Analysis
max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Size: 344KB
MD5: 808dd2fd506c4d92529be8ef0b673040
SHA1: 183ed54749759b2c0bd66ef19e1b7eeb5b87b8c7
SHA256: 572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce
SHA512: 93daf1fbf909e3967c6c9171ee2abdd699bb5a1a5dd1f24deaa6b3c273fef7c0f8b353e225d997f9d3553199104a7cfd72e7e962126eace0084d8d146a304f4b
SSDEEP: 3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000d000000012327-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000014230-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012327-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003100000001424e-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012327-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012327-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012327-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C9E3E-3466-43f5-A766-21779C09E6BB}\stubpath = "C:\\Windows\\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe" | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}\stubpath = "C:\\Windows\\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe" | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D626C78A-83E7-4151-A7F7-F46927379BAA} | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA} | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4DC051-A22E-4d62-9599-D6B570F049ED} | {5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2673D7-CF52-43e4-9206-A0E4816020D2}\stubpath = "C:\\Windows\\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe" | {CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A859487E-8325-454c-8E3D-93E4909EE838}\stubpath = "C:\\Windows\\{A859487E-8325-454c-8E3D-93E4909EE838}.exe" | {6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE55C28-3045-4ce9-88CF-3E56AD957577} | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE55C28-3045-4ce9-88CF-3E56AD957577}\stubpath = "C:\\Windows\\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe" | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96FBDB4A-BB6F-4376-8958-F3A0A8309044} | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17C9E3E-3466-43f5-A766-21779C09E6BB} | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}\stubpath = "C:\\Windows\\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe" | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FABF7C-1C11-4d8a-930B-088E024C05C7} | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}\stubpath = "C:\\Windows\\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe" | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}\stubpath = "C:\\Windows\\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe" | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4DC051-A22E-4d62-9599-D6B570F049ED}\stubpath = "C:\\Windows\\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe" | {5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A859487E-8325-454c-8E3D-93E4909EE838} | {6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}\stubpath = "C:\\Windows\\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe" | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0} | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203} | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D626C78A-83E7-4151-A7F7-F46927379BAA}\stubpath = "C:\\Windows\\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe" | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A2673D7-CF52-43e4-9206-A0E4816020D2} | {CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
Deletes itself (1 IoC)
pid | Process
2840 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
1060 | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
2644 | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
2700 | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
2476 | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
2792 | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
2412 | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
628 | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
2764 | {5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
1984 | {CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
1300 | {6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
488 | {A859487E-8325-454c-8E3D-93E4909EE838}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
File created | C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
File created | C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
File created | C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe | {5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
File created | C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe | {CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
File created | C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe | {6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
File created | C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
File created | C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
File created | C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
File created | C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
File created | C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1676 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1060 | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
Token: SeIncBasePriorityPrivilege | 2644 | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
Token: SeIncBasePriorityPrivilege | 2700 | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
Token: SeIncBasePriorityPrivilege | 2476 | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
Token: SeIncBasePriorityPrivilege | 2792 | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
Token: SeIncBasePriorityPrivilege | 2412 | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
Token: SeIncBasePriorityPrivilege | 628 | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
Token: SeIncBasePriorityPrivilege | 2764 | {5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
Token: SeIncBasePriorityPrivilege | 1984 | {CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
Token: SeIncBasePriorityPrivilege | 1300 | {6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the 16 distinct writes below was recorded four times, giving the 64 IoCs.
description | pid | Process | procid_target
PID 1676 wrote to memory of 1060 | 1676 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe | 28
PID 1676 wrote to memory of 2840 | 1676 | 2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe | 29
PID 1060 wrote to memory of 2644 | 1060 | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe | 30
PID 1060 wrote to memory of 2580 | 1060 | {E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe | 31
PID 2644 wrote to memory of 2700 | 2644 | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe | 32
PID 2644 wrote to memory of 2524 | 2644 | {8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe | 33
PID 2700 wrote to memory of 2476 | 2700 | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe | 36
PID 2700 wrote to memory of 3000 | 2700 | {96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe | 37
PID 2476 wrote to memory of 2792 | 2476 | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe | 38
PID 2476 wrote to memory of 2832 | 2476 | {7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe | 39
PID 2792 wrote to memory of 2412 | 2792 | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe | 40
PID 2792 wrote to memory of 1812 | 2792 | {7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe | 41
PID 2412 wrote to memory of 628 | 2412 | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe | 42
PID 2412 wrote to memory of 2400 | 2412 | {D626C78A-83E7-4151-A7F7-F46927379BAA}.exe | 43
PID 628 wrote to memory of 2764 | 628 | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe | 44
PID 628 wrote to memory of 1620 | 628 | {A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe | 45
Processes
(indented by process depth, levels 1 to 12)

