Analysis
- max time kernel: 144s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 02:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Size: 344KB
- MD5: 0274ff2311ae5e9f0eae93830e95841a
- SHA1: 634acfa3b32020c9204fc0d8f9e292d0b9457151
- SHA256: ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def
- SHA512: 461bb60697f398ccbfc28003be77ea1332ba9ef1e60418a517016d51280ddf1ea399989dcff73c869dc8bafff4cfd60cab34f79cbbee9879f41fb2e3e5122299
- SSDEEP: 3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGmlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
- Auto-generated rule (11 IoCs)
  resource | yara_rule
  behavioral1/files/0x000d000000012324-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0021000000013522-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x000e000000012324-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x001f00000001386d-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x000f000000012324-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0010000000012324-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0011000000012324-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
  behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8519853-3D29-4512-BDA8-434C5C695304} | {545388F7-5839-422f-871F-519685AB2725}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561880D2-6A4F-4635-84CE-92609B6E78AB}\stubpath = "C:\\Windows\\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe" | {F8519853-3D29-4512-BDA8-434C5C695304}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B54440-EFDD-41a8-B51C-B2A2F84400A6} | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E1B225-C919-45ca-BDEE-C1E6989C54CC} | {F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}\stubpath = "C:\\Windows\\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe" | {F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926DAE6-41EB-4e57-B8CC-93CA9278979D} | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{561880D2-6A4F-4635-84CE-92609B6E78AB} | {F8519853-3D29-4512-BDA8-434C5C695304}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2ABF10-80D6-4a62-BFAB-95150665A248}\stubpath = "C:\\Windows\\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe" | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8} | {C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}\stubpath = "C:\\Windows\\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe" | {C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545388F7-5839-422f-871F-519685AB2725}\stubpath = "C:\\Windows\\{545388F7-5839-422f-871F-519685AB2725}.exe" | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8519853-3D29-4512-BDA8-434C5C695304}\stubpath = "C:\\Windows\\{F8519853-3D29-4512-BDA8-434C5C695304}.exe" | {545388F7-5839-422f-871F-519685AB2725}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}\stubpath = "C:\\Windows\\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe" | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D2ABF10-80D6-4a62-BFAB-95150665A248} | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF7F36-7711-4d03-A083-EA12CF9AF238} | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}\stubpath = "C:\\Windows\\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe" | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}\stubpath = "C:\\Windows\\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe" | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{545388F7-5839-422f-871F-519685AB2725} | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17} | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}\stubpath = "C:\\Windows\\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe" | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078} | {18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}\stubpath = "C:\\Windows\\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe" | {18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
- Deletes itself (1 IoCs)
  pid | Process
  2096 | cmd.exe
- Executes dropped EXE (11 IoCs)
  pid | Process
  1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
  2736 | {545388F7-5839-422f-871F-519685AB2725}.exe
  2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe
  2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
  336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
  2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
  1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
  2192 | {C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
  2384 | {F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
  2920 | {18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
  1256 | {7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
- Drops file in Windows directory (11 IoCs)
  description | ioc | Process
  File created | C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe | {545388F7-5839-422f-871F-519685AB2725}.exe
  File created | C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | {F8519853-3D29-4512-BDA8-434C5C695304}.exe
  File created | C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
  File created | C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe | {F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
  File created | C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe | {18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
  File created | C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  File created | C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
  File created | C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
  File created | C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe | {C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
  File created | C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
  File created | C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Token: SeIncBasePriorityPrivilege | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
  Token: SeIncBasePriorityPrivilege | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe
  Token: SeIncBasePriorityPrivilege | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe
  Token: SeIncBasePriorityPrivilege | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
  Token: SeIncBasePriorityPrivilege | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
  Token: SeIncBasePriorityPrivilege | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
  Token: SeIncBasePriorityPrivilege | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
  Token: SeIncBasePriorityPrivilege | 2192 | {C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
  Token: SeIncBasePriorityPrivilege | 2384 | {F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
