Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:43
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Size: 380KB
MD5: 050b37d7510f8a8ef9f98757c220251b
SHA1: 8c9c533b59ff94f0b50103a37bb32804f74b4868
SHA256: a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f
SHA512: 9bd18744772cf7edeb21d0f44711e110724f57194fd556d50365ee233d53e8fd98ca8593072042cea34f166838519e0a9e6972645d231623fd26244699c0bdce
SSDEEP: 3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0004000000022ac3-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022ac4-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f2-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233f6-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233fc-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f6-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233fc-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f6-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233fc-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f6-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233fc-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f6-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE830B-2C50-44b3-862B-DA04E37C7126}\stubpath = "C:\\Windows\\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe" | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900951C4-A370-4c61-A8C8-75CD5528D398}\stubpath = "C:\\Windows\\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe" | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F41826-941E-47c7-A1D2-705271882C58}\stubpath = "C:\\Windows\\{B7F41826-941E-47c7-A1D2-705271882C58}.exe" | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF216A8E-6648-4801-8188-C43F8AE53620}\stubpath = "C:\\Windows\\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe" | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4244FDBC-15CB-4241-8D0E-9E776E61580C} | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EE830B-2C50-44b3-862B-DA04E37C7126} | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4244FDBC-15CB-4241-8D0E-9E776E61580C}\stubpath = "C:\\Windows\\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe" | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}\stubpath = "C:\\Windows\\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe" | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042651AD-36D6-4fd5-8F1F-B34B992131E0}\stubpath = "C:\\Windows\\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe" | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B660DD36-227F-4aa2-BEC7-833B5269AEFF} | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE3ACA3-82C6-4a82-B779-20640363C2F9} | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7787983-2EEE-4e24-BCBC-14D4D35958AF} | {B7F41826-941E-47c7-A1D2-705271882C58}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}\stubpath = "C:\\Windows\\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe" | {B7F41826-941E-47c7-A1D2-705271882C58}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF216A8E-6648-4801-8188-C43F8AE53620} | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3029469-3CF9-48ae-AF7A-85929468A5BD} | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{042651AD-36D6-4fd5-8F1F-B34B992131E0} | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7C1863-535E-4e86-AA06-A3EAF27B7562} | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900951C4-A370-4c61-A8C8-75CD5528D398} | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}\stubpath = "C:\\Windows\\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe" | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}\stubpath = "C:\\Windows\\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe" | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F41826-941E-47c7-A1D2-705271882C58} | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1} | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}\stubpath = "C:\\Windows\\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe" | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3029469-3CF9-48ae-AF7A-85929468A5BD}\stubpath = "C:\\Windows\\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe" | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
Executes dropped EXE (12 IoCs)
pid | Process
4816 | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe
2168 | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
4396 | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
1808 | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
3664 | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
4696 | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
4616 | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
3732 | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe
4952 | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
2844 | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
2436 | {B7F41826-941E-47c7-A1D2-705271882C58}.exe
4900 | {C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
File created | C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
File created | C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
File created | C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
File created | C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
File created | C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe
File created | C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
File created | C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
File created | C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
File created | C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
File created | C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe | {B7F41826-941E-47c7-A1D2-705271882C58}.exe
File created | C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4900 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4816 | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe
Token: SeIncBasePriorityPrivilege | 2168 | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
Token: SeIncBasePriorityPrivilege | 4396 | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
Token: SeIncBasePriorityPrivilege | 1808 | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
Token: SeIncBasePriorityPrivilege | 3664 | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
Token: SeIncBasePriorityPrivilege | 4696 | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
Token: SeIncBasePriorityPrivilege | 4616 | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
Token: SeIncBasePriorityPrivilege | 3732 | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe
Token: SeIncBasePriorityPrivilege | 4952 | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
Token: SeIncBasePriorityPrivilege | 2844 | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
Token: SeIncBasePriorityPrivilege | 2436 | {B7F41826-941E-47c7-A1D2-705271882C58}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | Process | procid_target (each record is followed by the number of times it appears in the report)
PID 4900 wrote to memory of 4816 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 85 (3 writes)
PID 4900 wrote to memory of 3020 | 2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe | 86 (3 writes)
PID 4816 wrote to memory of 2168 | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe | 87 (3 writes)
PID 4816 wrote to memory of 1912 | {AF216A8E-6648-4801-8188-C43F8AE53620}.exe | 88 (3 writes)
PID 2168 wrote to memory of 4396 | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe | 91 (3 writes)
PID 2168 wrote to memory of 1528 | {4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe | 92 (3 writes)
PID 4396 wrote to memory of 1808 | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe | 97 (3 writes)
PID 4396 wrote to memory of 3124 | {4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe | 98 (3 writes)
PID 1808 wrote to memory of 3664 | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe | 100 (3 writes)
PID 1808 wrote to memory of 3476 | {A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe | 101 (3 writes)
PID 3664 wrote to memory of 4696 | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe | 102 (3 writes)
PID 3664 wrote to memory of 5032 | {C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe | 103 (3 writes)
PID 4696 wrote to memory of 4616 | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe | 104 (3 writes)
PID 4696 wrote to memory of 4048 | {BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe | 105 (3 writes)
PID 4616 wrote to memory of 3732 | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe | 106 (3 writes)
PID 4616 wrote to memory of 3616 | {042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe | 107 (3 writes)
PID 3732 wrote to memory of 4952 | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe | 108 (3 writes)
PID 3732 wrote to memory of 4464 | {900951C4-A370-4c61-A8C8-75CD5528D398}.exe | 109 (3 writes)
PID 4952 wrote to memory of 2844 | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe | 110 (3 writes)
PID 4952 wrote to memory of 4316 | {B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe | 111 (3 writes)
PID 2844 wrote to memory of 2436 | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe | 112 (3 writes)
PID 2844 wrote to memory of 2128 | {8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe | 113 (1 write; the list ends here at 64 entries)
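The registry and file-drop signatures above describe one persistence mechanism repeated twelve times: each stage creates an Active Setup "Installed Components\{GUID}" key under the WOW6432Node hive with a stubpath of C:\Windows\{GUID}.exe. Windows runs an Active Setup StubPath once per user at interactive logon when the user's HKCU hive lacks the matching key, so these entries outlive the sandbox run. The following hunt script is an added example for this page, not code from the sandbox, the report, or the sample. It enumerates both Active Setup hives on a Windows host, flags any stub that follows the C:\Windows\{GUID}.exe naming scheme, records whether the target still exists on disk (the process tree shows each stage deleting itself, so most stubs dangle), and hashes any surviving target against the SHA256 values the report gives for the submitted sample and the twelve dropped files in the Downloads section. The hive list, the GUID pattern, and the assumption that it is run elevated are my choices, not the report's.

```powershell
# Added example: hunt for the Active Setup persistence left by this dropper chain.
# Not part of the Triage report. Assumes it is run elevated on the suspect Windows host.

# Known-bad SHA256 values taken from the report: the submitted sample first, then the
# twelve dropped files listed under Downloads.
$KnownBadSha256 = @(
    'a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f',
    '51d4121b82969e15d423056c94bf55ce648d01d35fc8f864529c8f79eaae5783',
    'c911c1ef0c416cb1c2b671806000f1304b3c4746904e7f3367151d99de94b227',
    '16391069052c280220145d37784192f9034136fb0ce387c87f0036c25d9ea59a',
    '5266e7680713e7d5af19c75defad94be5a89c4baa00358bc6a2b971e51226f9c',
    'e24a2af642d83eecd396ad95a885864c58cf29154966ccb80d1d2584b8bbc032',
    'ed8d0a037b87556fd2af1506395a9184643efed2b16dfcd281a014986c96d8a6',
    '8a4fd84f848a7fce182786d88af05e059a15c72c666775c259171c4ea27f2b1a',
    '55d1a7508d5d56acaa8cbfa7d3277b2e04eb09fdebadf337d923e394b82d52ba',
    'aa66cffc663d03edf403c3b262338ecdf3360d976cec5875d6a50379fee18e68',
    '98b1a48762c70322281d3144ba53b1c48d1fc68c5e3a90788f52562bc70b9386',
    'e7d2481cdc7690da97df636d38495c57dc5dcc19a317be1bc9d18dde808367a1',
    'fa27dd9c4038cd9b92a9cd479d982aebdd790f8acd78ce85a9f82f8b06a0d987'
)

# The sample is 32-bit and writes under WOW6432Node; checking the native hive as well
# is this example's choice, so a 64-bit variant would not be missed.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# Every stage in the report registers a stub of exactly this shape: <drive>:\Windows\{GUID}.exe
$GuidExePattern = '^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}\.exe$'

function Get-GoldenEyeActiveSetup {
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).StubPath
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }
            $stubPath = $stub.Trim().Trim('"')
            if ($stubPath -notmatch $GuidExePattern) { continue }

            # Each stage deletes itself after launching the next, so most stubs dangle.
            # A dangling stub is still an IoC and still needs removing.
            $onDisk = Test-Path -LiteralPath $stubPath -PathType Leaf
            $sha256 = $null
            if ($onDisk) {
                $sha256 = (Get-FileHash -LiteralPath $stubPath -Algorithm SHA256).Hash.ToLowerInvariant()
            }

            [pscustomobject]@{
                Hive     = $root
                Key      = $key.PSChildName
                StubPath = $stubPath
                OnDisk   = $onDisk
                SHA256   = $sha256
                KnownBad = [bool]($sha256 -and ($KnownBadSha256 -contains $sha256))
            }
        }
    }
}

Get-GoldenEyeActiveSetup | Format-Table -AutoSize
```

A hit with OnDisk false is the expected shape for stages 1 through 11 after the chain has run; only the final stage's file is never deleted by a child. Any hit with OnDisk true and KnownBad false is a recompiled or different build and should be collected rather than discarded. Cleanup is the flagged keys under HKLM plus any per-user copies Active Setup has already written under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components.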
Processes
Depth gives the position in the report's process tree; every depth-N+1 entry is a child of the depth-N executable listed before it. Each stage launches the next stage and then a cmd.exe that deletes the stage's own image by its 8.3 short name.

Depth 1, PID 4900 (submitted sample)
  Image: C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2, PID 4816, parent PID 4900
  Image and command line: C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2, PID 3020, parent PID 4900
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Depth 3, PID 2168, parent PID 4816
  Image and command line: C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 3, PID 1912, parent PID 4816
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF216~1.EXE > nul

Depth 4, PID 4396, parent PID 2168
  Image and command line: C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 4, PID 1528, parent PID 2168
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4244F~1.EXE > nul

Depth 5, PID 1808, parent PID 4396
  Image and command line: C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 5, PID 3124, parent PID 4396
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4B168~1.EXE > nul

Depth 6, PID 3664, parent PID 1808
  Image and command line: C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 6, PID 3476, parent PID 1808
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A3029~1.EXE > nul

Depth 7, PID 4696, parent PID 3664
  Image and command line: C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 7, PID 5032, parent PID 3664
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EE8~1.EXE > nul

Depth 8, PID 4616, parent PID 4696
  Image and command line: C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 8, PID 4048, parent PID 4696
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7C1~1.EXE > nul

Depth 9, PID 3732, parent PID 4616
  Image and command line: C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 9, PID 3616, parent PID 4616
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{04265~1.EXE > nul

Depth 10, PID 4952, parent PID 3732
  Image and command line: C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 10, PID 4464, parent PID 3732
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90095~1.EXE > nul

Depth 11, PID 2844, parent PID 4952
  Image and command line: C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 11, PID 4316, parent PID 4952
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B660D~1.EXE > nul

Depth 12, PID 2436, parent PID 2844
  Image and command line: C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Depth 12, PID 2128, parent PID 2844
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE3A~1.EXE > nul

Depth 13, PID 4900, parent PID 2436
  Image and command line: C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe
  - Executes dropped EXE

Depth 13, PID 2356, parent PID 2436
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F41~1.EXE > nul
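The process tree shows the same two-child pattern at every depth: a C:\Windows\{GUID}.exe stage spawns the next stage and a cmd.exe that deletes the stage's own image, referenced by its 8.3 short name ("{AF216~1.EXE" for "{AF216A8E-...}.exe"). That parent/child relationship is what a detection should key on, because the del command alone is common. The script below is an added example for this page, not code from the sandbox, the report, or the sample. It runs the detection over a constructed slice of process-creation telemetry built from PIDs and command lines in the tree above (Sysmon Event ID 1 or Security 4688 carry the same fields); the record layout (Pid, ParentPid, Image, CommandLine), the parent PID 0 given to the submitted sample, and the benign control record are this example's own, as is the 8.3-name heuristic.

```powershell
# Added example: flag "stage spawns cmd.exe /c del <its own 8.3 short name>" in process
# telemetry. Not part of the Triage report. The records below are constructed from the
# report's process tree; ParentPid 0 for the sample and the last record are invented.

$Events = @(
    [pscustomobject]@{ Pid = 4900; ParentPid = 0;    Image = 'C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe'; CommandLine = '"C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"' }
    [pscustomobject]@{ Pid = 4816; ParentPid = 4900; Image = 'C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe'; CommandLine = 'C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe' }
    [pscustomobject]@{ Pid = 3020; ParentPid = 4900; Image = 'C:\Windows\SysWOW64\cmd.exe'; CommandLine = 'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul' }
    [pscustomobject]@{ Pid = 2168; ParentPid = 4816; Image = 'C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe'; CommandLine = 'C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe' }
    [pscustomobject]@{ Pid = 1912; ParentPid = 4816; Image = 'C:\Windows\SysWOW64\cmd.exe'; CommandLine = 'C:\Windows\system32\cmd.exe /c del C:\Windows\{AF216~1.EXE > nul' }
    # Constructed benign control: an operator deleting a log file must not fire.
    [pscustomobject]@{ Pid = 5100; ParentPid = 4000; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c del C:\Users\Admin\Downloads\old.log' }
)

# "cmd[.exe] /c del <target>" with optional quoting and an optional directory before cmd;
# the target is the first token after del (stops at a quote, whitespace or redirect).
$DelPattern = '^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+del\s+"?([^"\s>]+)'

function Split-WinPath {
    # Manual split on the last backslash so the example also runs on non-Windows PowerShell.
    param([string]$Path)
    $i = $Path.LastIndexOf('\')
    if ($i -lt 0) { return @('', $Path) }
    return @($Path.Substring(0, $i), $Path.Substring($i + 1))
}

function Test-ShortNameOf {
    # True when $ShortName looks like an 8.3 alias ("{AF216~1.EXE") of $LongName: the
    # characters before "~" must prefix the long name and the extensions must agree.
    # Heuristic only: 8.3 generation also rewrites spaces and some punctuation and
    # truncates long extensions, so a miss means "unknown", not "benign".
    param([string]$ShortName, [string]$LongName)
    if (-not ($ShortName -match '^(.{1,6})~\d+(\.[^.]{0,3})?$')) { return $false }
    $prefix = $Matches[1]
    $ext    = if ($Matches[2]) { $Matches[2] } else { '' }
    $cmp    = [System.StringComparison]::OrdinalIgnoreCase
    return $LongName.StartsWith($prefix, $cmp) -and $LongName.EndsWith($ext, $cmp)
}

function Find-SelfDeleteSpawn {
    param([object[]]$Records)
    $byPid = @{}
    foreach ($r in $Records) { $byPid[[int]$r.Pid] = $r }

    foreach ($r in $Records) {
        if ($r.Image -notmatch '\\cmd\.exe$') { continue }
        if (-not ($r.CommandLine -match $DelPattern)) { continue }
        $target = $Matches[1]
        $parent = $byPid[[int]$r.ParentPid]
        if (-not $parent) { continue }          # parent not in the slice: cannot decide

        $pDir, $pName = Split-WinPath $parent.Image
        $tDir, $tName = Split-WinPath $target
        if ($pDir -ne $tDir) { continue }       # case-insensitive string compare in PowerShell
        if (-not (Test-ShortNameOf -ShortName $tName -LongName $pName)) { continue }

        [pscustomobject]@{
            CmdPid        = $r.Pid
            ParentPid     = $parent.Pid
            ParentImage   = $parent.Image
            DeletedTarget = $target
            InWindowsDir  = [bool]($pDir -match '^[A-Za-z]:\\Windows$')
        }
    }
}

Find-SelfDeleteSpawn -Records $Events | Format-Table -AutoSize
```

Against the constructed slice, the function returns the two cmd.exe records whose del target resolves to the parent's own image (the sample deleting itself from Temp, and stage {AF216A8E-...} deleting itself from C:\Windows); the control record is dropped because its parent is not in the slice. On real telemetry, build the same objects from Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) and treat InWindowsDir true as the higher-confidence match, since the report shows every dropped stage living directly under C:\Windows.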
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 380KB
MD5: 06237ee806ce922031c1070c3f0e149b
SHA1: ee0d5f7437581f107c5e81140656d7454d84a641
SHA256: 51d4121b82969e15d423056c94bf55ce648d01d35fc8f864529c8f79eaae5783
SHA512: 300e1e491565c03e00bded5190c62e61c6353bdda7d53d27d19470dcf5e82a1b256e488b3fdaca854e61e235f506138ef8b51fdd02994611e67325b714d83e25

Filesize: 380KB
MD5: 80b1dccf5a3880b075b42fa587acd58e
SHA1: 484845ed9b565137ed69473f76012d32ef5c32e9
SHA256: c911c1ef0c416cb1c2b671806000f1304b3c4746904e7f3367151d99de94b227
SHA512: 64f4172978934c628d6741137029ed97035b24978a54dab80a4d94eee7805b609c1e7ec6a49f60b35b02cc2d5cc67c47332181e641bfab948f527d50e8d1936d

Filesize: 380KB
MD5: a30d2a948a1a25871f3a8b0751a47483
SHA1: 8a073df53d7a67553900a8a733c5786d58fe9784
SHA256: 16391069052c280220145d37784192f9034136fb0ce387c87f0036c25d9ea59a
SHA512: f878a629b657b6431572cc35eacf7d04637193ce71048834f73695d582613f6af5a91d7fb7efa325a7ab027c85fa98f736d0ff00d8a7f520ab3512a4685efbed

Filesize: 380KB
MD5: f1cec4e92653c69e8e28f28a6307ea8b
SHA1: f086c9bd85f06fd71c8f9516977fe75f15836159
SHA256: 5266e7680713e7d5af19c75defad94be5a89c4baa00358bc6a2b971e51226f9c
SHA512: e24be535eb4aacd879126ce19464e5c9adacf187354ce4a1596a090d6c287c02fa2a63ec0cc91135962dce665eac0e17b5aa1796808d61d20366def49f338347

Filesize: 380KB
MD5: 9427269a112e23fc510d45d280bde90c
SHA1: 84de051a2c001ed70863cadf1d590f13080e7c3e
SHA256: e24a2af642d83eecd396ad95a885864c58cf29154966ccb80d1d2584b8bbc032
SHA512: 4dc43c2f2a1262dabb658a7cab272964b8d11956f3e954d1cbef9b0f089d5a634e92437878d8417ce2fc5072bb2e6e52a30f9084d37c2059bb9d6917f9abccaa

Filesize: 380KB
MD5: a344ee53899d3203ed2f4b790cf83494
SHA1: dce69d1f0a03484f93f5a696bcd2f7af7d72fd78
SHA256: ed8d0a037b87556fd2af1506395a9184643efed2b16dfcd281a014986c96d8a6
SHA512: c003a9c93e460a4d3afae9165f6465437e4975a4288d4e0a3efee8fa8ee71cd28c077820f1de244b17a48db10d8710ed5422d67200817b76d0f61be892c760d5

Filesize: 380KB
MD5: c4aff1f04f302c6b3647866a1916d16d
SHA1: 446ebff989a5f4760a605eee840be146abd1e3e5
SHA256: 8a4fd84f848a7fce182786d88af05e059a15c72c666775c259171c4ea27f2b1a
SHA512: 92fd8438362f1d1d9908a3ef05c9a6cc5a21f8b4bcfd661d9b95f2fbdc00ac94745760e663f843443ddae7aca21db998cb58965981add00349d6e11770647adb

Filesize: 380KB
MD5: d410cca892a5f5579f4211be0e35b250
SHA1: c6e3393043c80b8b86d95bb1af8ce4bc266adb22
SHA256: 55d1a7508d5d56acaa8cbfa7d3277b2e04eb09fdebadf337d923e394b82d52ba
SHA512: 2e5f335afd6e4475eb2df36651515104264d1b2e89520e493a2282fb4eac9eb7a1a42b6b8544eba52c97fd77819128145d63ca0886911a8ac937a008ae8f7c56

Filesize: 380KB
MD5: 3ee5a03464a173929a4007599b041735
SHA1: 782b00e3c3ec3072234ab4a5c78674ef22940be2
SHA256: aa66cffc663d03edf403c3b262338ecdf3360d976cec5875d6a50379fee18e68
SHA512: 3ee2f35759d47b08f33a3fcb1b6a5708d3ae9886914c954799604aa80493f65305267f4b3a0ccb503e5aafe4320726f8644bb57aef6f88214a2d18a84064b92b

Filesize: 380KB
MD5: 9cd1212f74caa727fb870a10162edf94
SHA1: 8c1e44fe7195aedfb4257dbb107e2b175d76ecf8
SHA256: 98b1a48762c70322281d3144ba53b1c48d1fc68c5e3a90788f52562bc70b9386
SHA512: 1f456326065c5017c23bf6b035e9ca01c66cc3b060c85776c1210350fda2fb58cd96a986cb5251c38c339fce2e77502904282d9256221315408dbfde8b25d2c0

Filesize: 380KB
MD5: bd6c11a34b10c48ca647b7f83aab694f
SHA1: cd97876954250ceb313669f24720c47b98257943
SHA256: e7d2481cdc7690da97df636d38495c57dc5dcc19a317be1bc9d18dde808367a1
SHA512: c73e3dbb7e664ee91adcd457ab4b7b79a177fae1358d231b52bf2d4a96edb6e9f4f76dd944c0967a32a172ddc69d9fc2b0bbd294a196c74ba41fc553fab53dbb

Filesize: 380KB
MD5: d4c746b63547a1e06e396422214997b6
SHA1: 47e413f4261bc31e858485060fcf6e83f92607ac
SHA256: fa27dd9c4038cd9b92a9cd479d982aebdd790f8acd78ce85a9f82f8b06a0d987
SHA512: 1f4a9828ccdeafb7093fb03f8b2207cc3282b1d94b51635e0a311230412da838c0c46be9d13b0865d1fd74e8827bfba248e3b3805d197cede407952a3783e2af