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"
  PID: 1676
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
    Command line: C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
    PID: 1060
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
      Command line: C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
      PID: 2644
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
        Command line: C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
        PID: 2700
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
          Command line: C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
          PID: 2476
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
            Command line: C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
            PID: 2792
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
              Command line: C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
              PID: 2412
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              Level 8: C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
                Command line: C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
                PID: 628
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                Level 9: C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
                  Command line: C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
                  PID: 2764
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken

                  Level 10: C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
                    Command line: C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
                    PID: 1984
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken

                    Level 11: C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
                      Command line: C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
                      PID: 1300
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken

                      Level 12: C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe
                        Command line: C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe
                        PID: 488
                        - Executes dropped EXE

                      Level 12: C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6A267~1.EXE > nul
                        PID: 1484

                    Level 11: C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4DC~1.EXE > nul
                      PID: 2868

                  Level 10: C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCA0~1.EXE > nul
                    PID: 2080

                Level 9: C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FAB~1.EXE > nul
                  PID: 1620

              Level 8: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D626C~1.EXE > nul
                PID: 2400

            Level 7: C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFB3~1.EXE > nul
              PID: 1812

          Level 6: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7E16E~1.EXE > nul
            PID: 2832

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{96FBD~1.EXE > nul
          PID: 3000

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE55~1.EXE > nul
        PID: 2524

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E17C9~1.EXE > nul
      PID: 2580

