Analysis

max time kernel: 149s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Size: 192KB
MD5: b74120f39986ebaf4507dd39d76c5a14
SHA1: f5ea0ec84e6830c1044d993559b1b8a5f1935a55
SHA256: 21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291
SHA512: 906e42a51642a1a0c3cb94383ecaa6e5bea2761a61f7d547a4e4e806c8e138124867d103fb06383fbbb3740b3ef18811d3f374ca4dbd74773550b88b3d5e1607
SSDEEP: 1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ool1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures

Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x00070000000231e2-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000231db-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e9-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231db-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006db-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}\stubpath = "C:\\Windows\\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe" | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE} | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651C47C8-01D7-4345-91BE-DB021417A092}\stubpath = "C:\\Windows\\{651C47C8-01D7-4345-91BE-DB021417A092}.exe" | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72} | {651C47C8-01D7-4345-91BE-DB021417A092}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB18EE09-3F82-41eb-993E-4301F2707232}\stubpath = "C:\\Windows\\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe" | {34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1913E57F-A12B-4755-A932-D2AA5FE221C9} | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1913E57F-A12B-4755-A932-D2AA5FE221C9}\stubpath = "C:\\Windows\\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe" | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42723B1C-F75B-4464-931B-718D61F1FA72} | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223B197D-6314-4ab8-8D61-AE16B275A698} | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0} | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD} | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF82682E-7377-4a09-948D-0DB6CD97A905} | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}\stubpath = "C:\\Windows\\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe" | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6916BB1-1AF2-482d-A48F-866F5CF633AC} | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}\stubpath = "C:\\Windows\\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe" | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42723B1C-F75B-4464-931B-718D61F1FA72}\stubpath = "C:\\Windows\\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe" | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651C47C8-01D7-4345-91BE-DB021417A092} | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB18EE09-3F82-41eb-993E-4301F2707232} | {34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75034D37-7304-4983-AFAD-141DC02D1E5A} | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75034D37-7304-4983-AFAD-141DC02D1E5A}\stubpath = "C:\\Windows\\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe" | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF82682E-7377-4a09-948D-0DB6CD97A905}\stubpath = "C:\\Windows\\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe" | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}\stubpath = "C:\\Windows\\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe" | {651C47C8-01D7-4345-91BE-DB021417A092}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{223B197D-6314-4ab8-8D61-AE16B275A698}\stubpath = "C:\\Windows\\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe" | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}\stubpath = "C:\\Windows\\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe" | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe
Executes dropped EXE (12 IoCs)

pid | Process
4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe
5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe
1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe
808 | {34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
2960 | {AB18EE09-3F82-41eb-993E-4301F2707232}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
File created | C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | {651C47C8-01D7-4345-91BE-DB021417A092}.exe
File created | C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe
File created | C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe | {34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
File created | C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
File created | C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
File created | C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
File created | C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe
File created | C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
File created | C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
File created | C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
File created | C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
Token: SeIncBasePriorityPrivilege | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
Token: SeIncBasePriorityPrivilege | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
Token: SeIncBasePriorityPrivilege | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
Token: SeIncBasePriorityPrivilege | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
Token: SeIncBasePriorityPrivilege | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe
Token: SeIncBasePriorityPrivilege | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe
Token: SeIncBasePriorityPrivilege | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
Token: SeIncBasePriorityPrivilege | 3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe
Token: SeIncBasePriorityPrivilege | 808 | {34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1640 wrote to memory of 4848 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 95
PID 1640 wrote to memory of 4848 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 95
PID 1640 wrote to memory of 4848 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 95
PID 1640 wrote to memory of 4040 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 96
PID 1640 wrote to memory of 4040 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 96
PID 1640 wrote to memory of 4040 | 1640 | 2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe | 96
PID 4848 wrote to memory of 1504 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 97
PID 4848 wrote to memory of 1504 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 97
PID 4848 wrote to memory of 1504 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 97
PID 4848 wrote to memory of 5116 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 98
PID 4848 wrote to memory of 5116 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 98
PID 4848 wrote to memory of 5116 | 4848 | {75034D37-7304-4983-AFAD-141DC02D1E5A}.exe | 98
PID 1504 wrote to memory of 4280 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 100
PID 1504 wrote to memory of 4280 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 100
PID 1504 wrote to memory of 4280 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 100
PID 1504 wrote to memory of 3468 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 101
PID 1504 wrote to memory of 3468 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 101
PID 1504 wrote to memory of 3468 | 1504 | {03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe | 101
PID 4280 wrote to memory of 3204 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 102
PID 4280 wrote to memory of 3204 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 102
PID 4280 wrote to memory of 3204 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 102
PID 4280 wrote to memory of 4788 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 103
PID 4280 wrote to memory of 4788 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 103
PID 4280 wrote to memory of 4788 | 4280 | {EF82682E-7377-4a09-948D-0DB6CD97A905}.exe | 103
PID 3204 wrote to memory of 5000 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 104
PID 3204 wrote to memory of 5000 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 104
PID 3204 wrote to memory of 5000 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 104
PID 3204 wrote to memory of 5040 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 105
PID 3204 wrote to memory of 5040 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 105
PID 3204 wrote to memory of 5040 | 3204 | {1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe | 105
PID 5000 wrote to memory of 2524 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 106
PID 5000 wrote to memory of 2524 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 106
PID 5000 wrote to memory of 2524 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 106
PID 5000 wrote to memory of 4360 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 107
PID 5000 wrote to memory of 4360 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 107
PID 5000 wrote to memory of 4360 | 5000 | {0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe | 107
PID 2524 wrote to memory of 4372 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 108
PID 2524 wrote to memory of 4372 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 108
PID 2524 wrote to memory of 4372 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 108
PID 2524 wrote to memory of 4972 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 109
PID 2524 wrote to memory of 4972 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 109
PID 2524 wrote to memory of 4972 | 2524 | {F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe | 109
PID 4372 wrote to memory of 5060 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 110
PID 4372 wrote to memory of 5060 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 110
PID 4372 wrote to memory of 5060 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 110
PID 4372 wrote to memory of 680 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 111
PID 4372 wrote to memory of 680 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 111
PID 4372 wrote to memory of 680 | 4372 | {42723B1C-F75B-4464-931B-718D61F1FA72}.exe | 111
PID 5060 wrote to memory of 1988 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 112
PID 5060 wrote to memory of 1988 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 112
PID 5060 wrote to memory of 1988 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 112
PID 5060 wrote to memory of 4908 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 113
PID 5060 wrote to memory of 4908 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 113
PID 5060 wrote to memory of 4908 | 5060 | {651C47C8-01D7-4345-91BE-DB021417A092}.exe | 113
PID 1988 wrote to memory of 3892 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 114
PID 1988 wrote to memory of 3892 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 114
PID 1988 wrote to memory of 3892 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 114
PID 1988 wrote to memory of 920 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 115
PID 1988 wrote to memory of 920 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 115
PID 1988 wrote to memory of 920 | 1988 | {BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe | 115
PID 3892 wrote to memory of 808 | 3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe | 116
PID 3892 wrote to memory of 808 | 3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe | 116
PID 3892 wrote to memory of 808 | 3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe | 116
PID 3892 wrote to memory of 4876 | 3892 | {223B197D-6314-4ab8-8D61-AE16B275A698}.exe | 117
Processes (depth gives the level in the process tree; each cmd.exe entry is a child of the executable listed one level above it)

