Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Size: 197KB
MD5: e4d2a0c0c33dc92bb5245ec3f744cdbf
SHA1: 3efb34fc084ec2a81d56a8253fe55a2245e969a3
SHA256: 2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e
SHA512: ed6b4ebfc4e272740d4eb36f8ef6906bf29a6579a80fbad88414d9c3b4ac01839ee609a710d9df1a66708d0329c5df62fe74d9a930a1eb2017b4922618d75a17
SSDEEP: 3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023162-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023241-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324e-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023241-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D} | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762} | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9C31-DCBC-40b5-85BE-42289F29373F}\stubpath = "C:\\Windows\\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe" | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9C31-DCBC-40b5-85BE-42289F29373F} | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}\stubpath = "C:\\Windows\\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe" | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}\stubpath = "C:\\Windows\\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe" | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25} | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}\stubpath = "C:\\Windows\\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe" | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54370453-3C4D-4bb3-9D78-10B68D041334}\stubpath = "C:\\Windows\\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe" | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7B2012-539B-4fd6-B920-4609950626F9} | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7B2012-539B-4fd6-B920-4609950626F9}\stubpath = "C:\\Windows\\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe" | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD} | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}\stubpath = "C:\\Windows\\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe" | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}\stubpath = "C:\\Windows\\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe" | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5} | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080B4434-0C83-440a-AB17-6F320EFB129E} | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080B4434-0C83-440a-AB17-6F320EFB129E}\stubpath = "C:\\Windows\\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe" | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58C4F985-777B-46a7-B1A5-A98752F5E3D5} | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462} | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}\stubpath = "C:\\Windows\\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe" | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54370453-3C4D-4bb3-9D78-10B68D041334} | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}\stubpath = "C:\\Windows\\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe" | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
Executes dropped EXE 11 IoCs
pid | Process
2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe
992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe
2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
2172 | {080B4434-0C83-440a-AB17-6F320EFB129E}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
File created | C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
File created | C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
File created | C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
File created | C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe
File created | C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
File created | C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
File created | C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe
File created | C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
File created | C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
File created | C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
Token: SeIncBasePriorityPrivilege | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
Token: SeIncBasePriorityPrivilege | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
Token: SeIncBasePriorityPrivilege | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
Token: SeIncBasePriorityPrivilege | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
Token: SeIncBasePriorityPrivilege | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe
Token: SeIncBasePriorityPrivilege | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe
Token: SeIncBasePriorityPrivilege | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
Token: SeIncBasePriorityPrivilege | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
Token: SeIncBasePriorityPrivilege | 3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4220 wrote to memory of 2504 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 94
PID 4220 wrote to memory of 2504 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 94
PID 4220 wrote to memory of 2504 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 94
PID 4220 wrote to memory of 4996 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 95
PID 4220 wrote to memory of 4996 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 95
PID 4220 wrote to memory of 4996 | 4220 | 2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe | 95
PID 2504 wrote to memory of 888 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 96
PID 2504 wrote to memory of 888 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 96
PID 2504 wrote to memory of 888 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 96
PID 2504 wrote to memory of 216 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 97
PID 2504 wrote to memory of 216 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 97
PID 2504 wrote to memory of 216 | 2504 | {EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe | 97
PID 888 wrote to memory of 2000 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 99
PID 888 wrote to memory of 2000 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 99
PID 888 wrote to memory of 2000 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 99
PID 888 wrote to memory of 2300 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 100
PID 888 wrote to memory of 2300 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 100
PID 888 wrote to memory of 2300 | 888 | {92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe | 100
PID 2000 wrote to memory of 4944 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 101
PID 2000 wrote to memory of 4944 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 101
PID 2000 wrote to memory of 4944 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 101
PID 2000 wrote to memory of 4128 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 102
PID 2000 wrote to memory of 4128 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 102
PID 2000 wrote to memory of 4128 | 2000 | {58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe | 102
PID 4944 wrote to memory of 3416 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 103
PID 4944 wrote to memory of 3416 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 103
PID 4944 wrote to memory of 3416 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 103
PID 4944 wrote to memory of 4516 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 104
PID 4944 wrote to memory of 4516 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 104
PID 4944 wrote to memory of 4516 | 4944 | {9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe | 104
PID 3416 wrote to memory of 4624 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 105
PID 3416 wrote to memory of 4624 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 105
PID 3416 wrote to memory of 4624 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 105
PID 3416 wrote to memory of 2304 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 106
PID 3416 wrote to memory of 2304 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 106
PID 3416 wrote to memory of 2304 | 3416 | {E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe | 106
PID 4624 wrote to memory of 992 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 107
PID 4624 wrote to memory of 992 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 107
PID 4624 wrote to memory of 992 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 107
PID 4624 wrote to memory of 4384 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 108
PID 4624 wrote to memory of 4384 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 108
PID 4624 wrote to memory of 4384 | 4624 | {54370453-3C4D-4bb3-9D78-10B68D041334}.exe | 108
PID 992 wrote to memory of 2944 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 109
PID 992 wrote to memory of 2944 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 109
PID 992 wrote to memory of 2944 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 109
PID 992 wrote to memory of 232 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 110
PID 992 wrote to memory of 232 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 110
PID 992 wrote to memory of 232 | 992 | {1D7B2012-539B-4fd6-B920-4609950626F9}.exe | 110
PID 2944 wrote to memory of 2044 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 111
PID 2944 wrote to memory of 2044 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 111
PID 2944 wrote to memory of 2044 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 111
PID 2944 wrote to memory of 2208 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 112
PID 2944 wrote to memory of 2208 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 112
PID 2944 wrote to memory of 2208 | 2944 | {3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe | 112
PID 2044 wrote to memory of 3784 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 113
PID 2044 wrote to memory of 3784 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 113
PID 2044 wrote to memory of 3784 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 113
PID 2044 wrote to memory of 1844 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 114
PID 2044 wrote to memory of 1844 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 114
PID 2044 wrote to memory of 1844 | 2044 | {912B9C31-DCBC-40b5-85BE-42289F29373F}.exe | 114
PID 3784 wrote to memory of 2172 | 3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | 115
PID 3784 wrote to memory of 2172 | 3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | 115
PID 3784 wrote to memory of 2172 | 3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | 115
PID 3784 wrote to memory of 1624 | 3784 | {A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe | 116
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe (depth 1, PID 4220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe (depth 2, PID 2504)
    Command line: C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe (depth 3, PID 888)
      Command line: C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe (depth 4, PID 2000)
        Command line: C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe (depth 5, PID 4944)
          Command line: C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe (depth 6, PID 3416)
            Command line: C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe (depth 7, PID 4624)
              Command line: C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe (depth 8, PID 992)
                Command line: C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe (depth 9, PID 2944)
                  Command line: C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe (depth 10, PID 2044)
                    Command line: C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe (depth 11, PID 3784)
                      Command line: C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe (depth 12, PID 2172)
                        Command line: C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
                        Signatures: Executes dropped EXE
                      - C:\Windows\SysWOW64\cmd.exe (depth 12, PID 1624)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A3ABD~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (depth 11, PID 1844)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{912B9~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2208)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD2F~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 232)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7B2~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4384)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{54370~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2304)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EA1~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 4516)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9D3F1~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4128)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{58C4F~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2300)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{92B78~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 216)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD30~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4996)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads