Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
Size: 180KB
MD5: 566aa4cd67f4c3337a1d128c0ee66d87
SHA1: 82125716a0fd42b24ac14bf8543439bd02b3cc6c
SHA256: a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168
SHA512: 97123beefeeadfb7a7e2c09fdcfcfeb98246313bf4e3853c683403eeb158f37d9ff0b0962a5cb9f57dfc5a56e3cd89c63755a366a8b369626e30581d2c22c98e
SSDEEP: 3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000012707-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014890-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012707-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015083-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012707-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012707-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012707-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67}\stubpath = "C:\\Windows\\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe" | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}\stubpath = "C:\\Windows\\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe" | {9B8E65DD-0180-41df-8903-910F8314783F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124} | {4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725} | {EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86} | {6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}\stubpath = "C:\\Windows\\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe" | {6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCCC416B-2248-4984-8F67-B901D98E8F67} | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3} | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4} | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}\stubpath = "C:\\Windows\\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe" | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}\stubpath = "C:\\Windows\\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe" | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E}\stubpath = "C:\\Windows\\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe" | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F} | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86}\stubpath = "C:\\Windows\\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe" | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}\stubpath = "C:\\Windows\\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe" | {4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}\stubpath = "C:\\Windows\\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe" | {EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{604BFE7E-8D72-4868-8415-2BD7EE83987E} | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8E65DD-0180-41df-8903-910F8314783F}\stubpath = "C:\\Windows\\{9B8E65DD-0180-41df-8903-910F8314783F}.exe" | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871} | {9B8E65DD-0180-41df-8903-910F8314783F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}\stubpath = "C:\\Windows\\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe" | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B87649AC-2E2E-4144-81F5-34E4C0198C86} | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B66E4F2-50E4-422c-A65B-9C42C70562CD} | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
Deletes itself (1 IoC)
pid | Process
2756 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
3068 | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
2632 | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
2792 | {9B8E65DD-0180-41df-8903-910F8314783F}.exe
2720 | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
2492 | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
1196 | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
1252 | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
1632 | {4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
2316 | {EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
2824 | {6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
1060 | {F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
File created | C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
File created | C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe | {6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
File created | C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
File created | C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | {9B8E65DD-0180-41df-8903-910F8314783F}.exe
File created | C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
File created | C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe | {4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
File created | C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe | {EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
File created | C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
File created | C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
File created | C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2268 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3068 | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
Token: SeIncBasePriorityPrivilege | 2632 | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
Token: SeIncBasePriorityPrivilege | 2792 | {9B8E65DD-0180-41df-8903-910F8314783F}.exe
Token: SeIncBasePriorityPrivilege | 2720 | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
Token: SeIncBasePriorityPrivilege | 2492 | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
Token: SeIncBasePriorityPrivilege | 1196 | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
Token: SeIncBasePriorityPrivilege | 1252 | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
Token: SeIncBasePriorityPrivilege | 1632 | {4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
Token: SeIncBasePriorityPrivilege | 2316 | {EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below appears four times in the report, giving 16 distinct entries)
description | pid | Process | procid_target | entries
PID 2268 wrote to memory of 3068 | 2268 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 28 | 4
PID 2268 wrote to memory of 2756 | 2268 | 2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe | 29 | 4
PID 3068 wrote to memory of 2632 | 3068 | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | 30 | 4
PID 3068 wrote to memory of 2804 | 3068 | {FCCC416B-2248-4984-8F67-B901D98E8F67}.exe | 31 | 4
PID 2632 wrote to memory of 2792 | 2632 | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | 32 | 4
PID 2632 wrote to memory of 2188 | 2632 | {604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe | 33 | 4
PID 2792 wrote to memory of 2720 | 2792 | {9B8E65DD-0180-41df-8903-910F8314783F}.exe | 36 | 4
PID 2792 wrote to memory of 2868 | 2792 | {9B8E65DD-0180-41df-8903-910F8314783F}.exe | 37 | 4
PID 2720 wrote to memory of 2492 | 2720 | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | 38 | 4
PID 2720 wrote to memory of 2648 | 2720 | {A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe | 39 | 4
PID 2492 wrote to memory of 1196 | 2492 | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | 40 | 4
PID 2492 wrote to memory of 1036 | 2492 | {35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe | 41 | 4
PID 1196 wrote to memory of 1252 | 1196 | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | 42 | 4
PID 1196 wrote to memory of 304 | 1196 | {3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe | 43 | 4
PID 1252 wrote to memory of 1632 | 1252 | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | 44 | 4
PID 1252 wrote to memory of 876 | 1252 | {B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe | 45 | 4
Processes
(process tree; each entry gives image path, command line, nesting depth and PID, followed by the signatures triggered by that process)

