Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Size: 197KB
MD5: 7301feddda6b25fa3a7b33330cbcf8a5
SHA1: 9b609736c4b860903ce25b43d2cc8558ce5e5dd3
SHA256: a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6
SHA512: 673df0ba7a4f69b842599a0d4f3bdb72c8984afec15c32ce5a02ed7c751838c6debc3b6b547793c310e09176a44144b4a0072fc956e85d6455a1a93941f53f30
SSDEEP: 3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca
Malware Config
Signatures
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral1/files/0x000e000000012324-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002d00000001386d-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012324-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002e0000000139f2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012324-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012324-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012324-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4146CD63-A845-48bb-94E8-46F23B4C1B00}\stubpath = "C:\\Windows\\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe" | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007DDBD6-9988-46e1-8AAA-B66F4433442E} | {4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46322FF-AECA-4833-9C9A-59B270BF2CD9} | {6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF} | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4} | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E018DAAC-59BA-4949-825E-FDD20F8D3471} | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}\stubpath = "C:\\Windows\\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe" | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}\stubpath = "C:\\Windows\\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe" | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E018DAAC-59BA-4949-825E-FDD20F8D3471}\stubpath = "C:\\Windows\\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe" | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{906F201D-0C39-4d31-A74E-F84956A77A1D} | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A25C888-D129-4792-9A56-53C11A3732C3} | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E} | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}\stubpath = "C:\\Windows\\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe" | {6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A25C888-D129-4792-9A56-53C11A3732C3}\stubpath = "C:\\Windows\\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe" | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}\stubpath = "C:\\Windows\\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe" | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC} | {007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4146CD63-A845-48bb-94E8-46F23B4C1B00} | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007DDBD6-9988-46e1-8AAA-B66F4433442E}\stubpath = "C:\\Windows\\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe" | {4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}\stubpath = "C:\\Windows\\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe" | {007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46278B0F-4043-47fb-A50E-1FCED2060369} | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46278B0F-4043-47fb-A50E-1FCED2060369}\stubpath = "C:\\Windows\\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe" | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{906F201D-0C39-4d31-A74E-F84956A77A1D}\stubpath = "C:\\Windows\\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe" | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe
Executes dropped EXE 11 IoCs
pid | Process
2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe
2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe
2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
804 | {4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
2784 | {007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
1200 | {6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
580 | {E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
File created | C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe
File created | C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
File created | C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
File created | C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe | {4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
File created | C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe
File created | C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
File created | C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
File created | C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
File created | C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe | {007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
File created | C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe | {6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe
Token: SeIncBasePriorityPrivilege | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
Token: SeIncBasePriorityPrivilege | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe
Token: SeIncBasePriorityPrivilege | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
Token: SeIncBasePriorityPrivilege | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
Token: SeIncBasePriorityPrivilege | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
Token: SeIncBasePriorityPrivilege | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
Token: SeIncBasePriorityPrivilege | 804 | {4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
Token: SeIncBasePriorityPrivilege | 2784 | {007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
Token: SeIncBasePriorityPrivilege | 1200 | {6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1732 wrote to memory of 2264 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 28
PID 1732 wrote to memory of 2264 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 28
PID 1732 wrote to memory of 2264 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 28
PID 1732 wrote to memory of 2264 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 28
PID 1732 wrote to memory of 3044 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 29
PID 1732 wrote to memory of 3044 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 29
PID 1732 wrote to memory of 3044 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 29
PID 1732 wrote to memory of 3044 | 1732 | 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe | 29
PID 2264 wrote to memory of 2572 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 30
PID 2264 wrote to memory of 2572 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 30
PID 2264 wrote to memory of 2572 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 30
PID 2264 wrote to memory of 2572 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 30
PID 2264 wrote to memory of 2632 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 31
PID 2264 wrote to memory of 2632 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 31
PID 2264 wrote to memory of 2632 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 31
PID 2264 wrote to memory of 2632 | 2264 | {46278B0F-4043-47fb-A50E-1FCED2060369}.exe | 31
PID 2572 wrote to memory of 2520 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 32
