Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 19:52
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Resource: win10v2004-20240412-en
General
Target: 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Size: 408KB
MD5: 810074d7792fd317e3ca96f6eeebe3bc
SHA1: aec915f1c3b177aeb021b3e4ebac9879534e75f8
SHA256: 6fe40ad407fa1a10ffd59ad3d5c546ab8981b00ad90e74b01f30e6fba26b2a1c
SHA512: 40ec2064878db8515ce0cc2a7e677ede8b3e26bdb545f6116b2c61a19c5d418ed2fd4e66a74b1431ba074042fca97c4b9c4ba800a86f2883c5151d43e5e289b0
SSDEEP: 3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000012331-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000013a88-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A8842C-B048-47e6-9D8B-AE8728BA950A} | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A8842C-B048-47e6-9D8B-AE8728BA950A}\stubpath = "C:\\Windows\\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe" | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}\stubpath = "C:\\Windows\\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe" | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF190C11-2964-4c13-80CA-4702B86347DC} | {ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077} | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2} | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}\stubpath = "C:\\Windows\\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe" | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19DD2C83-37ED-4ae6-87AD-22E1325478D2} | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}\stubpath = "C:\\Windows\\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe" | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}\stubpath = "C:\\Windows\\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe" | {AF190C11-2964-4c13-80CA-4702B86347DC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A62DD74-4C56-405a-9178-756A9D9025E0} | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A62DD74-4C56-405a-9178-756A9D9025E0}\stubpath = "C:\\Windows\\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe" | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}\stubpath = "C:\\Windows\\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe" | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF190C11-2964-4c13-80CA-4702B86347DC}\stubpath = "C:\\Windows\\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe" | {ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}\stubpath = "C:\\Windows\\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe" | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3} | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4} | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7A8968-0632-43f5-8BED-34668FB124CD}\stubpath = "C:\\Windows\\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe" | {3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9} | {AF190C11-2964-4c13-80CA-4702B86347DC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}\stubpath = "C:\\Windows\\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe" | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B} | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED7A8968-0632-43f5-8BED-34668FB124CD} | {3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
Deletes itself (1 IoC)
pid | Process
2484 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
1244 | {3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
2200 | {ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
768 | {AF190C11-2964-4c13-80CA-4702B86347DC}.exe
1820 | {FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
File created | C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
File created | C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
File created | C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe | {ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
File created | C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
File created | C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe | {3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
File created | C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe | {AF190C11-2964-4c13-80CA-4702B86347DC}.exe
File created | C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
File created | C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
File created | C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
File created | C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
Token: SeIncBasePriorityPrivilege | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
Token: SeIncBasePriorityPrivilege | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
Token: SeIncBasePriorityPrivilege | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
Token: SeIncBasePriorityPrivilege | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
Token: SeIncBasePriorityPrivilege | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
Token: SeIncBasePriorityPrivilege | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
Token: SeIncBasePriorityPrivilege | 1244 | {3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
Token: SeIncBasePriorityPrivilege | 2200 | {ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
Token: SeIncBasePriorityPrivilege | 768 | {AF190C11-2964-4c13-80CA-4702B86347DC}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2472 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 28
PID 2184 wrote to memory of 2472 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 28
PID 2184 wrote to memory of 2472 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 28
PID 2184 wrote to memory of 2472 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 28
PID 2184 wrote to memory of 2484 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 29
PID 2184 wrote to memory of 2484 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 29
PID 2184 wrote to memory of 2484 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 29
PID 2184 wrote to memory of 2484 | 2184 | 2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe | 29
