Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:36

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
  Resource: win10v2004-20240226-en

General

Target: 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Size: 216KB
MD5: 8ea0dd1a711c9c10168735d32e4aa174
SHA1: 25d038f82d14faf3c2911dd41ed978c86d838ae0
SHA256: dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e
SHA512: 25b011767726f66f55f5e1238de4535958536fdef94ece48267afae0bc1ff0e5ccf9963e073dd30ed47a765b5cdf23c3341d1e85d195c4daec3699cb2a33533d
SSDEEP: 3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Malware Config

Signatures
Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x0007000000023210-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320b-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023217-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320b-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B97CE493-16F8-4140-884F-15FB1B237A16} | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D} | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D63F22D9-9ED5-4316-8767-821075F36FAF}\stubpath = "C:\\Windows\\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe" | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}\stubpath = "C:\\Windows\\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe" | {918FB280-112E-4283-97CF-5681231EA6BF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE} | {12C40225-1013-4415-A568-FB02DB725901}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9} | {918FB280-112E-4283-97CF-5681231EA6BF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB533CCD-0C97-4751-BC4C-F246376E0600}\stubpath = "C:\\Windows\\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe" | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}\stubpath = "C:\\Windows\\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe" | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D812A7-C614-4f51-9C74-610C39DBF4F3} | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA15531-A12A-4272-AA7C-2956CD817667} | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE23A6F-85C7-41f0-A344-CA8116409042} | {D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918FB280-112E-4283-97CF-5681231EA6BF} | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918FB280-112E-4283-97CF-5681231EA6BF}\stubpath = "C:\\Windows\\{918FB280-112E-4283-97CF-5681231EA6BF}.exe" | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B97CE493-16F8-4140-884F-15FB1B237A16}\stubpath = "C:\\Windows\\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe" | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D63F22D9-9ED5-4316-8767-821075F36FAF} | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE23A6F-85C7-41f0-A344-CA8116409042}\stubpath = "C:\\Windows\\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe" | {D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB533CCD-0C97-4751-BC4C-F246376E0600} | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C40225-1013-4415-A568-FB02DB725901} | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A} | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D812A7-C614-4f51-9C74-610C39DBF4F3}\stubpath = "C:\\Windows\\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe" | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA15531-A12A-4272-AA7C-2956CD817667}\stubpath = "C:\\Windows\\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe" | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}\stubpath = "C:\\Windows\\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe" | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C40225-1013-4415-A568-FB02DB725901}\stubpath = "C:\\Windows\\{12C40225-1013-4415-A568-FB02DB725901}.exe" | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}\stubpath = "C:\\Windows\\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe" | {12C40225-1013-4415-A568-FB02DB725901}.exe
Executes dropped EXE (12 IoCs)