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
    PID: 2268
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
      Command line: C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
      PID: 3068
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
        Command line: C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
        PID: 2632
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
          Command line: C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
          PID: 2792
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
            Command line: C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
            PID: 2720
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
              Command line: C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
              PID: 2492
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
                Command line: C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
                PID: 1196
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
                  Command line: C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
                  PID: 1252
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
                    Command line: C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
                    PID: 1632
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
                       Command line: C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
                       PID: 2316
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
                         Command line: C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
                         PID: 2824
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
                           Command line: C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
                           PID: 1060
                           - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD60~1.EXE > nul
                           PID: 1488
                    [11] C:\Windows\SysWOW64\cmd.exe
                         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C8~1.EXE > nul
                         PID: 2080
                  [10] C:\Windows\SysWOW64\cmd.exe
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4B66E~1.EXE > nul
                       PID: 2312
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B8764~1.EXE > nul
                    PID: 876
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF3D~1.EXE > nul
                  PID: 304
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35EE9~1.EXE > nul
                PID: 1036
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A1665~1.EXE > nul
              PID: 2648
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8E6~1.EXE > nul
            PID: 2868
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{604BF~1.EXE > nul
          PID: 2188
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul
        PID: 2804
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2756
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 180KB
MD5: a157d7c774553e1b30311f41f7dd1bbf
SHA1: 41602061ff4327959b777d13d62cf4cd76095512
SHA256: b572aa5c03475fc2578f78aa153e4b9e4ff8d16aecefc70f97b0170d868e9f13
SHA512: b26049a12117b54554b915b5ad6d3a6db8b6d6fe0870e667e903752164e20d2416033b3f1feaa790ae36ed1a86951378cc3fd0693aec52a78bb9059b40b69f50

Filesize: 180KB
MD5: b092c683792194635b29a52de32a0f98
SHA1: b7c3550c33114e3a61c12a898e162dc93c2658d5
SHA256: 59cb80853b8ebabcb9bff0d701c353e76850d1870b132d90e9183ae330135bd7
SHA512: 89653b9f4c69149eaadaff8b17d8c53a93e586bff7df7d0e92e416082b204cf8cf98615e0cf8ffd96458dfd36174ad65fa089252f98cb194e4fc73ae0690a2f3

Filesize: 180KB
MD5: c27e58a7d6aaadb450283217e9b8b3e7
SHA1: 3ece90233252ded4b564826b037db395b9c6a225
SHA256: e7b1a6eb6b529df898adbcd8a90f18447a77b75452d72d418e7ad3e8aec9e879
SHA512: 0e9f7511057f7b53f7a68c48bbdfaa396b413d9fabce58d5f4ccf4c612d26aaac8fedc147f17066675511e98958ca97859a713fb964ce734d8155a961b910176

Filesize: 180KB
MD5: 56e50e2b967acbb0d24488c0bc2bbaa2
SHA1: 1e31b5ebd9426aecb4896f1f69ef0ce1a1a71de9
SHA256: 1e34c4176ab4509f9ebab70461b2b15686042126f10a9ff6eb484afc95c4afb3
SHA512: 23e85f75881ad209cd167641ffced90a1fb6c8bb916295d13450c4f0cc66efef21ecb5c743fbdc8e62ce5a5f3abaaa2533535cb48a03e81c1c411c5ced91faca