PID 2472 wrote to memory of 2504 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 30
PID 2472 wrote to memory of 2504 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 30
PID 2472 wrote to memory of 2504 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 30
PID 2472 wrote to memory of 2504 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 30
PID 2472 wrote to memory of 2540 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 31
PID 2472 wrote to memory of 2540 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 31
PID 2472 wrote to memory of 2540 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 31
PID 2472 wrote to memory of 2540 | 2472 | {C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe | 31
PID 2504 wrote to memory of 2304 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 32
PID 2504 wrote to memory of 2304 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 32
PID 2504 wrote to memory of 2304 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 32
PID 2504 wrote to memory of 2304 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 32
PID 2504 wrote to memory of 2424 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 33
PID 2504 wrote to memory of 2424 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 33
PID 2504 wrote to memory of 2424 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 33
PID 2504 wrote to memory of 2424 | 2504 | {2A62DD74-4C56-405a-9178-756A9D9025E0}.exe | 33
PID 2304 wrote to memory of 856 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 36
PID 2304 wrote to memory of 856 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 36
PID 2304 wrote to memory of 856 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 36
PID 2304 wrote to memory of 856 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 36
PID 2304 wrote to memory of 1364 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 37
PID 2304 wrote to memory of 1364 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 37
PID 2304 wrote to memory of 1364 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 37
PID 2304 wrote to memory of 1364 | 2304 | {F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe | 37
PID 856 wrote to memory of 2716 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 38
PID 856 wrote to memory of 2716 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 38
PID 856 wrote to memory of 2716 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 38
PID 856 wrote to memory of 2716 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 38
PID 856 wrote to memory of 1612 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 39
PID 856 wrote to memory of 1612 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 39
PID 856 wrote to memory of 1612 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 39
PID 856 wrote to memory of 1612 | 856 | {AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe | 39
PID 2716 wrote to memory of 1960 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 40
PID 2716 wrote to memory of 1960 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 40
PID 2716 wrote to memory of 1960 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 40
PID 2716 wrote to memory of 1960 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 40
PID 2716 wrote to memory of 2156 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 41
PID 2716 wrote to memory of 2156 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 41
PID 2716 wrote to memory of 2156 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 41
PID 2716 wrote to memory of 2156 | 2716 | {C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe | 41
PID 1960 wrote to memory of 2736 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 42
PID 1960 wrote to memory of 2736 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 42
PID 1960 wrote to memory of 2736 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 42
PID 1960 wrote to memory of 2736 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 42
PID 1960 wrote to memory of 1348 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 43
PID 1960 wrote to memory of 1348 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 43
PID 1960 wrote to memory of 1348 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 43
PID 1960 wrote to memory of 1348 | 1960 | {19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe | 43
PID 2736 wrote to memory of 1244 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 44
PID 2736 wrote to memory of 1244 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 44
PID 2736 wrote to memory of 1244 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 44
PID 2736 wrote to memory of 1244 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 44
PID 2736 wrote to memory of 2984 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 45
PID 2736 wrote to memory of 2984 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 45
PID 2736 wrote to memory of 2984 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 45
PID 2736 wrote to memory of 2984 | 2736 | {70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe | 45
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe"
  PID: 2184
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe (depth 2)
    Command line: C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
    PID: 2472
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe (depth 3)
      Command line: C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
      PID: 2504
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe (depth 4)
        Command line: C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
        PID: 2304
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe (depth 5)
          Command line: C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
          PID: 856
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe (depth 6)
            Command line: C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
            PID: 2716
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe (depth 7)
              Command line: C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
              PID: 1960
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe (depth 8)
                Command line: C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
                PID: 2736
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe (depth 9)
                  Command line: C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
                  PID: 1244
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe (depth 10)
                    Command line: C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
                    PID: 2200
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe (depth 11)
                      Command line: C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe
                      PID: 768
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe (depth 12)
                        Command line: C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe
                        PID: 1820
                        - Executes dropped EXE
                      C:\Windows\SysWOW64\cmd.exe (depth 12)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF190~1.EXE > nul
                        PID: 1788
                    C:\Windows\SysWOW64\cmd.exe (depth 11)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ED7A8~1.EXE > nul
                      PID: 584
                  C:\Windows\SysWOW64\cmd.exe (depth 10)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFA2~1.EXE > nul
                    PID: 1596
                C:\Windows\SysWOW64\cmd.exe (depth 9)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{70A88~1.EXE > nul
                  PID: 2984
              C:\Windows\SysWOW64\cmd.exe (depth 8)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{19DD2~1.EXE > nul
                PID: 1348
            C:\Windows\SysWOW64\cmd.exe (depth 7)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CA3~1.EXE > nul
              PID: 2156
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AA264~1.EXE > nul
            PID: 1612
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F86A2~1.EXE > nul
          PID: 1364
      C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A62D~1.EXE > nul
        PID: 2424
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C47EC~1.EXE > nul
      PID: 2540
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2484
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 408KB
  MD5: 3451e0b5de5c3baf515230fbf11fd00f
  SHA1: 4460a7c30ee2352919c430116bb18ca3eba6d695
  SHA256: 65f2cf98a33907eb5ce6c6e052d77ed4f46a83a55668d188befd1f97a242f4f0
  SHA512: 1a94a51d26b162d0f10f5c88cb18aa11529dc4101cfc4f6fad7e7024723e93a8538930c3466366124f93aaf171c0f8bc5c4c66c83dbfd9e516106c86b129011e
- Filesize: 408KB
  MD5: 8ff2c0d7fc3ae17b5fe79f5d3c31eb8f
  SHA1: 4ebb1c4644af383adf3646346793f86326827f9c
  SHA256: 6bbad76f001e78598df2614f1fae6f4b42dd4dfc128e006ea16cbe5f62921a6a
  SHA512: f572656cbc1234c05d874b67b1a08be2246296ced47d4bff92898b45f55171f952dcc6a91be51e613ee9b2d277946b80f093e1c7b8d0648c520eb85816d80e9f
- Filesize: 408KB
  MD5: 245d7a7945bdffe2f96af6df0ada608e
  SHA1: 32d81b2b1e5228d791b339273c58dcdfd312534f
  SHA256: 89d33a4934cbcc96ef226026ae3c88dc800dc18b4cc1daf8e3a4e5c8d05dc805
  SHA512: c86e111ce8190f1e53c08ccee2a873ec075c7988d0010bea89fff73b1dacf33fd0cbbfe1f8e93888e5f9082a003ec33305df36b1d9e00a4e09b2fe38bf557360
- Filesize: 408KB
  MD5: 69c0bf7ce322a2d2b69d633f78547de3
  SHA1: 66fae684f3d14809f57c6d06f6db77f7625a25bb
  SHA256: c928c05a8c4c63c0e1d18b031f0d300554522961c22b83736ff494f7aa0dd0fd
  SHA512: 912a59e724812f9caaeae09a8d3cff4bfb95620cd3bd1f1f9c81a1920b2c208ff581c25fad8f431d6cfcbf3c5e20191275d9528d32b64df1e83beb0e9c124619
- Filesize: 408KB
  MD5: 8975e9efb42bda81eacc0af78f5ecdfc
  SHA1: 9547e1e7e066da7d67487f030da15c244a456809
  SHA256: 788049fdb35cbfb551b9c1d5bfeb1d705eb0dc3a99cf68aab4de23f0754232f3
  SHA512: e78ab84d2cc19f2948978aede538c6b17d5527016f853b0f7b789141844dce553caf5b5259727250332de619c6d7f7b4593cd6ee8fafe5fbd28c90494f46ee98
- Filesize: 408KB
  MD5: bb9d161addc2880f1f3d3ced29302c06
  SHA1: 216e14733f5d6b6c46367892bc8d52b3425a18e4
  SHA256: 422610a7cb2061be5a9dd773b4328b776df56a90df259c1894c0283ae2aa76b1
  SHA512: eb287390b88e34bcf9f1f8caf0ddf0639a10aa4b29e70cb41d9ce17697d6e7389d391ead43188e52930b74f54760180fa13b103bdd723fda20f4e4941e4cd1e7
- Filesize: 408KB
  MD5: 23c324a3d34781e65050fec65f33eca3
  SHA1: 554cdce3e33ea0be85ca6383e79854210242ac4e
  SHA256: 157d3acf68408913573219267de7f3a11bec3add4b23cf30d9576a54927679a3
  SHA512: 6bf58061bc2604953d064c57a3d65849fa79764ba9e1248d0cb533eb64e289b93dc8f34ebb0a302a18971fbb02ba83aab89058a0b4c294a254444dcd6a6169db
- Filesize: 408KB
  MD5: 335a973ed426c1f5c378978c58e2ec8b
  SHA1: 4e55311cf565cf1b2abd322046c3633503b9100c
  SHA256: d38b6dca50162694a78419ec02b36f35f8a4ac9926b104ddcedf4f1ee3fac546
  SHA512: cd466c4cac401744c2508d84ef15e263ef9b2c99ea6ea2095fd8902da93e74301eae9c78ee46c1e7850be0166ac58952b55c5b14b5ab99daa85a386572e5dc5d
- Filesize: 408KB
  MD5: c398ef7a8414dbc871efdab5d15caca8
  SHA1: 86d204cb308b664f343e94242ab06f789078e8b8
  SHA256: ace4336cffe1078b228692e8dce984169e2d74c5865bcb58e730bd240e29d705
  SHA512: a5a26d78a16bcb98e558e27252a38dab013adcc6c13bf076490ff6afdc427ac081cad7b7085f13b89e577fa409b2766dfac53e1751d4c02dc6582b5254af5ffa
- Filesize: 408KB
  MD5: c1d3ac9f15d8c9abe3cbb0fdcf45354c
  SHA1: cb73553f4c254b0869ad83b13748c0e61f137ef9
  SHA256: 7ffdf43ce7dd9ac12b44fa6b768b41ef3b9316a5abd489c5ed20b874dcd9d0e4
  SHA512: 7f69afa1db022e151aa3959e756b5eb26ee858aee4738b1c4012bb8eefc8a0e1a6f0f0917624b1414ccfaf04d6399dd2ce0b7bf810fadbcad7121d5ad914cd73
- Filesize: 408KB
  MD5: 0ef00a71e38175c6a067fc84c4bc68ee
  SHA1: 59ac470371a270635a9a0aa3691c2feacabb5856
  SHA256: b1cef1b72cdc5b20520fd82b546eded8711291b6fe37e9f24e68344f7fb5ed6b
  SHA512: 2e96e2dcd8b0ca9bd564688845adabb0bf64b307033c52bc288d6b1b6881a76a84292471f9dccd81d84457fb65a72ebc1702d5cceb4cf14e8123b33133960544