PID 2572 wrote to memory of 2520 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 32
PID 2572 wrote to memory of 2520 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 32
PID 2572 wrote to memory of 2520 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 32
PID 2572 wrote to memory of 1152 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 33
PID 2572 wrote to memory of 1152 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 33
PID 2572 wrote to memory of 1152 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 33
PID 2572 wrote to memory of 1152 | 2572 | {906F201D-0C39-4d31-A74E-F84956A77A1D}.exe | 33
PID 2520 wrote to memory of 2140 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 36
PID 2520 wrote to memory of 2140 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 36
PID 2520 wrote to memory of 2140 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 36
PID 2520 wrote to memory of 2140 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 36
PID 2520 wrote to memory of 1236 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 37
PID 2520 wrote to memory of 1236 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 37
PID 2520 wrote to memory of 1236 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 37
PID 2520 wrote to memory of 1236 | 2520 | {0A25C888-D129-4792-9A56-53C11A3732C3}.exe | 37
PID 2140 wrote to memory of 1212 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 38
PID 2140 wrote to memory of 1212 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 38
PID 2140 wrote to memory of 1212 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 38
PID 2140 wrote to memory of 1212 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 38
PID 2140 wrote to memory of 2740 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 39
PID 2140 wrote to memory of 2740 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 39
PID 2140 wrote to memory of 2740 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 39
PID 2140 wrote to memory of 2740 | 2140 | {FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe | 39
PID 1212 wrote to memory of 1952 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 40
PID 1212 wrote to memory of 1952 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 40
PID 1212 wrote to memory of 1952 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 40
PID 1212 wrote to memory of 1952 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 40
PID 1212 wrote to memory of 2008 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 41
PID 1212 wrote to memory of 2008 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 41
PID 1212 wrote to memory of 2008 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 41
PID 1212 wrote to memory of 2008 | 1212 | {F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe | 41
PID 1952 wrote to memory of 1664 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 42
PID 1952 wrote to memory of 1664 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 42
PID 1952 wrote to memory of 1664 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 42
PID 1952 wrote to memory of 1664 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 42
PID 1952 wrote to memory of 692 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 43
PID 1952 wrote to memory of 692 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 43
PID 1952 wrote to memory of 692 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 43
PID 1952 wrote to memory of 692 | 1952 | {7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe | 43
PID 1664 wrote to memory of 804 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 44
PID 1664 wrote to memory of 804 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 44
PID 1664 wrote to memory of 804 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 44
PID 1664 wrote to memory of 804 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 44
PID 1664 wrote to memory of 316 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 45
PID 1664 wrote to memory of 316 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 45
PID 1664 wrote to memory of 316 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 45
PID 1664 wrote to memory of 316 | 1664 | {E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe | 45
Processes
(process tree; the bracketed number is the nesting depth reported by the sandbox, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe (PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe (PID 2264)
      Command line: C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe (PID 2572)
        Command line: C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe (PID 2520)
          Command line: C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe (PID 2140)
            Command line: C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe (PID 1212)
              Command line: C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe (PID 1952)
                Command line: C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe (PID 1664)
                  Command line: C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe (PID 804)
                    Command line: C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                  [10] C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe (PID 2784)
                      Command line: C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe (PID 1200)
                        Command line: C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                      [12] C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe (PID 580)
                          Command line: C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe
                          - Executes dropped EXE
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 572)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABFB~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 592)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{007DD~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2380)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4146C~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 316)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E018D~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 692)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7961B~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2008)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F90C7~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2740)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FB7C5~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1236)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0A25C~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1152)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{906F2~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2632)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46278~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 3044)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 197KB
MD5: a92d37bb2767f36006d3805b07d641fd
SHA1: 687712868c531210174efc24e4f403f8c122132d
SHA256: 3fa619535f34c28837e40db0fa653872974f8659c45c5e02654b104f6944a86c
SHA512: be94cdde076b27f66441a4d08558cb4e010e46537c31427b0784e228c6b6a4eb03507e10ea92ed7f3134e9b5248db39be7efb6f9b4b407cb4eb9fe599d23faa3