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"
  PID: 1640
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
  Command line: C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
  PID: 4848
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 4040

[depth 3] C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
  Command line: C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
  PID: 1504
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{75034~1.EXE > nul
  PID: 5116

[depth 4] C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
  Command line: C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
  PID: 4280
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{03EF5~1.EXE > nul
  PID: 3468

[depth 5] C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
  Command line: C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
  PID: 3204
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF826~1.EXE > nul
  PID: 4788

[depth 6] C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
  Command line: C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
  PID: 5000
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1913E~1.EXE > nul
  PID: 5040

[depth 7] C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
  Command line: C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
  PID: 2524
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0E5B9~1.EXE > nul
  PID: 4360

[depth 8] C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
  Command line: C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
  PID: 4372
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F6916~1.EXE > nul
  PID: 4972

[depth 9] C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
  Command line: C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
  PID: 5060
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{42723~1.EXE > nul
  PID: 680

[depth 10] C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
  Command line: C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
  PID: 1988
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{651C4~1.EXE > nul
  PID: 4908

[depth 11] C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
  Command line: C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
  PID: 3892
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BB799~1.EXE > nul
  PID: 920

[depth 12] C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
  Command line: C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
  PID: 808
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{223B1~1.EXE > nul
  PID: 4876

[depth 13] C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe
  Command line: C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe
  PID: 2960
  - Executes dropped EXE

[depth 13] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34A09~1.EXE > nul
  PID: 1496
Network
MITRE ATT&CK Enterprise v15
Downloads