  Token: SeIncBasePriorityPrivilege | 2920 | {18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2804 wrote to memory of 1808 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 28
  PID 2804 wrote to memory of 1808 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 28
  PID 2804 wrote to memory of 1808 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 28
  PID 2804 wrote to memory of 1808 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 28
  PID 2804 wrote to memory of 2096 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 29
  PID 2804 wrote to memory of 2096 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 29
  PID 2804 wrote to memory of 2096 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 29
  PID 2804 wrote to memory of 2096 | 2804 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 29
  PID 1808 wrote to memory of 2736 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 30
  PID 1808 wrote to memory of 2736 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 30
  PID 1808 wrote to memory of 2736 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 30
  PID 1808 wrote to memory of 2736 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 30
  PID 1808 wrote to memory of 2764 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 31
  PID 1808 wrote to memory of 2764 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 31
  PID 1808 wrote to memory of 2764 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 31
  PID 1808 wrote to memory of 2764 | 1808 | {C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe | 31
  PID 2736 wrote to memory of 2528 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 32
  PID 2736 wrote to memory of 2528 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 32
  PID 2736 wrote to memory of 2528 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 32
  PID 2736 wrote to memory of 2528 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 32
  PID 2736 wrote to memory of 2680 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 33
  PID 2736 wrote to memory of 2680 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 33
  PID 2736 wrote to memory of 2680 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 33
  PID 2736 wrote to memory of 2680 | 2736 | {545388F7-5839-422f-871F-519685AB2725}.exe | 33
  PID 2528 wrote to memory of 2640 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 36
  PID 2528 wrote to memory of 2640 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 36
  PID 2528 wrote to memory of 2640 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 36
  PID 2528 wrote to memory of 2640 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 36
  PID 2528 wrote to memory of 2796 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 37
  PID 2528 wrote to memory of 2796 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 37
  PID 2528 wrote to memory of 2796 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 37
  PID 2528 wrote to memory of 2796 | 2528 | {F8519853-3D29-4512-BDA8-434C5C695304}.exe | 37
  PID 2640 wrote to memory of 336 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 38
  PID 2640 wrote to memory of 336 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 38
  PID 2640 wrote to memory of 336 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 38
  PID 2640 wrote to memory of 336 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 38
  PID 2640 wrote to memory of 2776 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 39
  PID 2640 wrote to memory of 2776 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 39
  PID 2640 wrote to memory of 2776 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 39
  PID 2640 wrote to memory of 2776 | 2640 | {561880D2-6A4F-4635-84CE-92609B6E78AB}.exe | 39
  PID 336 wrote to memory of 2208 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 40
  PID 336 wrote to memory of 2208 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 40
  PID 336 wrote to memory of 2208 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 40
  PID 336 wrote to memory of 2208 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 40
  PID 336 wrote to memory of 2200 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 41
  PID 336 wrote to memory of 2200 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 41
  PID 336 wrote to memory of 2200 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 41
  PID 336 wrote to memory of 2200 | 336 | {05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe | 41
  PID 2208 wrote to memory of 1448 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 42
  PID 2208 wrote to memory of 1448 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 42
  PID 2208 wrote to memory of 1448 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 42
  PID 2208 wrote to memory of 1448 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 42
  PID 2208 wrote to memory of 808 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 43
  PID 2208 wrote to memory of 808 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 43
  PID 2208 wrote to memory of 808 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 43
  PID 2208 wrote to memory of 808 | 2208 | {5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe | 43
  PID 1448 wrote to memory of 2192 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 44
  PID 1448 wrote to memory of 2192 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 44
  PID 1448 wrote to memory of 2192 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 44
  PID 1448 wrote to memory of 2192 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 44
  PID 1448 wrote to memory of 1056 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 45
  PID 1448 wrote to memory of 1056 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 45
  PID 1448 wrote to memory of 1056 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 45
  PID 1448 wrote to memory of 1056 | 1448 | {2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe | 45
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
  PID: 2804
  Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
    Command line: C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
    PID: 1808
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
      Command line: C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
      PID: 2736
      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [level 4] C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
        Command line: C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
        PID: 2528
        Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [level 5] C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
          Command line: C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
          PID: 2640
          Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [level 6] C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
            Command line: C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
            PID: 336
            Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [level 7] C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
              Command line: C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
              PID: 2208
              Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - [level 8] C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
                Command line: C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
                PID: 1448
                Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - [level 9] C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
                  Command line: C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
                  PID: 2192
                  Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                  - [level 10] C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
                    Command line: C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
                    PID: 2384
                    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                    - [level 11] C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
                      Command line: C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
                      PID: 2920
                      Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                      - [level 12] C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
                        Command line: C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
                        PID: 1256
                        Signatures: Executes dropped EXE
                      - [level 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1B~1.EXE > nul
                        PID: 600
                    - [level 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F01~1.EXE > nul
                      PID: 2228
                  - [level 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CCD~1.EXE > nul
                    PID: 2952
                - [level 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAF7~1.EXE > nul
                  PID: 1056
              - [level 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2AB~1.EXE > nul
                PID: 808
            - [level 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{05B54~1.EXE > nul
              PID: 2200
          - [level 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{56188~1.EXE > nul
            PID: 2776
        - [level 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8519~1.EXE > nul
          PID: 2796
      - [level 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{54538~1.EXE > nul
        PID: 2680
    - [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C926D~1.EXE > nul
      PID: 2764
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2096
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344KB
  MD5: 71b6f0fa3f4fb9f7564bfed9ff806519
  SHA1: ecfe1609f48be007c8ec8f719c0c398f6dadbb9d
  SHA256: 0acdd013a5949a6d3774703f22ee05c9aef478240a2ed521756be2efd8a48eef
  SHA512: b22a5028fe73d4652345ce7d01fe733b610ff8fc1ec6af6696a4afe0da4644f30de955c506938a50563385ad77461a4a5eb1436b2fcb68579d73e94c3132f82e
- Filesize: 344KB
  MD5: e5e8106a44cf4650c40008bd90b8f38d
  SHA1: 6ab7a3a06ddc7ff94003053c061382aec1d85a70
  SHA256: 5f6019b78d9c4eff83b6bc799749a7594974ea449e2e5d580844be0e0ff6715d
  SHA512: 3256b170c4c692ebb60baff5176cdd116da302746ece5f6cd40939e9bec735f7917980154ecfcd3ef41d585eaf96b97c4c63679a865cbf16b7afd376c98bc9b7
- Filesize: 344KB
  MD5: f939e63c4cf1c1dd35bb0ec54fe76e90
  SHA1: 5435385eb818c06459fc249ea7ca8d0a72518637
  SHA256: 9c19b5bbc201ee5015b6f51e3d457e317c4521ca082c7084bd4edaa62d65736f
  SHA512: 3e895af2387efc9aa5a7e6eb4b2d90f5c301d93ebc3c95ecc10b5a2c4e62ff88a6d6725fc45921db6d4265b5326414a26b695d67e122ea0a6ec9cfa718ea2181
- Filesize: 344KB
  MD5: 28f0f4207f2202acc027d77a0cc73075
  SHA1: a0a08dc819507d3a375e07103ca78d9cb00534b2
  SHA256: 6bf6c9f92296190651f32cba015a32bbd872a14157c7380f6d01b941f98aa0e6
  SHA512: 5087d0d26942b800c1b874ad2c9b9fcf32d556033262752de0a98cdcceef78a56209625dfce5c5f1b4a68cbd3316b2a6ad37d57ffcfad4e8c367515488aaee2f
- Filesize: 344KB
  MD5: c65e8b9e5edc5870f00f3319256eecc6
  SHA1: 1da239d2b302015bc200c34d56acaa709b4c0aed
  SHA256: 055b43ef786959ea6286bdcea12f09c91736d31caca75cd940877d0513f130e5
  SHA512: c62316cf16f0d3143cf06422d0de845130874d2f30608c925781f0b53e322b5c8b7f3f3fe34f5d2c6407efe1bddb6b0a9caf182345b287c29f99a85838bef9bb
- Filesize: 344KB
  MD5: 3dee73dba0f88b29b39ef58f8eb0dc97
  SHA1: fbd1d468587c7b0ed309d64431851a5d24064064
  SHA256: c54bc53d389ff3209acabae369752e6c472a8ae4359ba72cecdcfa244151d3d4
  SHA512: f345f90fcbb9230d1f86957de34a0372c3f42ab71f939e2d71315f80a3c3d1eaf80cbbf2a7827741c62a471bbfb84e9245fc521a1e33d722053e4d2239e3ef09
- Filesize: 344KB
  MD5: e412c4c763fbb5b392981a0eb49caebe
  SHA1: 79630549bcbef1f109f1fbbb8880d6ac895350e1
  SHA256: 3b21fc6d70580fd0e539d6bbc481966032b7a598731a36a3ef7debbbfd2806c9
  SHA512: 7e4739f3cdfe94f6d83d66f69f699d4ea739d9007a7c589070d80bed4950063210dc26ea681dbd08e83536b7b22fb375673099253a1ad49f015862761c527129
- Filesize: 344KB
  MD5: 242224bb020c83093609444c21499ffd
  SHA1: 2903bcda21d3b1bf0c229db02237b120acecfa2b
  SHA256: 493f1f0fafda31ab80629013e0ea926e26c029641dfc7c56781e3159d647f1f7
  SHA512: 0599d2670d9e1cd2354b554c392f459b8bb10939685a3d50362f6de694deb631470edbc11c08631b66f0fc4329dc6ce29244da7396838b98a19c88348c0132cc
- Filesize: 344KB
  MD5: dd6207f4e74aa65aaadfc1928cccbc25
  SHA1: a5e988c838790eec389e681f4a9a32a0894c0f34
  SHA256: 3d1d907f81bdb69e4a2b9e30afe9955c8d19c679bd891fe4a704135b787feb5c
  SHA512: d0fa19158f9808389813324f8d6c23875d9bc6a5f27897cabcd35b7c9fa1356ed845ef1891f94ed0c5b689f9371f9164ff0d74530aeeffb4a53836cfd6ef463b
- Filesize: 344KB
  MD5: 50b1445e4eabdc993c368754ef6aedfe
  SHA1: 3613e89413e2dc2cf6f55db0abc4110edead3ce4
  SHA256: 1af6f15c78539e8616aa42caf03393a77c683491b643887e755dc5263f2276a1
  SHA512: bf607e7d012a1ca3ee83e10a22a851cfc38142ee7e9f72cdf0acf414f50177674b3e1db501ba3f5cbefac58d957fc4e25e9598b6895779da70732e45acc5facf
- Filesize: 344KB
  MD5: 9c0f1ddf503e82b2958e3a488eef45a5
  SHA1: 26f24cdf1121e4983a12b0e593d3bbb7d183c30e
  SHA256: 282e66cd1f52c08c57676ebc3cd95338ef3ee9fcaaf7133383470746f13c3c37
  SHA512: 084bdd1f4c8a533a9f3196edc282902f8942f0deebf5ce5dca11f9b56e6c5a0c39834af8dff63fcc6c6f276730c89b2e6f872c7d4f1aab9a78b1a7aff54d79df