Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Size: 380KB
MD5: f036fbd260dca5a72a2b761714835ff7
SHA1: fe5480d67ab5bba2aafecee3959c00bef49081ed
SHA256: c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da
SHA512: d6bdbbc62a92136599d9d31defb0dcd369f91902ff2a48cad8cea1ad9e8adf3b436f43df659a68a0570f895547e7d6558bcd6598f78456cc0e4a77bfc7579aba
SSDEEP: 3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002322c-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023228-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023228-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536}\stubpath = "C:\\Windows\\{8C4F2825-2B7E-4a58-B284-188481186536}.exe" | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439} | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}\stubpath = "C:\\Windows\\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe" | {47626205-076F-4679-A319-F56900DB60E2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38} | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581} | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810} | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF02139F-3ADB-450c-8D89-47157CCB2810}\stubpath = "C:\\Windows\\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe" | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4} | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C} | {B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2}\stubpath = "C:\\Windows\\{47626205-076F-4679-A319-F56900DB60E2}.exe" | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8}\stubpath = "C:\\Windows\\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe" | {8C4F2825-2B7E-4a58-B284-188481186536}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}\stubpath = "C:\\Windows\\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe" | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8}\stubpath = "C:\\Windows\\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe" | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B797B3BE-F9F6-4f85-91AF-696809B0E439}\stubpath = "C:\\Windows\\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe" | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7327239F-91DB-43c0-8952-30548D4F149C}\stubpath = "C:\\Windows\\{7327239F-91DB-43c0-8952-30548D4F149C}.exe" | {B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E} | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}\stubpath = "C:\\Windows\\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe" | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4F2825-2B7E-4a58-B284-188481186536} | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838FFA4-080A-4be0-8855-B9EADB6606F8} | {8C4F2825-2B7E-4a58-B284-188481186536}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8BD6D4-D267-433e-8071-5F03696331E8} | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E4CF73-AD21-4566-B1F8-9F828B671581}\stubpath = "C:\\Windows\\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe" | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}\stubpath = "C:\\Windows\\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe" | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47626205-076F-4679-A319-F56900DB60E2} | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE503C21-AC48-48df-B94D-577BA8A2DFD1} | {47626205-076F-4679-A319-F56900DB60E2}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe
2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe
1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
556 | {B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
2196 | {7327239F-91DB-43c0-8952-30548D4F149C}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
File created | C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | {8C4F2825-2B7E-4a58-B284-188481186536}.exe
File created | C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
File created | C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
File created | C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
File created | C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
File created | C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | {47626205-076F-4679-A319-F56900DB60E2}.exe
File created | C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
File created | C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
File created | C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
File created | C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe | {B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
File created | C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
Token: SeIncBasePriorityPrivilege | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe
Token: SeIncBasePriorityPrivilege | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
Token: SeIncBasePriorityPrivilege | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
Token: SeIncBasePriorityPrivilege | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe
Token: SeIncBasePriorityPrivilege | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
Token: SeIncBasePriorityPrivilege | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
Token: SeIncBasePriorityPrivilege | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
Token: SeIncBasePriorityPrivilege | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
Token: SeIncBasePriorityPrivilege | 1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
Token: SeIncBasePriorityPrivilege | 556 | {B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3100 wrote to memory of 3420 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 96
PID 3100 wrote to memory of 3420 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 96
PID 3100 wrote to memory of 3420 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 96
PID 3100 wrote to memory of 4884 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 97
PID 3100 wrote to memory of 4884 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 97
PID 3100 wrote to memory of 4884 | 3100 | 2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe | 97
PID 3420 wrote to memory of 2320 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 98
PID 3420 wrote to memory of 2320 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 98
PID 3420 wrote to memory of 2320 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 98
PID 3420 wrote to memory of 1016 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 99
PID 3420 wrote to memory of 1016 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 99
PID 3420 wrote to memory of 1016 | 3420 | {B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe | 99
PID 2320 wrote to memory of 2088 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 101
PID 2320 wrote to memory of 2088 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 101
PID 2320 wrote to memory of 2088 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 101
PID 2320 wrote to memory of 2124 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 102
PID 2320 wrote to memory of 2124 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 102
PID 2320 wrote to memory of 2124 | 2320 | {47626205-076F-4679-A319-F56900DB60E2}.exe | 102
PID 2088 wrote to memory of 4404 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 103
PID 2088 wrote to memory of 4404 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 103
PID 2088 wrote to memory of 4404 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 103
PID 2088 wrote to memory of 2624 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 104
PID 2088 wrote to memory of 2624 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 104
PID 2088 wrote to memory of 2624 | 2088 | {CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe | 104
PID 4404 wrote to memory of 1740 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 105
PID 4404 wrote to memory of 1740 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 105
PID 4404 wrote to memory of 1740 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 105
PID 4404 wrote to memory of 4976 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 106
PID 4404 wrote to memory of 4976 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 106
PID 4404 wrote to memory of 4976 | 4404 | {749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe | 106
PID 1740 wrote to memory of 1464 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 107
PID 1740 wrote to memory of 1464 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 107
PID 1740 wrote to memory of 1464 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 107
PID 1740 wrote to memory of 3772 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 108
PID 1740 wrote to memory of 3772 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 108
PID 1740 wrote to memory of 3772 | 1740 | {8C4F2825-2B7E-4a58-B284-188481186536}.exe | 108
PID 1464 wrote to memory of 4704 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 109
PID 1464 wrote to memory of 4704 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 109
PID 1464 wrote to memory of 4704 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 109
PID 1464 wrote to memory of 1484 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 110
PID 1464 wrote to memory of 1484 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 110
PID 1464 wrote to memory of 1484 | 1464 | {9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe | 110
PID 4704 wrote to memory of 4328 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 111
PID 4704 wrote to memory of 4328 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 111
PID 4704 wrote to memory of 4328 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 111
PID 4704 wrote to memory of 5092 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 112
PID 4704 wrote to memory of 5092 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 112
PID 4704 wrote to memory of 5092 | 4704 | {0E8BD6D4-D267-433e-8071-5F03696331E8}.exe | 112
PID 4328 wrote to memory of 4652 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 113
PID 4328 wrote to memory of 4652 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 113
PID 4328 wrote to memory of 4652 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 113
PID 4328 wrote to memory of 4344 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 114
PID 4328 wrote to memory of 4344 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 114
PID 4328 wrote to memory of 4344 | 4328 | {D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe | 114
PID 4652 wrote to memory of 1124 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 115
PID 4652 wrote to memory of 1124 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 115
PID 4652 wrote to memory of 1124 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 115
PID 4652 wrote to memory of 1876 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 116
PID 4652 wrote to memory of 1876 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 116
PID 4652 wrote to memory of 1876 | 4652 | {EF02139F-3ADB-450c-8D89-47157CCB2810}.exe | 116
PID 1124 wrote to memory of 556 | 1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | 117
PID 1124 wrote to memory of 556 | 1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | 117
PID 1124 wrote to memory of 556 | 1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | 117
PID 1124 wrote to memory of 3464 | 1124 | {B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe | 118
Processes
(depth number, image path, command line, PID, then the signatures matched by that process; child processes are indented under their parent)

1 C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"
  PID: 3100
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
    Command line: C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
    PID: 3420
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
      Command line: C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
      PID: 2320
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
        Command line: C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
        PID: 2088
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
          Command line: C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
          PID: 4404
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
            Command line: C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
            PID: 1740
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            7 C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
              Command line: C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
              PID: 1464
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              8 C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
                Command line: C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
                PID: 4704
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                9 C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
                  Command line: C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
                  PID: 4328
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  10 C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
                    Command line: C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
                    PID: 4652
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    11 C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
                      Command line: C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
                      PID: 1124
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      12 C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
                        Command line: C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
                        PID: 556
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        13 C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
                          Command line: C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
                          PID: 2196
                          - Executes dropped EXE
                        13 C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B797B~1.EXE > nul
                          PID: 3664
                      12 C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B899B~1.EXE > nul
                        PID: 3464
                    11 C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF021~1.EXE > nul
                      PID: 1876
                  10 C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E4C~1.EXE > nul
                    PID: 4344
                9 C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8BD~1.EXE > nul
                  PID: 5092
              8 C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9838F~1.EXE > nul
                PID: 1484
            7 C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4F2~1.EXE > nul
              PID: 3772
          6 C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{749A5~1.EXE > nul
            PID: 4976
        5 C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CE503~1.EXE > nul
          PID: 2624
      4 C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{47626~1.EXE > nul
        PID: 2124
    3 C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B06E0~1.EXE > nul
      PID: 1016
  2 C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 4884

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 380KB
MD5: 2af684362148e8668723d9f866d8eda3
SHA1: e4de2164d0df780cafe97296e9939435af71d784
SHA256: d35231bb1bc1ceb5549cb180ba3769ec43cb19dca93230e63cbe57f9b2573d9c
SHA512: 028dd2fbfccd3f60de3cda979f7a485db8780eca2617ba89ec0d2ce03f0c3cb46c41f531a8f82144e67dafd79ae592bb9dc49524040a42369c92e0332eec12f1

Filesize: 380KB
MD5: 3a0ba1bb161ac9b5a21e1284868c8906
SHA1: 0c8b1791729ec52dec422df49bcee41802ac9775
SHA256: a55fd6b732eaeb577c8e8a1404c7fdf3ddd2e7542e5ab9ddfbbb1a5e9e19c8c4
SHA512: 152910767439e1ccecd41a57205b96a03e9a7496bfb7d589463be7f26974e0e3de8f5a93af6efc9a18aa23ee0eddb78894744ad0535c68d834a8d5069079d5cb

Filesize: 380KB
MD5: c3698d11005c279eed9cb1e1cbd22c1d
SHA1: f7560a045e60567a39de102cf0e7e772c3cebe2f
SHA256: 5bc9a3ca9e861700db6614edbddb0f2c4834b7e1cacecc87a2ad482969ad7009
SHA512: b8534deaeea5084dad30c019856c4c629f2c8a5baed0f743f706a7965459b674023808393d7010ff42bdf405dac7d49def616065c96926c4996fe9765d69b456

Filesize: 380KB
MD5: 266050b0429000b5c7b46ea36a48ea56
SHA1: cd61a72c78cabf3d567e6764853999ab7175794f
SHA256: 1ea58499d6c5f746b768041f7e7c1135f495a34cd53a10c3e58172984f94d98a
SHA512: 393c7d913207b9ab53c88964af7e335a84755b59a6cd571ad3b8135e03c283f4d8f8ee2e03ed6f4bf5879cda573e48e15fac82a07da7147fe8d8f06cde0d13d9

Filesize: 380KB
MD5: 7bde490f92506b270207842ddd9b50a1
SHA1: 4870d1bf313f422a979ac980e69413f762626ea3
SHA256: f768a2fee3859324d2b4f97e9aa6945c6795e9ff787384b4add100d86d1f49fe
SHA512: 4e8ad0721515b218573ae87dcfb55c08a7afbd5fc41948bdec6c6bd27434a798c77faef29e7ce9cc9b90cabc7dbde3307ff3dd6006630e11b332bec2f63d202e

Filesize: 380KB
MD5: 496d2a05ebfb3c469ebb8f7b1ed09a8c
SHA1: 64f9955dd37dc487cc086e1f64447896483f3c96
SHA256: f61c5fc72399b1a60924503f3485288399f988d740eec8d47ab3f3839f500113
SHA512: 3f0969103ecf51969a1d9e89be69d9044bd700341b2d5dc85a00579d4240968a7d2e679776e02ccfd5531fb5e06561a94e619c251b9b3741e3b4124af8069103

Filesize: 380KB
MD5: bbeeb1fe07132072d41e48cf20d5af1c
SHA1: 4f72a2e1832643cb51f0fe3363c4ec4d65716eee
SHA256: b10c769f001f108fc67ffdf3bbf639df68d5beec5afe04464df2cbd2b096d243
SHA512: 4d0b6e869b3d77c9e57bc8bfd57dce70d3e0b6cd257c58c889aa6517a58b387fc9f2f2b5a3fc8c5b9a64c2f5575fa70299e35a8c0b842ee2cc69bb4a9cdd3763

Filesize: 380KB
MD5: 6be44d31e500ba4d085abe3bf1e0cc39
SHA1: e1069ebd6712574841328017806c9c2d4792e613
SHA256: e97a73b971a4a2764ce0d89c03af68245d63451262ab1bd5c9dd798dbb018767
SHA512: 5fd2d49296be3185c0f1f8ad70535ea978f58a6f3230f6a09c068dc2820f8cd97d261357c8ccda72d368fe623fcff512f72a35ae9d282367a6ee04b16a1db07f

Filesize: 380KB
MD5: 33f38b59f55e7a9b2abb800a0a756297
SHA1: 12321646e8f9afac759520984ad4bd63e5bd9b76
SHA256: 31d4f863a0ec42963782462e5b30cbd0a1ada48cf554d218913f79edd0c57466
SHA512: f25cddcab63a789531d050febf0e59fc95ba139616ff12335157ff08987672531211088cc03859fc05154c1ecef573ea5eb17a07a327419adcdcc19506b940fc

Filesize: 380KB
MD5: 8a2283a479a1a61e5f4c379a22347a04
SHA1: dbacf57cedb3bf50ddb68cc6d1b56104482a90c5
SHA256: 610aec70006a57b54fb5c610242034563ff092abbd3dc81b4086eedc8479ade4
SHA512: cb01ab652a0cea1a4554aec1b230612d8362b561b8baf874e0152415f0c153c06eccb8e1270200aff7cf4a0d716a9b6c288e291728187aaf2a38c34445c99e93

Filesize: 380KB
MD5: dadd9905d8d1a8a1d978ca571124964e
SHA1: 3967a07404972c490968704715e8b55954fdf8ee
SHA256: ed68b7363b5d45092fcd99e5486e98fa4eff55bd71b383953d9a91d0107e7d3a
SHA512: d6482c02e20a3be4fa566475d6fb3a7cc427ea40f7cb79e47d5290b10a26fd30fab7ff3f9b90930fe236a6c60ed32db250c86da9af9c987151fc232c63aafaaa

Filesize: 380KB
MD5: cd7a50628e66e4596dcb0f9ba10e43bf
SHA1: d7c22edc336f57e834d153de73b5f904ec2c84db
SHA256: a7fba4653fd9d9b6da899775863468a91d79d46f68e1b840190ad689c41d89c7
SHA512: d21f615501c0f8adeedb9487f65078db19720eb83853d5e5b4e7e97cf8c97a2354ce71999acc4bb7719ddf59b6ef3be970b6ecb2635aaed76a31458616f70fb4