Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
  Resource: win10v2004-20240508-en
The signatures and process tree below come from behavioral1 (win7-20240508-en); the YARA hits reference behavioral1 resources only.
General
Target: 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Size: 380KB
MD5: 886c0ff26e3a5079f29bc8a6e2c25646
SHA1: 61538066cc38d86ffd79c935f8054fc33923ef3e
SHA256: 32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd
SHA512: a5db5a8ea4985a1ead82537b16c1daaac00c315b1e7ed9a84743edec07c33a2515d794e9ba67b5f888c0db1c131dd02cf93d00c462c208a444ce7d050ac72061
SSDEEP: 3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000012122-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015d28-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012122-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000015d49-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012122-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012122-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012122-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
Every stage creates an Active Setup Installed Components key for the executable it has just dropped and points that key's stubpath at C:\Windows\{GUID}.exe, where the file name repeats the component GUID. The writes land under Wow6432Node, the 32-bit registry view, which matches the SysWOW64 cmd.exe seen in the process tree.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D}\stubpath = "C:\\Windows\\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe" | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E}\stubpath = "C:\\Windows\\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe" | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31} | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D} | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702}\stubpath = "C:\\Windows\\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe" | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C} | {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C}\stubpath = "C:\\Windows\\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe" | {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}\stubpath = "C:\\Windows\\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe" | {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773}\stubpath = "C:\\Windows\\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe" | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9} | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}\stubpath = "C:\\Windows\\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe" | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F} | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E} | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9} | {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA} | {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773} | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}\stubpath = "C:\\Windows\\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe" | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702} | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31}\stubpath = "C:\\Windows\\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe" | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA} | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}\stubpath = "C:\\Windows\\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe" | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9}\stubpath = "C:\\Windows\\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe" | {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
Deletes itself (1 IoC)
PID 2712: cmd.exe
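The Active Setup entries listed under "Modifies Installed Components in the registry" above are the persistence in this run. As an added example, not part of this report or of the sandbox's own tooling, the following Python parses IoC lines in that table's format and flags the StubPath writes that match what the sample does: a bare GUID-named executable directly under C:\Windows whose file name repeats the component GUID, written by a process that is itself such a stage. It then follows the writer-to-component links to recover the order in which the stages registered each other. Thirteen input lines are copied from this report; the last input line, with its GUID and paths, is constructed as a benign control that the check must not flag.

```python
import re

# Added example, not part of the sandbox report: parse "Modifies Installed Components"
# IoC lines in the report's own format and flag Active Setup StubPath persistence.

GUID = r'[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'

# One report line: <op> <key>[\<value> = "<data>"] <process>. The Wow6432Node (32-bit
# registry view) element is optional so that native 64-bit writers parse as well.
IOC_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\\{(?P<guid>' + GUID + r')\}'
    r'(?:\\(?P<value>\w+) = "(?P<data>[^"]*)")? '
    r'(?P<process>\S+)$')

# A bare GUID-named executable: a full path directly under C:\Windows, or just the file name.
GUID_EXE_RE = re.compile(r'^(?:C:\\Windows\\)?\{(' + GUID + r')\}\.exe$', re.I)

ROOT = '2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe'

# Sample input: 13 lines copied from this report, then one constructed benign entry
# (fictitious GUID and paths) that the check must leave alone.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D}\stubpath = "C:\\Windows\\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe" 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26D32D72-2446-4a46-ACA3-87177BA46D3E}\stubpath = "C:\\Windows\\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe" {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C01CA9A-5779-4f68-B407-D655FBBED702}\stubpath = "C:\\Windows\\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe" {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFFFC588-1004-4cd1-9806-A9220FAF676C}\stubpath = "C:\\Windows\\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe" {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}\stubpath = "C:\\Windows\\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe" {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B303CD1E-15F7-4764-8654-6F9FADFD4773}\stubpath = "C:\\Windows\\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe" {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}\stubpath = "C:\\Windows\\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe" {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}\stubpath = "C:\\Windows\\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe" {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31}\stubpath = "C:\\Windows\\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe" {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}\stubpath = "C:\\Windows\\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe" {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B88D074E-D186-48a2-B0E1-77DC68488FB9}\stubpath = "C:\\Windows\\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe" {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10794911-E79A-42ef-8CE2-19B63A14FC1D} 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8441CCA4-F1E4-4444-B360-F5CA94860F31} {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe',
    # constructed benign control (not from the report)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = "C:\\Windows\\System32\\regsvr32.exe /s C:\\Example\\example.dll" setup.exe',
]


def parse_ioc(line):
    """Return a dict for a recognised Installed Components line, else None."""
    m = IOC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['wow'] = rec['wow'] is not None
    if rec['data'] is not None:
        rec['data'] = rec['data'].replace('\\\\', '\\')   # the report escapes backslashes
    return rec


def guid_exe(name_or_path):
    """Lower-cased GUID when the file is a bare GUID-named exe under C:/Windows, else None."""
    m = GUID_EXE_RE.match(name_or_path)
    return m.group(1).lower() if m else None


def stubpath_reasons(rec):
    """Reasons a StubPath write resembles this sample's persistence; empty if it does not."""
    reasons = []
    if (rec['value'] or '').lower() != 'stubpath':
        return reasons                      # key creation or another value: nothing to judge
    exe_guid = guid_exe(rec['data'])
    if exe_guid:
        reasons.append('StubPath is a bare GUID-named exe directly under C:\\Windows')
        if exe_guid == rec['guid'].lower():
            reasons.append('file name GUID equals the component GUID')
    if guid_exe(rec['process']):
        reasons.append('written by a GUID-named exe, i.e. by an earlier stage')
    return reasons


def scan(lines):
    """Parse all lines; return (records, findings), findings being flagged StubPath writes."""
    records = [r for r in map(parse_ioc, lines) if r]
    findings = []
    for r in records:
        reasons = stubpath_reasons(r)
        if reasons:
            findings.append(dict(guid=r['guid'], process=r['process'], stubpath=r['data'],
                                 wow64=r['wow'], reasons=reasons))
    return records, findings


def stubpath_chain(records, root_process):
    """Follow 'process X registered component G'; G's exe registers the next, and so on."""
    registered = {r['process'].lower(): r['guid'].lower()
                  for r in records if (r['value'] or '').lower() == 'stubpath'}
    chain, cur = [], root_process.lower()
    while cur in registered and registered[cur] not in chain:
        chain.append(registered[cur])
        cur = '{%s}.exe' % registered[cur]
    return chain


RECORDS, FINDINGS = scan(SAMPLE_IOCS)

if __name__ == '__main__':
    for f in FINDINGS:
        print('{%s}' % f['guid'], '<-', f['process'], '|', '; '.join(f['reasons']))
    print('registration order:', ' -> '.join(stubpath_chain(RECORDS, ROOT)))
```

Active Setup executes a component's StubPath for every user whose HKCU copy of the Installed Components\{GUID} key is missing or carries an older Version than the HKLM one, so an entry like these fires at the next interactive logon of any user. The check above keys on the GUID-named-exe pattern of this sample; on a live host, list every StubPath under both the native and the Wow6432Node view and review anything that points outside the usual product directories.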
Executes dropped EXE (11 IoCs)
pid | Process
2264 | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
2708 | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
2752 | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
3008 | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
1516 | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
1916 | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
328 | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
1572 | {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
2376 | {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
2860 | {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
1260 | {66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
File created | C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
File created | C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
File created | C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
File created | C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
File created | C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
File created | C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
File created | C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe | {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
File created | C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe | {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
File created | C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe | {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
File created | C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 848 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2264 | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
Token: SeIncBasePriorityPrivilege | 2708 | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
Token: SeIncBasePriorityPrivilege | 2752 | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
Token: SeIncBasePriorityPrivilege | 3008 | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
Token: SeIncBasePriorityPrivilege | 1516 | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
Token: SeIncBasePriorityPrivilege | 1916 | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
Token: SeIncBasePriorityPrivilege | 328 | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
Token: SeIncBasePriorityPrivilege | 1572 | {0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
Token: SeIncBasePriorityPrivilege | 2376 | {DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
Token: SeIncBasePriorityPrivilege | 2860 | {B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report records each parent/child pair four times. It lists 64 entries and stops after the children of PID 328, although the process tree shows the chain continuing beyond that point.
source pid | source Process | target pid | procid_target | entries
848 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | 2264 | 28 | 4
848 | 2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe | 2712 | 29 | 4
2264 | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | 2708 | 30 | 4
2264 | {10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe | 2692 | 31 | 4
2708 | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | 2752 | 32 | 4
2708 | {B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe | 2820 | 33 | 4
2752 | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | 3008 | 36 | 4
2752 | {028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe | 2316 | 37 | 4
3008 | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | 1516 | 38 | 4
3008 | {801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe | 1448 | 39 | 4
1516 | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | 1916 | 40 | 4
1516 | {1C01CA9A-5779-4f68-B407-D655FBBED702}.exe | 1672 | 41 | 4
1916 | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | 328 | 42 | 4
1916 | {26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe | 1420 | 43 | 4
328 | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | 1572 | 44 | 4
328 | {8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe | 2404 | 45 | 4
Processes

The number in front of each node is its depth in the tree. Every stage runs the GUID-named executable it dropped into C:\Windows and spawns a cmd.exe that deletes the stage's own image by its 8.3 short name; the last stage, {66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe, shows neither a drop nor a cleanup in this run.

1  C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe  (PID 848)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
   - Modifies Installed Components in the registry
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe  (PID 2264)
      command line: C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe  (PID 2708)
         command line: C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe  (PID 2752)
            command line: C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe  (PID 3008)
               command line: C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe  (PID 1516)
                  command line: C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  7  C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe  (PID 1916)
                     command line: C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
                     - Modifies Installed Components in the registry
                     - Executes dropped EXE
                     - Drops file in Windows directory
                     - Suspicious use of AdjustPrivilegeToken
                     - Suspicious use of WriteProcessMemory
                     8  C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe  (PID 328)
                        command line: C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        9  C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe  (PID 1572)
                           command line: C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                           10  C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe  (PID 2376)
                               command line: C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
                               - Modifies Installed Components in the registry
                               - Executes dropped EXE
                               - Drops file in Windows directory
                               - Suspicious use of AdjustPrivilegeToken
                               11  C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe  (PID 2860)
                                   command line: C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
                                   - Modifies Installed Components in the registry
                                   - Executes dropped EXE
                                   - Drops file in Windows directory
                                   - Suspicious use of AdjustPrivilegeToken
                                   12  C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe  (PID 1260)
                                       command line: C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
                                       - Executes dropped EXE
                                   12  C:\Windows\SysWOW64\cmd.exe  (PID 664)
                                       command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B88D0~1.EXE > nul
                               11  C:\Windows\SysWOW64\cmd.exe  (PID 2304)
                                   command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFFC~1.EXE > nul
                           10  C:\Windows\SysWOW64\cmd.exe  (PID 2124)
                               command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE8B~1.EXE > nul
                        9  C:\Windows\SysWOW64\cmd.exe  (PID 2404)
                           command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8441C~1.EXE > nul
                     8  C:\Windows\SysWOW64\cmd.exe  (PID 1420)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{26D32~1.EXE > nul
                  7  C:\Windows\SysWOW64\cmd.exe  (PID 1672)
                     command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1C01C~1.EXE > nul
               6  C:\Windows\SysWOW64\cmd.exe  (PID 1448)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{80140~1.EXE > nul
            5  C:\Windows\SysWOW64\cmd.exe  (PID 2316)
               command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{028D7~1.EXE > nul
         4  C:\Windows\SysWOW64\cmd.exe  (PID 2820)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B303C~1.EXE > nul
      3  C:\Windows\SysWOW64\cmd.exe  (PID 2692)
         command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{10794~1.EXE > nul
   2  C:\Windows\SysWOW64\cmd.exe  (PID 2712)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      - Deletes itself
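The tree shows the same three steps at every stage: drop the next GUID-named executable, run it, and spawn cmd.exe to delete the stage's own image by its 8.3 short name. As an added example, not part of the report, the following Python rebuilds that reading from process-creation records constructed from the tree above (fields mimic a Sysmon process-create event; the root's parent PID 0 is a placeholder the report does not give), matches each cmd.exe "del" target against its parent's image through an approximation of the Windows 8.3 alias, walks the chain of stages, and reports which stages never spawned their cleanup. The `short_name` heuristic is mine and assumes the first `~1` alias slot was free.

```python
import re
from collections import namedtuple

# Added example, not from the report: process-creation records constructed from the
# process tree above (root ppid 0 is a placeholder) and two checks run over them.
Proc = namedtuple('Proc', 'pid ppid image cmdline')

WIN = 'C:\\Windows\\'
TMP = 'C:\\Users\\Admin\\AppData\\Local\\Temp\\'
CMD = 'C:\\Windows\\SysWOW64\\cmd.exe'
DEL = 'C:\\Windows\\system32\\cmd.exe /c del '


def exe(pid, ppid, path):        # a stage binary: its command line is just its path
    return Proc(pid, ppid, path, path)


def rm(pid, ppid, target):       # the cmd.exe a stage spawns to delete a file
    return Proc(pid, ppid, CMD, DEL + target + ' > nul')


EVENTS = [
    exe(848, 0, TMP + '2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe'),
    exe(2264, 848, WIN + '{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe'),
    rm(2712, 848, TMP + '2024-0~1.EXE'),
    exe(2708, 2264, WIN + '{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe'),
    rm(2692, 2264, WIN + '{10794~1.EXE'),
    exe(2752, 2708, WIN + '{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe'),
    rm(2820, 2708, WIN + '{B303C~1.EXE'),
    exe(3008, 2752, WIN + '{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe'),
    rm(2316, 2752, WIN + '{028D7~1.EXE'),
    exe(1516, 3008, WIN + '{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe'),
    rm(1448, 3008, WIN + '{80140~1.EXE'),
    exe(1916, 1516, WIN + '{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe'),
    rm(1672, 1516, WIN + '{1C01C~1.EXE'),
    exe(328, 1916, WIN + '{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe'),
    rm(1420, 1916, WIN + '{26D32~1.EXE'),
    exe(1572, 328, WIN + '{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe'),
    rm(2404, 328, WIN + '{8441C~1.EXE'),
    exe(2376, 1572, WIN + '{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe'),
    rm(2124, 1572, WIN + '{0EE8B~1.EXE'),
    exe(2860, 2376, WIN + '{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe'),
    rm(2304, 2376, WIN + '{DFFFC~1.EXE'),
    exe(1260, 2860, WIN + '{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe'),
    rm(664, 2860, WIN + '{B88D0~1.EXE'),
]

DEL_RE = re.compile(r'/c del (\S+) > nul$', re.I)


def short_name(path):
    """Approximate the 8.3 alias of a long file name (heuristic, not the NTFS algorithm):
    first six stem characters after dropping characters 8.3 names cannot hold, then '~1',
    then the extension cut to three characters, all upper-cased. Collisions (~2, ~3) are ignored."""
    stem, dot, ext = path.rsplit('\\', 1)[-1].rpartition('.')
    if not dot:                                  # no extension at all
        stem, ext = ext, ''
    stem = re.sub(r'[ .+,;=\[\]]', '', stem)
    return (stem[:6] + '~1' + ('.' + ext[:3] if dot else '')).upper()


def self_deletions(events):
    """(cmd pid, parent pid, parent image) for each cmd.exe whose del target is its parent's image."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        m = DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if not m or parent is None or not p.image.lower().endswith('\\cmd.exe'):
            continue
        tdir, _, tname = m.group(1).rpartition('\\')
        pdir, _, pname = parent.image.rpartition('\\')
        same_dir = tdir.lower() == pdir.lower()
        alias = re.sub(r'~\d+', '~1', tname.upper()) == short_name(parent.image)
        if same_dir and (alias or tname.lower() == pname.lower()):
            hits.append((p.pid, parent.pid, parent.image))
    return hits


def stage_chain(events, root_pid):
    """Follow the single non-cmd child from parent to parent: the linear drop chain."""
    children = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)
    chain, cur = [], root_pid
    while True:
        nxt = [c for c in children.get(cur, []) if not c.image.lower().endswith('\\cmd.exe')]
        if len(nxt) != 1:
            break
        chain.append(nxt[0])
        cur = nxt[0].pid
    return chain


def uncleaned_stages(events, root_pid):
    """PIDs of the root and chained stages that never spawned a self-delete."""
    by_pid = {p.pid: p for p in events}
    cleaned = {parent_pid for _, parent_pid, _ in self_deletions(events)}
    stages = [by_pid[root_pid]] + stage_chain(events, root_pid)
    return [p.pid for p in stages if p.pid not in cleaned]


if __name__ == '__main__':
    for cmd_pid, parent_pid, image in self_deletions(EVENTS):
        print('cmd %d deletes parent %d (%s)' % (cmd_pid, parent_pid, image))
    print('chain:', ' -> '.join(str(p.pid) for p in stage_chain(EVENTS, 848)))
    print('no cleanup seen for:', uncleaned_stages(EVENTS, 848))
```

On a real host, read the alias with `dir /x` or GetShortPathName rather than guessing it, since the `~N` suffix depends on what else is in the directory. The alias comparison is what ties `{B88D0~1.EXE` to `{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe`; a detection that only compares the long name against the del target misses every cmd.exe in this tree.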
Network
MITRE ATT&CK Enterprise v15
Downloads
Eleven files, each 380KB like the submitted sample, each with a distinct hash; a blocklist built only on the submitted sample's hashes does not match any of them.

Filesize: 380KB
MD5: 32abf136737b41587b273bf80e2eef3b
SHA1: 95ba1edec3b4c574f10ff360d816ec5bb5e15c06
SHA256: 4fb461a9b65778ccf66886b0d27676db8d917aea3a9c82d22fe620389571961f
SHA512: 11c8388a6406885ef401300ab43f795fcbdc114de916dd2faf409dccc0fab0f2096c94986667c53c4a07f0ffd6de5a72f5661d6a2fd6dd1cf428a212e7f3e447

Filesize: 380KB
MD5: 47ea89c92d8b695ed2bdbfb2188f2c5b
SHA1: 638dd1566751cdf32145535b63c351ac5f91aad2
SHA256: c403c4cc26b6efbf43e76f7b3249d24b3d9c32aadb3bf75fdbf840e85f3878e9
SHA512: 3166b53375485a8ef40316d63363b194b5d30abe15dd43283071fd8ee1b14f4dee20fc5cf1adfe3f38745047d22d97f3c8a4d7c454b3501649b3b89700ead7bb

Filesize: 380KB
MD5: 7c2c750a390c08138b28045ec14e5da9
SHA1: 628ac48125906a3cdb5f0d91c38330f24c66e58b
SHA256: 16a0cbbca6817b8f0523053b15f7bbbbf00deb764163eaa66c2cbc0ebb4d4633
SHA512: ce0937c20e4133c6ed6ace6553ba037f2de0ff009a9f7c8544c9dcc555a2739a1271540e12668039bd781ea8cfd69aefa3ede44f3f77ef73c7d2639447e3bc94

Filesize: 380KB
MD5: 15ac04327674cb3c511eb80b37a8205c
SHA1: 0691e341ceac2b9e6383c36e81d371541b447e05
SHA256: cc9d7087b8820552acd5a4fbc0113b21a17d25005908cc9fda698a6666b81eda
SHA512: 5860a33d58084d2cd0aeb5bc9b014cfcd1cd341e26366fd3f5376a9d11c8ad1591221b3e05c6f23971a590eaebfbe06d01e7359ad21d14b45d340a8483e4d5e4

Filesize: 380KB
MD5: eb0111f0f0e4cb4190064121613d0bd6
SHA1: c67693986926a7099e1cd5f93482401eac5b7a97
SHA256: ed1e4ccc7accb1ce67aa9ea75eee37c236eff009aecdf90171aeae3edc54fb11
SHA512: 226237c4d19ec6a3c179f4fa8216af5996c89076b6e5d527ce08ebf71dd38d81446e162988cc70809e36839b7e271f0faced508b2790eb72f209e9a31dace377

Filesize: 380KB
MD5: 7ed226c3e2880cc71aaecdca5a4a5550
SHA1: fe4345f38f059309fce810f17b3661040c5ec749
SHA256: 02bddfa355e3e2ca035c0e59681adbbc5d5e319197d6844027bae7c62856df65
SHA512: 668e81c5ce237fea5d940de424ff41805957351e477f4ec8e7d98f28bee06d1d427c40bb66f1da55e6d756f5e25eee0d94a1e75fa1f9f5d21a017a754e7cf8a2

Filesize: 380KB
MD5: 8f17fea1e1765e222a3ec6e30f75aeb2
SHA1: 9ed24768f56862f69b05d038f03b2fa737c708e6
SHA256: 8a58d79e41ccb0eca29ccc3d594577f49d645826a9ba26ea99a49a98c0f7bd26
SHA512: e4b1ef49b3affbb378e21c04c66b1a058e6290afea83851440fd537384a00db970ae7f33aceb6d4dbd984461da6cbc818ecf25331831bed62fcf96766af3462f

Filesize: 380KB
MD5: 8ad4e2ec5080bcbdbd9b6bff36c266c1
SHA1: 8f60e343c73665c6051e8d5726df713d825af971
SHA256: 885388e2da1da36fa00dbc3ac1cee1adadf7870027dceb6755cc748cf5abb3cb
SHA512: 38752f6a03a59e3415ff0f5489931a1b4e6f3dc4229768190e4243e3cb932200e5eb6dd48d668314b1b1b5fbf4bd1254b65d4a211441cea373e3dbe3188df5e1

Filesize: 380KB
MD5: 1cbeafb668317a7722c6466f66085ec5
SHA1: c81500d7ce44b2c736a0006d51fd250dc5bfded8
SHA256: 0241153823616050013a1c4b7f5d9e45ea38ab7b2c223b9c80f1c72397621e4d
SHA512: b368b330c85104511a02710cf50f1a8c7c67f0e1ba45ee86d7c7d7fdd543c48e05394c18d154e63b6e4f80ce8080f7d8dc5e3b6424d417e43b216949aca201e9

Filesize: 380KB
MD5: 863a852135fe62a52596bf704159d36a
SHA1: 2cac4b461da9d4a8b4df30da52f20f7f2ad7fa91
SHA256: b52f3cda897fca2beead34e08e941f16c7b9f2c0b83ac05e63b6ef668e3c4dc3
SHA512: 4d85535617e262bdb79da9b6ad2c32bcf2b485d564a0dc7aeaeb91b0f6ae8b27da07fd779648353af06d3294a2e0751d6c0d161da23707bb541751d68a365105

Filesize: 380KB
MD5: e45e796a8ca92de1a58558505163dfeb
SHA1: 5dcd257259f1ebcc069481fd99b3e548c90497cd
SHA256: e5ac24180ef8fe260b8b06b5d00c61475e5c4939893ae42c2a048487b3f56edf
SHA512: 77e1eb484d58329d4184d6b2b25d3c53db0dd28bcead0856cd26e0c019dc14f768afbea17650e075ef9ab541c3b2b24313ba9b7b76dd31cf40bf4ffd3e0e5ec3