pid | Process
656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe
2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe
1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe
4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe
2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
5000 | {D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
4540 | {4EE23A6F-85C7-41f0-A344-CA8116409042}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
File created | C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
File created | C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | {12C40225-1013-4415-A568-FB02DB725901}.exe
File created | C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
File created | C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe
File created | C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
File created | C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe | {D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
File created | C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | {918FB280-112E-4283-97CF-5681231EA6BF}.exe
File created | C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
File created | C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
File created | C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe
File created | C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe
Token: SeIncBasePriorityPrivilege | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
Token: SeIncBasePriorityPrivilege | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
Token: SeIncBasePriorityPrivilege | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe
Token: SeIncBasePriorityPrivilege | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
Token: SeIncBasePriorityPrivilege | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
Token: SeIncBasePriorityPrivilege | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe
Token: SeIncBasePriorityPrivilege | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe
Token: SeIncBasePriorityPrivilege | 2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2872 wrote to memory of 656 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 97
PID 2872 wrote to memory of 656 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 97
PID 2872 wrote to memory of 656 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 97
PID 2872 wrote to memory of 5076 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 98
PID 2872 wrote to memory of 5076 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 98
PID 2872 wrote to memory of 5076 | 2872 | 2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe | 98
PID 656 wrote to memory of 2496 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 99
PID 656 wrote to memory of 2496 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 99
PID 656 wrote to memory of 2496 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 99
PID 656 wrote to memory of 5060 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 100
PID 656 wrote to memory of 5060 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 100
PID 656 wrote to memory of 5060 | 656 | {918FB280-112E-4283-97CF-5681231EA6BF}.exe | 100
PID 2496 wrote to memory of 4596 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 102
PID 2496 wrote to memory of 4596 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 102
PID 2496 wrote to memory of 4596 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 102
PID 2496 wrote to memory of 1948 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 103
PID 2496 wrote to memory of 1948 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 103
PID 2496 wrote to memory of 1948 | 2496 | {A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe | 103
PID 4596 wrote to memory of 1620 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 104
PID 4596 wrote to memory of 1620 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 104
PID 4596 wrote to memory of 1620 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 104
PID 4596 wrote to memory of 3420 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 105
PID 4596 wrote to memory of 3420 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 105
PID 4596 wrote to memory of 3420 | 4596 | {BB533CCD-0C97-4751-BC4C-F246376E0600}.exe | 105
PID 1620 wrote to memory of 1248 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 106
PID 1620 wrote to memory of 1248 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 106
PID 1620 wrote to memory of 1248 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 106
PID 1620 wrote to memory of 2572 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 107
PID 1620 wrote to memory of 2572 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 107
PID 1620 wrote to memory of 2572 | 1620 | {12C40225-1013-4415-A568-FB02DB725901}.exe | 107
PID 1248 wrote to memory of 2824 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 108
PID 1248 wrote to memory of 2824 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 108
PID 1248 wrote to memory of 2824 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 108
PID 1248 wrote to memory of 2840 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 109
PID 1248 wrote to memory of 2840 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 109
PID 1248 wrote to memory of 2840 | 1248 | {A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe | 109
PID 2824 wrote to memory of 4308 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 110
PID 2824 wrote to memory of 4308 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 110
PID 2824 wrote to memory of 4308 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 110
PID 2824 wrote to memory of 2072 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 111
PID 2824 wrote to memory of 2072 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 111
PID 2824 wrote to memory of 2072 | 2824 | {74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe | 111
PID 4308 wrote to memory of 3820 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 112
PID 4308 wrote to memory of 3820 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 112
PID 4308 wrote to memory of 3820 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 112
PID 4308 wrote to memory of 4916 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 113
PID 4308 wrote to memory of 4916 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 113
PID 4308 wrote to memory of 4916 | 4308 | {80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe | 113
PID 3820 wrote to memory of 4036 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 114
PID 3820 wrote to memory of 4036 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 114
PID 3820 wrote to memory of 4036 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 114
PID 3820 wrote to memory of 1988 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 115
PID 3820 wrote to memory of 1988 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 115
PID 3820 wrote to memory of 1988 | 3820 | {B97CE493-16F8-4140-884F-15FB1B237A16}.exe | 115
PID 4036 wrote to memory of 2484 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 116
PID 4036 wrote to memory of 2484 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 116
PID 4036 wrote to memory of 2484 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 116
PID 4036 wrote to memory of 824 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 117
PID 4036 wrote to memory of 824 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 117
PID 4036 wrote to memory of 824 | 4036 | {9BA15531-A12A-4272-AA7C-2956CD817667}.exe | 117
PID 2484 wrote to memory of 5000 | 2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe | 118
PID 2484 wrote to memory of 5000 | 2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe | 118
PID 2484 wrote to memory of 5000 | 2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe | 118
PID 2484 wrote to memory of 3216 | 2484 | {2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe | 119
Processes

Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, the PID and the signatures that fired for that process):

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe (PID 2872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe (PID 656)
      Command line: C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe (PID 2496)
        Command line: C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe (PID 4596)
          Command line: C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe (PID 1620)
            Command line: C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe (PID 1248)
              Command line: C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe (PID 2824)
                Command line: C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe (PID 4308)
                  Command line: C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe (PID 3820)
                    Command line: C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe (PID 4036)
                       Command line: C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe (PID 2484)
                         Command line: C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe (PID 5000)
                           Command line: C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe (PID 4540)
                             Command line: C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe
                             - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 2540)
                             Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D63F2~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 3216)
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD4A~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 824)
                         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA15~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1988)
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B97CE~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 4916)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{80D81~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2072)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{74B5E~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2840)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A25A0~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2572)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{12C40~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 3420)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BB533~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1948)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A45AC~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 5060)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{918FB~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 5076)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads