Analysis
- max time kernel: 149s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-02-2024 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe
- Resource: win10v2004-20240221-en
General
- Target: 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe
- Size: 197KB
- MD5: 5b7a334f254fb584e0ce8faa81c233bf
- SHA1: 2beeb5d3bd037985313a4171e59377a642ac6463
- SHA256: 42e08e90c2816f29ee731cd5acf3fb826aef24ae66a890ed20059567e830229d
- SHA512: d10ce77cbf21a8050266d257a5998acda5336bcaa060f1fbeae067ff7b9b5d8a816f62d7cb94934e8f270a310fa65a1d0cca0c96331fc07d0738661b4a6dbc73
- SSDEEP: 3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGXlEeKcAEca
Malware Config
Signatures
Auto-generated rule (12 IoCs)
Each entry gives the resource and the matching yara_rule:
- behavioral2/files/0x0007000000023206-2.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000023207-6.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000e00000002312f-8.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0009000000023207-14.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000f00000002312f-18.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a000000023207-22.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x001000000002312f-26.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000b000000023207-30.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x001100000002312f-35.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000c000000023207-38.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x001200000002312f-42.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000d000000023207-46.dat: GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\; each entry gives the description, the ioc and the process that performed it.
- Set value (str): {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}\stubpath = "C:\\Windows\\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe" (by {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe)
- Key created: {852A8DEE-5243-4c9a-AA4F-584A4080ABC8} (by {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe)
- Key created: {6262BA7C-96DE-4bd1-8B74-0897F49E71E9} (by {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe)
- Key created: {9FFC12FB-6B84-4fa4-98E4-73F1F0669675} (by {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe)
- Set value (str): {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}\stubpath = "C:\\Windows\\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe" (by {CE55F913-449A-4955-88EE-A33BB746F923}.exe)
- Key created: {19035EF6-5F68-4d78-A471-356791591846} (by {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe)
- Set value (str): {AEC17550-B42B-4dcb-97B6-F2E103618EA7}\stubpath = "C:\\Windows\\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe" (by {19035EF6-5F68-4d78-A471-356791591846}.exe)
- Key created: {B74CED50-ABFD-494e-9282-784D0A061099} (by {AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe)
- Set value (str): {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}\stubpath = "C:\\Windows\\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe" (by 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe)
- Set value (str): {38AFB09C-6FB9-44a9-970B-803761272B27}\stubpath = "C:\\Windows\\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe" (by {36295453-43CC-46c8-AEAF-513709D030DE}.exe)
- Set value (str): {19035EF6-5F68-4d78-A471-356791591846}\stubpath = "C:\\Windows\\{19035EF6-5F68-4d78-A471-356791591846}.exe" (by {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe)
- Key created: {AEC17550-B42B-4dcb-97B6-F2E103618EA7} (by {19035EF6-5F68-4d78-A471-356791591846}.exe)
- Key created: {36295453-43CC-46c8-AEAF-513709D030DE} (by {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe)
- Set value (str): {36295453-43CC-46c8-AEAF-513709D030DE}\stubpath = "C:\\Windows\\{36295453-43CC-46c8-AEAF-513709D030DE}.exe" (by {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe)
- Key created: {38AFB09C-6FB9-44a9-970B-803761272B27} (by {36295453-43CC-46c8-AEAF-513709D030DE}.exe)
- Key created: {CE55F913-449A-4955-88EE-A33BB746F923} (by {38AFB09C-6FB9-44a9-970B-803761272B27}.exe)
- Set value (str): {CE55F913-449A-4955-88EE-A33BB746F923}\stubpath = "C:\\Windows\\{CE55F913-449A-4955-88EE-A33BB746F923}.exe" (by {38AFB09C-6FB9-44a9-970B-803761272B27}.exe)
- Key created: {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A} (by {CE55F913-449A-4955-88EE-A33BB746F923}.exe)
- Key created: {69EEBEBC-F81D-4ab9-849F-495F8D1C5770} (by 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe)
- Set value (str): {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}\stubpath = "C:\\Windows\\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe" (by {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe)
- Set value (str): {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}\stubpath = "C:\\Windows\\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe" (by {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe)
- Set value (str): {B74CED50-ABFD-494e-9282-784D0A061099}\stubpath = "C:\\Windows\\{B74CED50-ABFD-494e-9282-784D0A061099}.exe" (by {AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe)
- Key created: {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB} (by {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe)
- Set value (str): {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}\stubpath = "C:\\Windows\\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe" (by {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe)
Executes dropped EXE (12 IoCs)
Each entry gives pid and Process:
- 4364: {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe
- 724: {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe
- 1444: {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe
- 2964: {36295453-43CC-46c8-AEAF-513709D030DE}.exe
- 2780: {38AFB09C-6FB9-44a9-970B-803761272B27}.exe
- 4716: {CE55F913-449A-4955-88EE-A33BB746F923}.exe
- 1152: {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe
- 3388: {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe
- 5040: {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe
- 2336: {19035EF6-5F68-4d78-A471-356791591846}.exe
- 2748: {AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe
- 1408: {B74CED50-ABFD-494e-9282-784D0A061099}.exe
Drops file in Windows directory (12 IoCs)
Each entry gives the description, the ioc and the process that created the file:
- File created: C:\Windows\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe (by {19035EF6-5F68-4d78-A471-356791591846}.exe)
- File created: C:\Windows\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe (by 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe)
- File created: C:\Windows\{36295453-43CC-46c8-AEAF-513709D030DE}.exe (by {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe)
- File created: C:\Windows\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe (by {CE55F913-449A-4955-88EE-A33BB746F923}.exe)
- File created: C:\Windows\{19035EF6-5F68-4d78-A471-356791591846}.exe (by {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe)
- File created: C:\Windows\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe (by {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe)
- File created: C:\Windows\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe (by {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe)
- File created: C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe (by {AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe)
- File created: C:\Windows\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe (by {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe)
- File created: C:\Windows\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe (by {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe)
- File created: C:\Windows\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe (by {36295453-43CC-46c8-AEAF-513709D030DE}.exe)
- File created: C:\Windows\{CE55F913-449A-4955-88EE-A33BB746F923}.exe (by {38AFB09C-6FB9-44a9-970B-803761272B27}.exe)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Every entry is Token: SeIncBasePriorityPrivilege; each line gives pid and Process:
- 1808: 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe
- 4364: {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe
- 724: {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe
- 1444: {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe
- 2964: {36295453-43CC-46c8-AEAF-513709D030DE}.exe
- 2780: {38AFB09C-6FB9-44a9-970B-803761272B27}.exe
- 4716: {CE55F913-449A-4955-88EE-A33BB746F923}.exe
- 1152: {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe
- 3388: {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe
- 5040: {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe
- 2336: {19035EF6-5F68-4d78-A471-356791591846}.exe
- 2748: {AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry gives the description, the pid, the Process and procid_target. The report lists each event three times (except the last, listed once); the verbatim repeats are collapsed here and the count shown in brackets, 21 × 3 + 1 = 64.
- PID 1808 wrote to memory of 4364 | 1808 | 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe | 91 [×3]
- PID 1808 wrote to memory of 4988 | 1808 | 2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe | 92 [×3]
- PID 4364 wrote to memory of 724 | 4364 | {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe | 93 [×3]
- PID 4364 wrote to memory of 1708 | 4364 | {69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe | 94 [×3]
- PID 724 wrote to memory of 1444 | 724 | {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe | 99 [×3]
- PID 724 wrote to memory of 316 | 724 | {6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe | 98 [×3]
- PID 1444 wrote to memory of 2964 | 1444 | {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe | 100 [×3]
- PID 1444 wrote to memory of 2416 | 1444 | {9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe | 101 [×3]
- PID 2964 wrote to memory of 2780 | 2964 | {36295453-43CC-46c8-AEAF-513709D030DE}.exe | 102 [×3]
- PID 2964 wrote to memory of 4392 | 2964 | {36295453-43CC-46c8-AEAF-513709D030DE}.exe | 103 [×3]
- PID 2780 wrote to memory of 4716 | 2780 | {38AFB09C-6FB9-44a9-970B-803761272B27}.exe | 104 [×3]
- PID 2780 wrote to memory of 1068 | 2780 | {38AFB09C-6FB9-44a9-970B-803761272B27}.exe | 105 [×3]
- PID 4716 wrote to memory of 1152 | 4716 | {CE55F913-449A-4955-88EE-A33BB746F923}.exe | 106 [×3]
- PID 4716 wrote to memory of 4972 | 4716 | {CE55F913-449A-4955-88EE-A33BB746F923}.exe | 107 [×3]
- PID 1152 wrote to memory of 3388 | 1152 | {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe | 108 [×3]
- PID 1152 wrote to memory of 4304 | 1152 | {4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe | 109 [×3]
- PID 3388 wrote to memory of 5040 | 3388 | {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe | 110 [×3]
- PID 3388 wrote to memory of 4880 | 3388 | {5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe | 111 [×3]
- PID 5040 wrote to memory of 2336 | 5040 | {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe | 112 [×3]
- PID 5040 wrote to memory of 2892 | 5040 | {852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe | 113 [×3]
- PID 2336 wrote to memory of 2748 | 2336 | {19035EF6-5F68-4d78-A471-356791591846}.exe | 114 [×3]
- PID 2336 wrote to memory of 2824 | 2336 | {19035EF6-5F68-4d78-A471-356791591846}.exe | 115 [×1]
Processes
Process tree; nesting shows parent/child relationship, each node gives the command line (and the image path where it differs), the PID and the signatures that fired for that process.
- "C:\Users\Admin\AppData\Local\Temp\2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe" (PID 1808)
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe (PID 4364)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe (PID 724)
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe /c del C:\Windows\{6262B~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 316)
      - C:\Windows\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe (PID 1444)
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\{36295453-43CC-46c8-AEAF-513709D030DE}.exe (PID 2964)
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe (PID 2780)
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\{CE55F913-449A-4955-88EE-A33BB746F923}.exe (PID 4716)
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Windows\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe (PID 1152)
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - C:\Windows\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe (PID 3388)
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - C:\Windows\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe (PID 5040)
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    - C:\Windows\{19035EF6-5F68-4d78-A471-356791591846}.exe (PID 2336)
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      - C:\Windows\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe (PID 2748)
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe (PID 1408)
                          - Executes dropped EXE
                        - C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC17~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 908)
                      - C:\Windows\system32\cmd.exe /c del C:\Windows\{19035~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 2824)
                    - C:\Windows\system32\cmd.exe /c del C:\Windows\{852A8~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 2892)
                  - C:\Windows\system32\cmd.exe /c del C:\Windows\{5BAED~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 4880)
                - C:\Windows\system32\cmd.exe /c del C:\Windows\{4F3AF~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 4304)
              - C:\Windows\system32\cmd.exe /c del C:\Windows\{CE55F~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 4972)
            - C:\Windows\system32\cmd.exe /c del C:\Windows\{38AFB~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 1068)
          - C:\Windows\system32\cmd.exe /c del C:\Windows\{36295~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 4392)
        - C:\Windows\system32\cmd.exe /c del C:\Windows\{9FFC1~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 2416)
    - C:\Windows\system32\cmd.exe /c del C:\Windows\{69EEB~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 1708)
  - C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul (image C:\Windows\SysWOW64\cmd.exe, PID 4988)
Network
MITRE ATT&CK Enterprise v15
Downloads