Filesize: 197KB
MD5: 297f6583a5fced8be664100c42bc2d67
SHA1: bcc789cfc9b56fbf00056aa094afa8e21d7d5aeb
SHA256: 3fbd275283109adad4941e19828b71b256e80c0c92a1993d91a21470f92cde44
SHA512: 88912286bf5b64f792bb36399c57ba57bdea12a60c5322dc63c7e02a9249404a0bfa2289100fabdc7c68c0dde85f1e575fc30e9c85d25c6b646444deb6415bbe

Filesize: 197KB
MD5: 982764a00e3260a199ccbe8cd32b58eb
SHA1: b7784096af12f8cc9e7dfaa1ca5ab52fbea39533
SHA256: 2a8035ec7a7f048da96ed2d3c88f2be9f6d9e4d206b7c107b9f88e7a76c46442
SHA512: 71d736bc7e6e9b9bac3dcf854db59673540aeeda4d2090bc8b92dd10ebc1bea9bd6baddbb8eeda291d2078ad0d8a5e13c6db1689af0ca060937066a4a904677c

Filesize: 197KB
MD5: 55aaaba87a62f2f3f6459960d8e1d1d4
SHA1: e1907a9168fe31641f7291edbd38fc777c4ca95b
SHA256: 2e32f27df0e0c74a759f9784752d0a3d084ab1805d9dd6353ef697af90d7af19
SHA512: 5ad8bfe2894338cc884fc00457bfa02c34dea98a1c934f1b1097827cdd5d3fb25294aac3108622937c824c318cacf3f464e20748a5325d59f8ae20325eac1124

Filesize: 197KB
MD5: 0169cf074fd10b5ac0fcad1dab8905f8
SHA1: d24a0370986a4a09cd6be372dcf95f33db5814a6
SHA256: 02ec44738f286c2c33e9a997f1c2beda95b1ab03ab7150d0abd59ffd43d86173
SHA512: b778a67b170acaf3f8d03c990c28a921433421c5a7d90d89d1e9a2bfa08a561121ce8e086699bdfef315da457dcf5dae166a8c9bb05ea741da58c788cfa26264

Filesize: 197KB
MD5: ea8d4bf158e86f0fb50513540219db52
SHA1: 55dadf6838ec51bd0589d20d703a3603843594df
SHA256: a2c5aa845591326ec1d2faa677d0343c54c97afc8544eeca4a85c26b4e164007
SHA512: c26da445bfaacc58e5783f36268910df6ce86d591395a6a06e7da94cb07b0539d9ab717236c4a4737a6e2e3b568387483e8dbf93a2175388f30d4674a47d56b5

Filesize: 197KB
MD5: def3018e209126e15b1c740077b487b9
SHA1: d811aa7e484115f0b2babff355b11b52e58a2ad7
SHA256: 533b506cec1b392724d8fc09dad4e3fb19b58022185c38b54f48123ee9c69b26
SHA512: e13c5e75f47ae9d4220482a373b204457ca5b69b8d8891d3562f48beb179fd0c01fb3f2daf975548ea967d7ea207bcefce34a1191ffd1cda09eeae572aae9046

Filesize: 197KB
MD5: bd5cabe38e079f5a82d333c0d9b7c4ba
SHA1: 1bfb607e0c97fafdd8584481d7d8e1ceb51db9b5
SHA256: adc4c05e5efd574d2880e636c612bc332b987a7aeb7091e16f408bcfeb46ed7c
SHA512: 05640df943f7966153e74819d9c07bb479e3246d34b7685a956ef39bb8d8c26a9b737758d9f92e165626b1dc8c8c232819f740e0af7e7c8ab579d742c08fc112

Filesize: 197KB
MD5: afabff026ddc63bc812d505dc58ed98e
SHA1: b52d6c0ac7645740536c7e4c958adfcbbe7d55d4
SHA256: 3d6f3296fb632f6a44990e6fc98579ba039d93daa541cb3e72b43bb2642ee658
SHA512: 83ef68c6b1a5c4f0a19a6a75c77194940a8dd6fb6e936a5a5baeb8dda3888aec315ed8d1861303179dc1e940af0198f81ee3255cd238fa49a9b52e3209304711

Filesize: 197KB
MD5: 94cc08fa8199f447355a32121a4dcbff
SHA1: 95c7b2c2192ab2dab8ac86b651aa9d2219edc42b
SHA256: 65f7ce1a48d3f44bc9c931c02c7d0dfccf7ff044b8baf4c6d98e4f62e416baaf
SHA512: c27286938ec5b54946b82976d6ffc07343ceaa2c88339e48c6e29bfb22ab2a98112ae1b7b17b5a5b6db5f63b8d3d82648d018ba636012040f95d4858471bf6d7

Filesize: 197KB
MD5: a9550d59ed1abe686f4462fb89ac90c8
SHA1: b5121504b2508612e16960c61d581fd6619b666b
SHA256: 91736213f7d7b6fe7be8a9a0441ee881e2d1618e7786ef755aed589012474d3d
SHA512: 98224248879f78c264fc07601969a8c63cd337e475098436929451ec9de2e2a347c03fed160ce779072892e88b44a49e6428badb7061c34560a9f23e421e94c0