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2840
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344KB
  MD5: 363e2e407bf57dd59447e1ae33b3a836
  SHA1: deaa3cfdefe08d73f38a936c1b55637507eed925
  SHA256: 2c703ef60f94637b846ae8921aafb9208de07c91c8302fc6f7c57ec6a387e491
  SHA512: df496568b31eb4ff0084eaac0684bfaa8eba604c2fb2d6ea280a63adf47f09637d3db4f3dddcf467646437ea2313369f55206763fa4be7f6b742e5e460a27bac
- Filesize: 344KB
  MD5: fe8e93d5d20f985fb5f16f80a49c243e
  SHA1: 5b8916d73e308173a0f6c1684a824874fca731de
  SHA256: ba4cd8bc6f56701ce8c144d68a062e28bd3f643806b9c6b15f7fc4799741e3db
  SHA512: 929d391b491d43fbb0ffd3816196daeebc53ff7259edfda2ba1f606f20caae588ac030ed2318c53447ea9f1cabbbb4dda14a9cae07c175416fb02f8263dc2ad6
- Filesize: 344KB
  MD5: 7f16f2a0e573d4459b713b57af5f7b44
  SHA1: df7ee56151ba777cc104e7f33b166c9d1a75155c
  SHA256: 7c2367a5393587117a004e53987bd66b4f203a7006230bfc8a791269a22e5af1
  SHA512: c9ef1af09a47e01be2773bb841726b40b923833500c35bf2a5bd5fe801e0c690da975a8a4ceb6184580652bac11a6670ad41bad28e5ab27cd045f6638c7d035b
- Filesize: 344KB
  MD5: 6115c3580dbd03d74c8fc9f463163a79
  SHA1: 69fbf3eb591ab7ae9ab4b13b2bec69ab60b859c1
  SHA256: 7a71fc736efb3b6b02a4ba4f5763b08732d669b3b695d7e4f4996581be6009dc
  SHA512: 9ce28142af4f32e9748fe748cbe28e9d9de9adda001604140b7e10804d34d11fc6959fe64636c5c58cdc6ed3c278e3095557ed90ca29e210bb622b451de53b4a
- Filesize: 344KB
  MD5: 6dc09cdcc1fa03cb3e0f6f254eb912d0
  SHA1: f58d9e6df97b18801fb392a4ed5be5fb505b9d2d
  SHA256: b5f6399ef9b28e31eab8b65889c1dda74a38d6869aca4b2540b589747aeda8e7
  SHA512: a1973841d6d46655bc06cbe00d3270d48048dd12581164393a7ae66e826584c4cd681177f0eeb7f5d68db5300c76f8978ff4c9d7ac42ce4b9edbd96d99c50380
- Filesize: 344KB
  MD5: cedd8fedfdfb9223d4d025e4c1fc7348
  SHA1: 8e87fafe5728c26fb920522760ff3ae011a18a02
  SHA256: 7e16afd2e326d12b1203de5b7e4119ec09e47bd2434022f5a542c61e9daa0386
  SHA512: 67b42c8bcb4318762fb43dcc427c9350866267836a3a3ee5037c779113d6c00df073bf33439094158dc5da7a809238ebaebdf31c1ef4fbf52dd934b7a42ad815
- Filesize: 344KB
  MD5: 1fe66a40bb5b7c04dd8436006fa699ef
  SHA1: 96ed928c25e0768abb4bd95980ca80fcfd1e69e1
  SHA256: 0b4c24d2cd1689bad939a3dd5c682b35ee365e3ec369e43e21f30ff83b6b0134
  SHA512: 5cc9a89b1f7ced1864af417229c87f766e714bcfe11069f75f5d6ef630d63fc7e167a51be1059722050ce1c1534c3bf249cf424517f2e8ea1b3b4329f093b2f1
- Filesize: 344KB
  MD5: 829c4e10ed1f24a033b7ba866f02e509
  SHA1: 742376d092681d37c59bab4155fafc5f8ee2a4b5
  SHA256: 20e9e34efd98d524041b19e72b064085942c621110f20ebedc16eb428fe1dc33
  SHA512: d0fdf0c00e40aa21703af6d8d4f445b95c02a0137f5514b83caa51f25e99ad0555a9f04f5ab79221ed52f97e7893457dbc8b777a1845c77d08388c0b47ebbec5
- Filesize: 344KB
  MD5: 39bcb74b065e99595b1d32fd84e851df
  SHA1: f1cfceeb949fc8e3ac04a0afb69c06b2d2158840
  SHA256: 866d4fee8040b07440bad146a45e82547c2a563ec6f60306403a4f11d217c8c9
  SHA512: 77eccc3d75b0abf81c8f814639c5e69d930d2ca632c9fae49c902ea1231ee02a182822b8f22bfe0a76ba4270de4257ed9ca25b1b13f9902d6b7ce94f11a58f9b
- Filesize: 344KB
  MD5: 3ef9c932a68298aab1cbe01299a1a4fd
  SHA1: ad6d195bcaf691b202cb0e49cdc179fe84de6033
  SHA256: 0e9ebf3b9822bca1ce2632b19db33b4fd413d80445c661d27dba6daca2c30c03
  SHA512: ad70bc8152b16492d08663bef11d286362156e1400147018f62b917b58957f216427db21b46f360fa98b4b9dccb0b2944c0564b1bbf6856a79654306e6127fae
- Filesize: 344KB
  MD5: 6df5ee1f39fc95475fa99ac9ab20d8e1
  SHA1: 0b6d285047a57279a62339a48f371f5caab846f0
  SHA256: c504c8118632e1c318b14ff163a25d2c18fc67b851bc84530a166c624ff1c977
  SHA512: 8294759a20c2585ef4baf4d94fd68402e97bdd75c2ea910a7d1100d9225b9d72522446883b873be74de5828ef46ae659566a3c393a1b0cf97d6f8e7b8b93c6ee