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
Key created | {199D00EB-7ECA-4605-A153-FAE4DC4068C3} | {963A86C1-70B3-429f-9E73-D400E033AF37}.exe
Set value (str) | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}\stubpath = "C:\\Windows\\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe" | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Key created | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7} | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
Set value (str) | {963A86C1-70B3-429f-9E73-D400E033AF37}\stubpath = "C:\\Windows\\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe" | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
Key created | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446} | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Set value (str) | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}\stubpath = "C:\\Windows\\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe" | {ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
Key created | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD} | {657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
Set value (str) | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}\stubpath = "C:\\Windows\\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe" | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
Key created | {14D8D6CA-6AC3-4346-B364-87F34C77C723} | {F9913C8E-C158-4373-858D-684241B83347}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3180 | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
4440 | {F9913C8E-C158-4373-858D-684241B83347}.exe
4040 | {14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
2612 | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
2864 | {ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
4592 | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
3044 | {657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
1684 | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
4420 | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
376 | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
4724 | {963A86C1-70B3-429f-9E73-D400E033AF37}.exe
1028 | {199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
File created | C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
File created | C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe | {963A86C1-70B3-429f-9E73-D400E033AF37}.exe
File created | C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
File created | C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
File created | C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe | {14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
File created | C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe | {657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
File created | C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
File created | C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
File created | C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe | {F9913C8E-C158-4373-858D-684241B83347}.exe
File created | C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe | {ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
File created | C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2792 | 2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3180 | {6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
Token: SeIncBasePriorityPrivilege | 4440 | {F9913C8E-C158-4373-858D-684241B83347}.exe
Token: SeIncBasePriorityPrivilege | 4040 | {14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
Token: SeIncBasePriorityPrivilege | 2612 | {3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
Token: SeIncBasePriorityPrivilege | 2864 | {ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
Token: SeIncBasePriorityPrivilege | 4592 | {44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
Token: SeIncBasePriorityPrivilege | 3044 | {657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
Token: SeIncBasePriorityPrivilege | 1684 | {76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
Token: SeIncBasePriorityPrivilege | 4420 | {F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
Token: SeIncBasePriorityPrivilege | 376 | {A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
Token: SeIncBasePriorityPrivilege | 4724 | {963A86C1-70B3-429f-9E73-D400E033AF37}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process is indented under its parent; depth and PID are as reported by the sandbox.

C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe (depth 1, PID 2792)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 624)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe (depth 2, PID 3180)
    command line: C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2856)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB9A~1.EXE > nul
    C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe (depth 3, PID 4440)
      command line: C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2312)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F9913~1.EXE > nul
      C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe (depth 4, PID 4040)
        command line: C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3684)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{14D8D~1.EXE > nul
        C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe (depth 5, PID 2612)
          command line: C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3172)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B01F~1.EXE > nul
          C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe (depth 6, PID 2864)
            command line: C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 4556)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ECF79~1.EXE > nul
            C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe (depth 7, PID 4592)
              command line: C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4812)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{44AD8~1.EXE > nul
              C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe (depth 8, PID 3044)
                command line: C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2896)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65715~1.EXE > nul
                C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe (depth 9, PID 1684)
                  command line: C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 4264)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{76ABA~1.EXE > nul
                  C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe (depth 10, PID 4420)
                    command line: C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 2276)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F355A~1.EXE > nul
                    C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe (depth 11, PID 376)
                      command line: C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\SysWOW64\cmd.exe (depth 12, PID 3300)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A667A~1.EXE > nul
                      C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe (depth 12, PID 4724)
                        command line: C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\cmd.exe (depth 13, PID 3308)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{963A8~1.EXE > nul
                        C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe (depth 13, PID 1028)
                          command line: C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe
                          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads