Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:43

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and dropped files below come from behavioral2 (win10v2004-20240508-en); the win7 run is not reproduced on this page.
General

Target: 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
Size: 344KB
MD5: 0274ff2311ae5e9f0eae93830e95841a
SHA1: 634acfa3b32020c9204fc0d8f9e292d0b9457151
SHA256: ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def
SHA512: 461bb60697f398ccbfc28003be77ea1332ba9ef1e60418a517016d51280ddf1ea399989dcff73c869dc8bafff4cfd60cab34f79cbbee9879f41fb2e3e5122299
SSDEEP: 3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGmlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures

Auto-generated rule (12 IoCs)
resource | yara_rule
- behavioral2/files/0x0002000000022a48-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a0000000232f4-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000900000002353a-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0007000000023541-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0007000000023547-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000023541-21.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000023547-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0009000000023541-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0009000000023547-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000600000000002f-37.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0003000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0004000000000713-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
Each stage creates the Active Setup "Installed Components" key for the stage it drops and sets that key's stubpath to the dropped file in C:\Windows. Active Setup runs a component's stubpath for each user whose HKCU copy of the key is missing, so every key below is a logon-time persistence point. All keys are written under WOW6432Node, the 32-bit view of the registry (the sample runs under SysWOW64).
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D642A007-FD9A-449c-B528-A53A097A7BCF}\stubpath = "C:\\Windows\\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe" | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1560311-87D3-4cf0-93D7-E8265B722BA7}\stubpath = "C:\\Windows\\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe" | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61838062-CC67-45fc-84D2-1481564F0F90} | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C0E007-6DFF-42ac-B040-B62DC26901B8}\stubpath = "C:\\Windows\\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe" | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39624838-6A19-430d-A8E8-0532DF60B7FE}\stubpath = "C:\\Windows\\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe" | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF} | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498E330C-5C31-4b57-970A-FB5D78B142E5} | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB006AE-933F-4359-8C3F-F4F29C04721E} | {61838062-CC67-45fc-84D2-1481564F0F90}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498E330C-5C31-4b57-970A-FB5D78B142E5}\stubpath = "C:\\Windows\\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe" | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA8725-2998-4907-B91A-9F6518F0CEA2} | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52677632-ED47-4064-A25E-FA54B0B2B3C8} | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52677632-ED47-4064-A25E-FA54B0B2B3C8}\stubpath = "C:\\Windows\\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe" | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD69A26-F94F-4630-A452-954FC69F7212} | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD69A26-F94F-4630-A452-954FC69F7212}\stubpath = "C:\\Windows\\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe" | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39624838-6A19-430d-A8E8-0532DF60B7FE} | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}\stubpath = "C:\\Windows\\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe" | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A} | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}\stubpath = "C:\\Windows\\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe" | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D642A007-FD9A-449c-B528-A53A097A7BCF} | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C0E007-6DFF-42ac-B040-B62DC26901B8} | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}\stubpath = "C:\\Windows\\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe" | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1560311-87D3-4cf0-93D7-E8265B722BA7} | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61838062-CC67-45fc-84D2-1481564F0F90}\stubpath = "C:\\Windows\\{61838062-CC67-45fc-84D2-1481564F0F90}.exe" | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB006AE-933F-4359-8C3F-F4F29C04721E}\stubpath = "C:\\Windows\\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe" | {61838062-CC67-45fc-84D2-1481564F0F90}.exe
Executes dropped EXE (12 IoCs)
pid | process
- 1800 | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
- 4728 | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
- 684 | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
- 2652 | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
- 2248 | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
- 2320 | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
- 4108 | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
- 1760 | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
- 4044 | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
- 4316 | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
- 1500 | {61838062-CC67-45fc-84D2-1481564F0F90}.exe
- 3720 | {6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | process
- File created | C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- File created | C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
- File created | C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
- File created | C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
- File created | C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
- File created | C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
- File created | C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
- File created | C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
- File created | C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
- File created | C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
- File created | C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
- File created | C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe | {61838062-CC67-45fc-84D2-1481564F0F90}.exe
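The two tables above describe the same twelve-stage chain from two angles: who dropped which file, and who registered which Active Setup component. The following Python script is an added example, not part of the Triage report; it parses the "File created" and "Set value (str) ... stubpath" records (transcribed here from the tables above, in the report's own "description ioc process" layout) and reconstructs the chain from the submitted sample, refusing any stage that drops more than one file or that loops back, then checks that every dropper registered exactly the path it dropped. The function names are mine; the only format assumption is the report's own line layout.

```python
import re

SAMPLE = "2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"

# IoC records transcribed from the "Drops file in Windows directory" and
# "Modifies Installed Components in the registry" tables of this report, one
# per line. The twelve "Key created" records are left out because the stubpath
# records carry the same GUIDs.
IOC_LINES = r"""
File created C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
File created C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
File created C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
File created C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
File created C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
File created C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
File created C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
File created C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
File created C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
File created C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
File created C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
File created C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe {61838062-CC67-45fc-84D2-1481564F0F90}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D642A007-FD9A-449c-B528-A53A097A7BCF}\stubpath = "C:\\Windows\\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe" {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1560311-87D3-4cf0-93D7-E8265B722BA7}\stubpath = "C:\\Windows\\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe" {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C0E007-6DFF-42ac-B040-B62DC26901B8}\stubpath = "C:\\Windows\\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe" {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39624838-6A19-430d-A8E8-0532DF60B7FE}\stubpath = "C:\\Windows\\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe" {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{498E330C-5C31-4b57-970A-FB5D78B142E5}\stubpath = "C:\\Windows\\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe" {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52677632-ED47-4064-A25E-FA54B0B2B3C8}\stubpath = "C:\\Windows\\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe" {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DD69A26-F94F-4630-A452-954FC69F7212}\stubpath = "C:\\Windows\\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe" {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}\stubpath = "C:\\Windows\\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe" {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}\stubpath = "C:\\Windows\\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe" 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}\stubpath = "C:\\Windows\\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe" {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61838062-CC67-45fc-84D2-1481564F0F90}\stubpath = "C:\\Windows\\{61838062-CC67-45fc-84D2-1481564F0F90}.exe" {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DB006AE-933F-4359-8C3F-F4F29C04721E}\stubpath = "C:\\Windows\\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe" {61838062-CC67-45fc-84D2-1481564F0F90}.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
DROP_RE = re.compile(r"^File created (C:\\Windows\\(" + GUID + r")\.exe) (\S+)$")
STUB_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(" + GUID + r')\\stubpath = "([^"]*)" (\S+)$',
    re.IGNORECASE,
)


def parse_iocs(text):
    """Return (drops, stubs): dropper image -> [(dropped image, path)] and
    registrant image -> {component GUID: stubpath value}."""
    drops, stubs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = DROP_RE.match(line)
        if m:
            path, guid, proc = m.groups()
            drops.setdefault(proc, []).append((guid + ".exe", path))
            continue
        m = STUB_RE.match(line)
        if m:
            guid, value, proc = m.groups()
            # The report prints the REG_SZ with its backslashes escaped.
            stubs.setdefault(proc, {})[guid] = value.replace("\\\\", "\\")
    return drops, stubs


def reconstruct_chain(drops, root):
    """Follow drop edges from the submitted sample. A stage that drops more
    than one file, or a file already in the chain, is not the linear pattern
    this report shows and is reported as an error."""
    chain, node = [root], root
    while node in drops:
        children = drops[node]
        if len(children) != 1:
            raise ValueError(f"{node} drops {len(children)} files; not a linear chain")
        node = children[0][0]
        if node in chain:
            raise ValueError(f"cycle at {node}")
        chain.append(node)
    return chain


def check_registration(drops, stubs):
    """Each dropped file must be registered by its own dropper under Active
    Setup with a stubpath equal to the dropped path. Returns the mismatches."""
    problems = []
    for dropper, dropped in drops.items():
        for image, path in dropped:
            registered = stubs.get(dropper, {}).get(image[:-4])  # strip ".exe"
            if registered != path:
                problems.append((dropper, image, registered))
    return problems


if __name__ == "__main__":
    drops, stubs = parse_iocs(IOC_LINES)
    chain = reconstruct_chain(drops, SAMPLE)
    print(f"{len(chain) - 1} stages:", " -> ".join(chain))
    print("registration mismatches:", check_registration(drops, stubs))
```

Run against the lines from this report the chain is the thirteen images seen in the process tree (sample plus twelve stages) and the mismatch list is empty, which is the check worth automating when triaging many reports of this family: a stage that drops a file without registering it, or registers a stubpath that points somewhere other than what it dropped, is a different variant and deserves a second look.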
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | process
- Token: SeIncBasePriorityPrivilege | 1784 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 1800 | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
- Token: SeIncBasePriorityPrivilege | 4728 | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
- Token: SeIncBasePriorityPrivilege | 684 | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe
- Token: SeIncBasePriorityPrivilege | 2652 | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
- Token: SeIncBasePriorityPrivilege | 2248 | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
- Token: SeIncBasePriorityPrivilege | 2320 | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
- Token: SeIncBasePriorityPrivilege | 4108 | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
- Token: SeIncBasePriorityPrivilege | 1760 | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
- Token: SeIncBasePriorityPrivilege | 4044 | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
- Token: SeIncBasePriorityPrivilege | 4316 | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
- Token: SeIncBasePriorityPrivilege | 1500 | {61838062-CC67-45fc-84D2-1481564F0F90}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
pid | process | procid_target
Every target is a process the writer has just spawned itself (the next stage or its own cmd.exe helper), so this signature reflects process start-up rather than injection into an unrelated process. The report records each parent/child pair three times and stops at 64 entries; the last pair (4316 -> 4020) therefore appears once, and the 1500 -> 532 pair visible in the process tree is not listed at all.
- PID 1784 wrote to memory of 1800 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 95 (3 entries)
- PID 1784 wrote to memory of 4996 | 2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe | 96 (3 entries)
- PID 1800 wrote to memory of 4728 | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe | 97 (3 entries)
- PID 1800 wrote to memory of 4644 | {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe | 98 (3 entries)
- PID 4728 wrote to memory of 684 | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe | 101 (3 entries)
- PID 4728 wrote to memory of 512 | {52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe | 102 (3 entries)
- PID 684 wrote to memory of 2652 | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe | 107 (3 entries)
- PID 684 wrote to memory of 624 | {5DD69A26-F94F-4630-A452-954FC69F7212}.exe | 108 (3 entries)
- PID 2652 wrote to memory of 2248 | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe | 110 (3 entries)
- PID 2652 wrote to memory of 3780 | {D642A007-FD9A-449c-B528-A53A097A7BCF}.exe | 111 (3 entries)
- PID 2248 wrote to memory of 2320 | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe | 112 (3 entries)
- PID 2248 wrote to memory of 3576 | {18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe | 113 (3 entries)
- PID 2320 wrote to memory of 4108 | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe | 114 (3 entries)
- PID 2320 wrote to memory of 4492 | {39624838-6A19-430d-A8E8-0532DF60B7FE}.exe | 115 (3 entries)
- PID 4108 wrote to memory of 1760 | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe | 116 (3 entries)
- PID 4108 wrote to memory of 4716 | {D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe | 117 (3 entries)
- PID 1760 wrote to memory of 4044 | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe | 118 (3 entries)
- PID 1760 wrote to memory of 400 | {498E330C-5C31-4b57-970A-FB5D78B142E5}.exe | 119 (3 entries)
- PID 4044 wrote to memory of 4316 | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe | 120 (3 entries)
- PID 4044 wrote to memory of 2244 | {3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe | 121 (3 entries)
- PID 4316 wrote to memory of 1500 | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe | 122 (3 entries)
- PID 4316 wrote to memory of 4020 | {F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe | 123 (1 entry; list truncated)
Processes

Each stage launches the stage it dropped into C:\Windows and then spawns cmd.exe to delete its own image, naming the file by its 8.3 short name (for example {C8BA8~1.EXE for {C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe). The number in brackets is the depth in the tree; a cmd.exe at depth N+1 is a child of the stage at depth N, so it deletes its parent. Where no cmdline is given it is identical to the image path.

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe (PID 1784)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
    signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe (PID 1800)
      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe (PID 4728)
        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe (PID 684)
          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [5] C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe (PID 2652)
            signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe (PID 2248)
              signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [7] C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe (PID 2320)
                signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              [8] C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe (PID 4108)
                  signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                [9] C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe (PID 1760)
                    signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe (PID 4044)
                      signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe (PID 4316)
                        signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe (PID 1500)
                          signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe (PID 3720)
                            signatures: Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 532)
                            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{61838~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 4020)
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1560~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2244)
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{3728D~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 400)
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{498E3~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 4716)
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F69~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 4492)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{39624~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 3576)
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{18C0E~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3780)
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D642A~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 624)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD69~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 512)
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{52677~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4644)
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA8~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4996)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4176; top-level, not a child of the sample)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
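The self-deletion pattern in the tree above (a stage spawns cmd.exe /c del on its own image, written as an 8.3 short name) is a good detection hook, because a legitimate installer rarely deletes the very executable that launched cmd.exe. The Python below is an added example, not part of the Triage report: it runs that logic over process-creation events transcribed from the tree (the sample, its first two stages, its last two stages and the cmd.exe helper each spawns; the sample's own parent is not shown in the report, so ppid 0 is a placeholder) plus one constructed explorer.exe/cmd.exe pair that deletes an unrelated file, as a benign control. The field layout (pid, ppid, image, command line) is the one Sysmon Event ID 1 provides as ProcessId, ParentProcessId, Image and CommandLine; the function names are mine.

```python
import ntpath
import re

# Process-creation events (pid, ppid, image, command line) transcribed from the
# process tree above. The report does not show the sample's parent, so ppid 0
# is a placeholder. The explorer.exe/cmd.exe pair at the end is CONSTRUCTED as
# a benign control and does not appear in the report.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
STAGE1 = r"C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe"
STAGE2 = r"C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe"
STAGE11 = r"C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe"
STAGE12 = r"C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    (1784, 0, SAMPLE_IMAGE, '"' + SAMPLE_IMAGE + '"'),
    (1800, 1784, STAGE1, STAGE1),
    (4996, 1784, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (4728, 1800, STAGE2, STAGE2),
    (4644, 1800, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA8~1.EXE > nul"),
    (512, 4728, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{52677~1.EXE > nul"),
    (1500, 4316, STAGE11, STAGE11),
    (3720, 1500, STAGE12, STAGE12),
    (532, 1500, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{61838~1.EXE > nul"),
    (1234, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed control
    (5678, 1234, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),  # constructed control
]

# A "{GUID}.exe" dropped straight into the Windows directory, as every stage here is.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$", re.IGNORECASE)
DEL_RE = re.compile(r"/c\s+del\s+(\S+)", re.IGNORECASE)


def self_deletes(target, parent_image):
    """True when the del target names the parent's own image. The target may be
    the 8.3 short form (first six characters of the long stem, then ~N, with
    the extension cut to three characters), which is how it appears in this
    report, or the full long name."""
    if ntpath.dirname(target).lower() != ntpath.dirname(parent_image).lower():
        return False
    t_stem, t_ext = ntpath.splitext(ntpath.basename(target))
    p_stem, p_ext = ntpath.splitext(ntpath.basename(parent_image))
    if t_ext.lower() != p_ext[:4].lower():
        return False
    if "~" in t_stem:
        return p_stem.lower().startswith(t_stem.split("~", 1)[0].lower())
    return t_stem.lower() == p_stem.lower()


def find_self_deletion(events):
    """Flag every cmd.exe child whose del target is its parent's own image.
    Returns one record per hit, in event order; guid_drop marks parents that
    live in C:\\Windows under a bare GUID name."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdline)
        parent = by_pid.get(ppid)
        if m is None or parent is None:
            continue
        if self_deletes(m.group(1), parent[2]):
            hits.append({
                "cmd_pid": pid,
                "parent_pid": ppid,
                "parent_image": parent[2],
                "guid_drop": bool(GUID_EXE_RE.match(parent[2])),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(hit)
```

On the transcribed events this flags the four cmd.exe helpers (PIDs 4996, 4644, 512 and 532) and nothing else; the first hit has guid_drop false because the submitted sample sits in the user's Temp directory, the other three have it true. The short-name comparison is deliberately a prefix check rather than a re-implementation of Windows 8.3 generation, so it will also match a sibling file whose first six characters coincide; in a real pipeline resolve the short name on the host or accept the small false-positive rate.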
Network
MITRE ATT&CK Enterprise v15
Downloads (12 files)

All twelve dropped files are the same size as the submitted sample (344KB) but each carries a different hash, and none matches the sample's hashes listed under General. A blocklist keyed on the submitted file's hash alone therefore does not cover the dropped stages; use the C:\Windows\{GUID}.exe path pattern, the Active Setup keys or the YARA rule above instead.

- Filesize: 344KB
  MD5: 3023096b3fe9dde77aa7d9cda9e7669e
  SHA1: 90d6ea6390f60d89abe56a43b6db672f88fadc97
  SHA256: 7a2840b653d54a74b1111d88445d8f901e755d58603251381d3b8337fd2b4956
  SHA512: fe086ca31b0d35e017e4f399105f140c53c7ef16483c6802e851b6438ca45aa012cc403a3b69998c2566c9eb944f695961ed3df5d49c51dfdea9bfff490f3905
- Filesize: 344KB
  MD5: 9c2aa551ed1e247fa0d43b124bbdf055
  SHA1: d3a010baee2cfb38dd34cb8f298fb4b53bb76e48
  SHA256: 0022acc25e0f4bcacb62005377db4d0d0ea18bc561133599a50b9f72d2ce1f93
  SHA512: 07948a5910302abe89508e13d3b62d94cb0779e9bf503370c97e3638c2ce581c83105ab9be94d6e00aa66c7572adfe55009768c3057250f87bf467e0f23ef1fb
- Filesize: 344KB
  MD5: 881f4f0d763622fd4b5700e5b4f22c8c
  SHA1: b0ffc995913277dfe5419eecb643d61a8828baab
  SHA256: c80b23b059368ec59c5e503a22ff538ad7bfb9fd33c70552768c4828b4cb4be4
  SHA512: bb667fa6051c0ceca483616482471021e823bc954ae88246e5db043600ce842a8e1a67ec441c4ff6352c4a9bf4e31bffbd9d8701d770143ba21c60de76b182ea
- Filesize: 344KB
  MD5: 7dcc0395ef3b72e02447ddec77b8ae9d
  SHA1: a20cbc7c65cace112d2c4357920007cfdffd642c
  SHA256: aeb42dfb444e91bf187f1ab8469d1d2e8bfa1202d76bd4e2a149c41cad0301db
  SHA512: bac4e14b87b69b7459fe219ceac483695006cb8d033d6d1edbdfe88e4cc0375ed7c960d2fe6f1df25c0ca7201b44efa827f5336a023303a51b28f46fa8839dbc
- Filesize: 344KB
  MD5: e2e51107d906657fbda7e7e72fadfe44
  SHA1: 6b902aff13bedfa071698eee7da18971cfffec4e
  SHA256: 496d5c6d4980acb0fe1ad9b4b8f69d78474b9b52d6a79c6b92575dfbc00fd796
  SHA512: 93ea8a18413b6868d92b8ab5f099fa232726aa2ee04d724ce009a1b033a82bdb7afc8bfd5cf0dbf71390ccf9063d18e6419533229180393450a9343baad13b22
- Filesize: 344KB
  MD5: ee8d7961de30ce5658b6e18c4679f262
  SHA1: 579f35cf59a53fe1b96d2464dc223c556f75fe93
  SHA256: 06c69179112f43b5ae70c024d4eace70876f9f6b451adaa2d6615f837ab9660b
  SHA512: 1e929621356a7a135b371435d3746434870b3b4d2b8919b5ed7ad1b6956374769e3477ca5680aad9a5d2a90b09651d7d68b3b4e4e2bd00f56f802be22d7040a6
- Filesize: 344KB
  MD5: 58cd0a45b21b2d06f0b8d285a2ec31c3
  SHA1: 004c4d73e3ab08a2f8b93d256bb41e9a0a63fd54
  SHA256: 0bcd47aa2c3afddaf8f66c99411eef958f00bb450e3865000c5c3011e4d4a920
  SHA512: 851b7d1381fdec8b14c25ed5c138e86147ff5d512d28de55661311ad2e7dccb3b82fb24d61d427b536f220c60c6ea5cfa1c33e23c5a73305bc948c4fbea9ce61
- Filesize: 344KB
  MD5: 8e3ce6da73c7ad2b679e067e9afe026b
  SHA1: 66553748a905d13e5a00e28947541686e628435a
  SHA256: 92e179326c4c0e6701fb7275a4e305fe98e600009529c4bc534c8460a2be50a7
  SHA512: f05116ddadf78587d84b0466c1b4485cda324bc235cd42ca37da0518765f909bb4ba24a1496e3e078338ed7cea4a49fd6904189c4fb4c3441f6cd77b6baf626c
- Filesize: 344KB
  MD5: b8aa223fa794b14065d91fd978dee421
  SHA1: 757e0f9e33323e950d788d52b60dc038744cd839
  SHA256: d8da933dd2a7c7db766eb6dce95ac93a29ce581ed8d6eaf968a6533dcd25a00b
  SHA512: dbed7ae9782d2ab059e232c14442bf20c03c2d4af40ae9a66f0518035b75bf3dc459ccfe54e0bf2299716e7fcf9460def958809b496b133fe536081f06590b42
- Filesize: 344KB
  MD5: 9f2c944a8e2a50c8d94a549f536d292d
  SHA1: 9df011f7940c9cac9fd1921c3d67e2d357302dae
  SHA256: a62bfb06332e0e4b21d0d2ad6d3423b3462e5d181926a26f478f4d3b95581fcc
  SHA512: 9570bfc08eb41a5e9251672a26fbd145b025fb54b640fdad49843d9dbfec072b76e8cd8d4bb4a3041c490bd5e7823438b9cf8ebbd42967ea6afd2689eaecafa4
- Filesize: 344KB
  MD5: 2d4668b0602e0ffcf5f95bd13f0c8028
  SHA1: ed2e461afe1a0faa19bc0119b5242ad352ac2776
  SHA256: 9f34256356399cdc571abce50bd8517adde5937a5dd7101ab09a6106f9129b80
  SHA512: 333a109aeade2918553673ce40f95a94bb0f73581d56c5330d1d7b5dd3fb38aee43830a01b62e59a03fa9f72db21711fbd956e7dcef78b7c983d49ce4e4c55b8
- Filesize: 344KB
  MD5: 4a400717ae300b7c1f5e1526e2e117a3
  SHA1: 26fb48a7ca969526a7f297a4478b771bfbd42a55
  SHA256: e88f6d07475cab9ce1d000a19459afef520e6f392e7d301becf48dcffb8b98d0
  SHA512: 524bf5562f279cdd90bd3ded6d5959df9f2c6869972263def43389f0bca067b2302639c468ee5ca37af9c71e727fff530088bbfe99bf8b29a4ea961d56ad6022