-
Filesize: 192KB
MD5: 632f5de6ddb7cbc1e82fe3da2ade607f
SHA1: 31fce5224d4856f7ee5bccf3a6132fd069b5d92a
SHA256: 54209f59ab57303331dbd9a99b489ef09d3d32654fcb1ef87add45a34642ba39
SHA512: 096ab142941158f4f78f28f5a3761b7a5787838251e32af2aee8b09fdfec569f9a8d6d35919cf8a1ec1f5d7027093164b90e364fbb9c115b70a39de253abdd8f
-
Filesize: 192KB
MD5: a61a7b5724d714d412c42ef5fb25486e
SHA1: 42050b0cc2efaebefb7d90e3a4998ba07eef4c0c
SHA256: 9e920232f3d385fde2f4a58d63291cf240a5ef3a4a72103af901a050c700f62a
SHA512: ba63403c11aac59bc96874e2d73a4d91a9af7698bea3c7c513582313f7df4b69c9ed9b739d08d2544ca732b834a7c1d4f335c3d7d4eba2c1b9e7028b6b8ce68d
-
Filesize: 192KB
MD5: d4cf6e476c25122f0ee3761484378300
SHA1: 4d0c6b096d1217efc8a7dd06c7ae0ccb117303e6
SHA256: 37f78c040f4cefa089991f19482978c6eb9ed513286eb1a66096c7ccd93193e9
SHA512: 8756a473ac49ea04207e33f1d551e2248b822948dd8b61521a3dff566a858bf16e43a4c3a74029641633343deb0d2721a5318d4728ca893fab5c93209119c744
-
Filesize: 192KB
MD5: 595b4204ed87a8db4c3623006798240b
SHA1: 437b00e026289aefa36fb53c4801cf3bae0846f3
SHA256: ee9b9a46652351e3b596975c845d59c051468ad2b4514096c7a843e3767632cc
SHA512: dc2860bec17b724164a433cdd6b60fcba5cd2848adac3f504dfe6be38c0ac3f9c2a1e34929c0557e944de337b7f7290f4bdc26e7f5c08d868dea507f6bd45d52
-
Filesize: 192KB
MD5: 04e541aad12a58dc156a1bce222e5bc6
SHA1: 42380d837f4e5a1dafefaa75fd7f0ce766b62001
SHA256: b39a7c41df2ca1281b103baa0f237bf0a2d86a4fa696cea3a386bdfdaaf653e4
SHA512: c84cf5b5cb62095a3797b9fca6da18198ac56f2dd62dc241e1adc6516d25d342e6dbe02588b4302017bb3c13e9f594f9d01aa8d91191e6881be26ac4100fae2f
-
Filesize: 192KB
MD5: 4e3dc5fe20190afdad7d051e0e422306
SHA1: 02e55184b6662327e0e6af6c6a8be8cc4746420f
SHA256: dcbc5ee52f9589526e9ec5a2f8057a8260586f3105e05c44d9cfce9f8eefabb9
SHA512: f5e1fb2ad3adc47c52fadcee8d42059bbfe0018b66d01f86bed97f1ee37b05aacd40c7641ec26fbdd8de26ad17c2df8fdbc44f9ad50a5476f44abe26d8438556
-
Filesize: 192KB
MD5: 8a6dce3283331245a56854c6e67cbb06
SHA1: 47bb21c6e5b54f0dabca3acb4001c6f172f06a25
SHA256: bcbbd2793472c371106195af3e31df5706bcc437392a4e999e6f6a68820928e2
SHA512: 6141031aee3d9cad3118cb5df2de257a765a762d4576e44f381d3f54c8426774cee5c23652f2900b4e7a3289c5519e49cb9daa7c5a150dfa30aa79fedfa75303
-
Filesize: 192KB
MD5: 694c9e86cd85f7362dd7e6dc514ec0b9
SHA1: 0ad1fe62854aa38c5539c2e7b667cebe44371823
SHA256: 8fc2bb0cf6eab93b131f16bdf0180f61b580375333cafcdc4d26e0a1db8704a4
SHA512: 286dec890858a91b0fc06cd31eceba0ae6c2cf96faf637e3fb0685ef25cebf682dae916e40d4f8416588aece5ac533fff733652d9594cd35c2a733cd81f6ce91
-
Filesize: 192KB
MD5: 9ee357d65edc8a7c3ae4f39cfbf89ac3
SHA1: 2a988363797ad20b9805de80d376be4481f48304
SHA256: 76aba62559a520c35fdc2614ba5b2bdedd236e18671dae0537b8f47201a5c222
SHA512: fe80712d34e53b1dcd4dadaa57ab7c7728f39a18ea35e179a33f7d5d0db51497e5be003d4f4a40b73d426aadb16d8290454d3181e685ff3766b57af169e92134
-
Filesize: 192KB
MD5: ebb98166aae649d0dd74f655b105b9a3
SHA1: e35846e2addabba2926922bad1c30a13a7068e1d
SHA256: 15d72c234daa065e8cecc0d78473d504ecbe6bad2a7c2862aa8507fedd090d48
SHA512: a9aa41d3721aa6d5eb0eef2dad636471e5f1b0154f8f38d5e7fde1b388108e1cdbe42ab48f22f9be5e21dff1a99f485fae020099e58677900c445227883e04a3
-
Filesize: 192KB
MD5: 226cfbc1f59376911d164a505733cc9b
SHA1: 2eeba35d1c79d21d5da6ec75d6c11f09b5bb3fdc
SHA256: df2690b448d26da7ba3c6a691e61efa49224034bf290e26ac7be28ed5b640ce4
SHA512: 534b9685d4c94eb458b086634b90beeea85b8bb179a28db8dd036fc3e084cb7181c19f5d624fc2aaf90a2ae59310bcd230c93fd0fa7f4d0f7d4fd863693a3c80
-
Filesize: 192KB
MD5: f3d37850bdd8a7e308af3129584aed7d
SHA1: e5bbd744d06f6bbf9b6c75652f60f3ffa7df504f
SHA256: 7f31fbbc2d9f61fb0871aca95ea4a1ce048f788ad8c7001417afb71837debaf6
SHA512: 1441a8c9bd0b3c74e4ec2e395700717964ecf7cac5fa7209e28021baecca30389823eac581060ca2259eefa5ff9479a1b7582f8a1f5892025bbc55014f5861f3