Filesize: 180KB
MD5: a1cd3f99cfb4b417d3c6b7754a1ff522
SHA1: 4fb281ea818fcd5d1050043b95961a39110c679f
SHA256: 9d5f1f544ff5756603f1f657c1e0602a72add7a469fc41999f4504b9c26a2239
SHA512: 53412b9fd5810fd38a3c26a739a169fb60ddda251b4247b8af74add0fbe19075f7196f976123672777a764343e24d3a91e0be4576e222e817793cf3e99cb64c9

Filesize: 180KB
MD5: 34fb909ad609b13ee3daa35a99c873b2
SHA1: de387611134d7e4725ff103ddf0992d393d95d37
SHA256: c796f6da61c8579bdd5b6eac472b7a51589304ee9c94bcf801f22fb3601f40c2
SHA512: bb1106c3a27dee637a2fb38104d83d863fda18984af1fa87e704b9406574b03efe13e2048d90b3babad3295b49309b5c92307f376825c63f56e61ff7d1322840

Filesize: 180KB
MD5: a1fc6ab812dfad7e48b4feac80539371
SHA1: 32492210dc4ae2c77b4eb9d950f326bd116235a4
SHA256: d2de389109edd5717ba1df530db1dfc338239a56f5ed7593c58ab4f6102b4ab0
SHA512: 02451eb93e5bbbbb8de4371da589089370cbf2098529539d80a2ce8da05b4a2eeb167349dfa67c1208d96c166e0bf4ab7bb36ec3e876e4570f77858ac4328167

Filesize: 180KB
MD5: a52714442065a2d688dc9f64a039b659
SHA1: daaf60b3561163bc1593263ac8568ff319422163
SHA256: 64f1244b34f6666f0e89c6ed7b8d64d28a518590bc4ba577827839ce7738a1e8
SHA512: 4bec2ac3cb2a774cf057965929dc4ea1186d3140f9f66157006c73210224ff0b2079a54906e6716b7d2f35b42a6717f7b7bd0ac3b01cd3f3f6d660bd44d68d46

Filesize: 180KB
MD5: cba567da7c2781c136d6b41dd3bcfc5a
SHA1: 4db1a940af3aefd68a6f77301480ea2ecdb5f28b
SHA256: b145bb067e58fdb9e16b0b64371b27601722183a31ec738e4d67b89c227fbb0b
SHA512: 83eb9bce1647de624fa8487cb25f392810889373fa7c5c85e9eb169d3fc6270e2caec04b6c1f2371e17e8bf1f03a6fea7fc4e9141965581b46ff108fe7905955

Filesize: 180KB
MD5: 09641c994c8200aa5437f719f04eb09e
SHA1: 9bde1f6fd87230b7db3674e60f74b4e1da2ae2d3
SHA256: 39b2c06abb9b0bd18c7e231ef66816940e54e9e87b4330c7af42935dad7eb035
SHA512: 16f5e937e298558720f46ffcab51b33b54dad8f96c58c6fa593b947c4288c21a9b9870c067c1a8c746dcd008cf0f326ddcbc236b2d0baa37fce9add86a9a58bb

Filesize: 180KB
MD5: 0675366eb2db2b9fb6c571acc3d3cfff
SHA1: 51220fd63562fed5f193cee5e5e15ea9bdb7dc7b
SHA256: c1ac122ee6e70f72d69a735c0807b49eb8a0f7d4ccd75952668cb1918ca54c50
SHA512: 84163e2025a22fb50bc7583bf522de5f05a8cf3ffd5e007b5f857fc9bb2bea9f0689761814c1690b0bfb6134b6ea1325a7caa2ea52532b2e5081ab313abf5977