Analysis

max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:40

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
  Resource: win10v2004-20240226-en

General

Target: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Size: 197KB
MD5: 7ab09cf27c3f40c2dda8d177614af4df
SHA1: c5641c003869f3c35b8c35158bd902d77481dcc6
SHA256: 9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd
SHA512: 989f7d057c91f946c0e4d195d04c4abf65487c2b509332ff1c8657df5df078bde4e952cb0e2697211887a29453c9d51d82d571df9025b06aa4ca95c5eb9a4964
SSDEEP: 3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca
Malware Config
Signatures

Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x00070000000231fb-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231f4-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023202-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231f4-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F74C34-5E87-47d2-81C2-BC939C416253}\stubpath = "C:\\Windows\\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe" | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E005216-E643-48f2-97EE-350E040BC522} | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E005216-E643-48f2-97EE-350E040BC522}\stubpath = "C:\\Windows\\{4E005216-E643-48f2-97EE-350E040BC522}.exe" | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F} | {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC762C9F-B672-45eb-B51B-C46ABF197EF6} | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}\stubpath = "C:\\Windows\\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe" | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41} | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC90A403-C3EC-4c4e-83F8-204E07142636} | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF42C359-D683-4e51-B245-1A35A7545B1F}\stubpath = "C:\\Windows\\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe" | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}\stubpath = "C:\\Windows\\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe" | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F74C34-5E87-47d2-81C2-BC939C416253} | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6E145EC-617A-4364-8079-41BA74D37EFA}\stubpath = "C:\\Windows\\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe" | {4E005216-E643-48f2-97EE-350E040BC522}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02DF97-FF65-4909-A883-144C95653DBE} | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF42C359-D683-4e51-B245-1A35A7545B1F} | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E366FC-EB05-4056-8BF6-AC4B5290932C} | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57E366FC-EB05-4056-8BF6-AC4B5290932C}\stubpath = "C:\\Windows\\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe" | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC90A403-C3EC-4c4e-83F8-204E07142636}\stubpath = "C:\\Windows\\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe" | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}\stubpath = "C:\\Windows\\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe" | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6E145EC-617A-4364-8079-41BA74D37EFA} | {4E005216-E643-48f2-97EE-350E040BC522}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}\stubpath = "C:\\Windows\\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe" | {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}\stubpath = "C:\\Windows\\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe" | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBC99A7-0D2A-4500-B867-6273722B2ADA} | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A02DF97-FF65-4909-A883-144C95653DBE}\stubpath = "C:\\Windows\\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe" | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF} | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe

Executes dropped EXE (12 IoCs)
pid | Process
3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe
1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe
376 | {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
1736 | {9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe

Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
File created | C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
File created | C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
File created | C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
File created | C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
File created | C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
File created | C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
File created | C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
File created | C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe | {4E005216-E643-48f2-97EE-350E040BC522}.exe
File created | C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe | {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
File created | C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
File created | C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
Token: SeIncBasePriorityPrivilege | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
Token: SeIncBasePriorityPrivilege | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
Token: SeIncBasePriorityPrivilege | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
Token: SeIncBasePriorityPrivilege | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
Token: SeIncBasePriorityPrivilege | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
Token: SeIncBasePriorityPrivilege | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe
Token: SeIncBasePriorityPrivilege | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
Token: SeIncBasePriorityPrivilege | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
Token: SeIncBasePriorityPrivilege | 4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe
Token: SeIncBasePriorityPrivilege | 376 | {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3984 wrote to memory of 3692 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 96
PID 3984 wrote to memory of 3692 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 96
PID 3984 wrote to memory of 3692 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 96
PID 3984 wrote to memory of 4676 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 97
PID 3984 wrote to memory of 4676 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 97
PID 3984 wrote to memory of 4676 | 3984 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe | 97
PID 3692 wrote to memory of 1216 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 98
PID 3692 wrote to memory of 1216 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 98
PID 3692 wrote to memory of 1216 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 98
PID 3692 wrote to memory of 3988 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 99
PID 3692 wrote to memory of 3988 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 99
PID 3692 wrote to memory of 3988 | 3692 | {CF42C359-D683-4e51-B245-1A35A7545B1F}.exe | 99
PID 1216 wrote to memory of 632 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 101
PID 1216 wrote to memory of 632 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 101
PID 1216 wrote to memory of 632 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 101
PID 1216 wrote to memory of 1092 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 102
PID 1216 wrote to memory of 1092 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 102
PID 1216 wrote to memory of 1092 | 1216 | {57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe | 102
PID 632 wrote to memory of 2504 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 103
PID 632 wrote to memory of 2504 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 103
PID 632 wrote to memory of 2504 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 103
PID 632 wrote to memory of 2628 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 104
PID 632 wrote to memory of 2628 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 104
PID 632 wrote to memory of 2628 | 632 | {CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe | 104
PID 2504 wrote to memory of 3112 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 105
PID 2504 wrote to memory of 3112 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 105
PID 2504 wrote to memory of 3112 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 105
PID 2504 wrote to memory of 1620 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 106
PID 2504 wrote to memory of 1620 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 106
PID 2504 wrote to memory of 1620 | 2504 | {0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe | 106
PID 3112 wrote to memory of 1872 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 107
PID 3112 wrote to memory of 1872 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 107
PID 3112 wrote to memory of 1872 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 107
PID 3112 wrote to memory of 4788 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 108
PID 3112 wrote to memory of 4788 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 108
PID 3112 wrote to memory of 4788 | 3112 | {6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe | 108
PID 1872 wrote to memory of 1348 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 109
PID 1872 wrote to memory of 1348 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 109
PID 1872 wrote to memory of 1348 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 109
PID 1872 wrote to memory of 2256 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 110
PID 1872 wrote to memory of 2256 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 110
PID 1872 wrote to memory of 2256 | 1872 | {AC90A403-C3EC-4c4e-83F8-204E07142636}.exe | 110
PID 1348 wrote to memory of 1156 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 111
PID 1348 wrote to memory of 1156 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 111
PID 1348 wrote to memory of 1156 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 111
PID 1348 wrote to memory of 3672 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 112
PID 1348 wrote to memory of 3672 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 112
PID 1348 wrote to memory of 3672 | 1348 | {4A02DF97-FF65-4909-A883-144C95653DBE}.exe | 112
PID 1156 wrote to memory of 1200 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 113
PID 1156 wrote to memory of 1200 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 113
PID 1156 wrote to memory of 1200 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 113
PID 1156 wrote to memory of 2032 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 114
PID 1156 wrote to memory of 2032 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 114
PID 1156 wrote to memory of 2032 | 1156 | {B7F74C34-5E87-47d2-81C2-BC939C416253}.exe | 114
PID 1200 wrote to memory of 4328 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 115
PID 1200 wrote to memory of 4328 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 115
PID 1200 wrote to memory of 4328 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 115
PID 1200 wrote to memory of 4512 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 116
PID 1200 wrote to memory of 4512 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 116
PID 1200 wrote to memory of 4512 | 1200 | {032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe | 116
PID 4328 wrote to memory of 376 | 4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe | 117
PID 4328 wrote to memory of 376 | 4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe | 117
PID 4328 wrote to memory of 376 | 4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe | 117
PID 4328 wrote to memory of 3984 | 4328 | {4E005216-E643-48f2-97EE-350E040BC522}.exe | 118
Processes (number in brackets is the depth in the process tree)

[1] Image: C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"
    PID: 3984
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] Image: C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
    Command line: C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
    PID: 3692
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] Image: C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
    Command line: C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
    PID: 1216
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] Image: C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
    Command line: C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
    PID: 632
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] Image: C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
    Command line: C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
    PID: 2504
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] Image: C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
    Command line: C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
    PID: 3112
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] Image: C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
    Command line: C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
    PID: 1872
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] Image: C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
    Command line: C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
    PID: 1348
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] Image: C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
    Command line: C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
    PID: 1156
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] Image: C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
    Command line: C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
    PID: 1200
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[11] Image: C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
    Command line: C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
    PID: 4328
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[12] Image: C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
    Command line: C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
    PID: 376
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[13] Image: C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe
    Command line: C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe
    PID: 1736
    - Executes dropped EXE

[13] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E14~1.EXE > nul
    PID: 4652

[12] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4E005~1.EXE > nul
    PID: 3984

[11] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{03295~1.EXE > nul
    PID: 4512

[10] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F74~1.EXE > nul
    PID: 2032

[9] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4A02D~1.EXE > nul
    PID: 3672

[8] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AC90A~1.EXE > nul
    PID: 2256

[7] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7E9~1.EXE > nul
    PID: 4788

[6] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBC9~1.EXE > nul
    PID: 1620

[5] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CC762~1.EXE > nul
    PID: 2628

[4] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{57E36~1.EXE > nul
    PID: 1092

[3] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CF42C~1.EXE > nul
    PID: 3988

[2] Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 4676

Network
MITRE ATT&CK Enterprise v15
Downloads