Analysis
max time kernel: 149s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02/03/2024, 23:22

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
Size: 197KB
MD5: 0da03db861609ce5d2f7075059c41f71
SHA1: 11001db7b0c0a83612e91587aa621e17ab36b309
SHA256: 4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e
SHA512: 718cbda8488a15c19a4cb21b2c5666c639e662c88fac4a081c14b6cc95e64f6190aee42e70f273f6d38183fc90eb03c3897b887b5f35f0cbbea46b59182832ac
SSDEEP: 3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGflEeKcAEca
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000800000002320a-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023203-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023212-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016923-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023212-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016923-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023212-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016923-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023212-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016923-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320f-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016923-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}\stubpath = "C:\\Windows\\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe" | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}\stubpath = "C:\\Windows\\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe" | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AACE733-D40F-4085-AD76-84BE7353859B} | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}\stubpath = "C:\\Windows\\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe" | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}\stubpath = "C:\\Windows\\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe" | {99D4680D-BA9C-4c80-9504-646A16104998}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DFF0C2-A810-4199-B651-C8391022BF19} | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074DBE8F-4E21-49e1-A330-499557A09302}\stubpath = "C:\\Windows\\{074DBE8F-4E21-49e1-A330-499557A09302}.exe" | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD} | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}\stubpath = "C:\\Windows\\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe" | {BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D4680D-BA9C-4c80-9504-646A16104998}\stubpath = "C:\\Windows\\{99D4680D-BA9C-4c80-9504-646A16104998}.exe" | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08} | {99D4680D-BA9C-4c80-9504-646A16104998}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC52356C-CC8D-4231-9255-CA0691BBD852}\stubpath = "C:\\Windows\\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe" | {074DBE8F-4E21-49e1-A330-499557A09302}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DFD35C-6FEA-4e42-8376-B394404B1AD7} | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0} | {BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4DFF0C2-A810-4199-B651-C8391022BF19}\stubpath = "C:\\Windows\\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe" | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074DBE8F-4E21-49e1-A330-499557A09302} | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D4680D-BA9C-4c80-9504-646A16104998} | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5} | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC52356C-CC8D-4231-9255-CA0691BBD852} | {074DBE8F-4E21-49e1-A330-499557A09302}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}\stubpath = "C:\\Windows\\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe" | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213} | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}\stubpath = "C:\\Windows\\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe" | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AACE733-D40F-4085-AD76-84BE7353859B}\stubpath = "C:\\Windows\\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe" | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBD5B11-1C4B-487f-801C-1DE109ADB838} | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe
Executes dropped EXE (12 IoCs)
pid | Process
1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe
2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe
5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe
4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
4308 | {BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
2988 | {92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
File created | C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
File created | C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
File created | C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
File created | C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
File created | C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe
File created | C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
File created | C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
File created | C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | {99D4680D-BA9C-4c80-9504-646A16104998}.exe
File created | C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
File created | C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | {074DBE8F-4E21-49e1-A330-499557A09302}.exe
File created | C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe | {BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe
Token: SeIncBasePriorityPrivilege | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
Token: SeIncBasePriorityPrivilege | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe
Token: SeIncBasePriorityPrivilege | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
Token: SeIncBasePriorityPrivilege | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
Token: SeIncBasePriorityPrivilege | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
Token: SeIncBasePriorityPrivilege | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe
Token: SeIncBasePriorityPrivilege | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
Token: SeIncBasePriorityPrivilege | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
Token: SeIncBasePriorityPrivilege | 2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
Token: SeIncBasePriorityPrivilege | 4308 | {BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1064 wrote to memory of 1112 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 93
PID 1064 wrote to memory of 1112 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 93
PID 1064 wrote to memory of 1112 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 93
PID 1064 wrote to memory of 1004 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 94
PID 1064 wrote to memory of 1004 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 94
PID 1064 wrote to memory of 1004 | 1064 | 2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe | 94
PID 1112 wrote to memory of 2120 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 95
PID 1112 wrote to memory of 2120 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 95
PID 1112 wrote to memory of 2120 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 95
PID 1112 wrote to memory of 552 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 96
PID 1112 wrote to memory of 552 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 96
PID 1112 wrote to memory of 552 | 1112 | {9AACE733-D40F-4085-AD76-84BE7353859B}.exe | 96
PID 2120 wrote to memory of 4380 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 99
PID 2120 wrote to memory of 4380 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 99
PID 2120 wrote to memory of 4380 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 99
PID 2120 wrote to memory of 5068 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 100
PID 2120 wrote to memory of 5068 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 100
PID 2120 wrote to memory of 5068 | 2120 | {EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe | 100
PID 4380 wrote to memory of 5012 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 103
PID 4380 wrote to memory of 5012 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 103
PID 4380 wrote to memory of 5012 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 103
PID 4380 wrote to memory of 3504 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 104
PID 4380 wrote to memory of 3504 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 104
PID 4380 wrote to memory of 3504 | 4380 | {99D4680D-BA9C-4c80-9504-646A16104998}.exe | 104
PID 5012 wrote to memory of 2480 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 105
PID 5012 wrote to memory of 2480 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 105
PID 5012 wrote to memory of 2480 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 105
PID 5012 wrote to memory of 3512 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 106
PID 5012 wrote to memory of 3512 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 106
PID 5012 wrote to memory of 3512 | 5012 | {C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe | 106
PID 2480 wrote to memory of 968 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 107
PID 2480 wrote to memory of 968 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 107
PID 2480 wrote to memory of 968 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 107
PID 2480 wrote to memory of 1600 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 108
PID 2480 wrote to memory of 1600 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 108
PID 2480 wrote to memory of 1600 | 2480 | {D4DFF0C2-A810-4199-B651-C8391022BF19}.exe | 108
PID 968 wrote to memory of 2484 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 109
PID 968 wrote to memory of 2484 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 109
PID 968 wrote to memory of 2484 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 109
PID 968 wrote to memory of 3004 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 110
PID 968 wrote to memory of 3004 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 110
PID 968 wrote to memory of 3004 | 968 | {B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe | 110
PID 2484 wrote to memory of 4724 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 111
PID 2484 wrote to memory of 4724 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 111
PID 2484 wrote to memory of 4724 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 111
PID 2484 wrote to memory of 432 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 112
PID 2484 wrote to memory of 432 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 112
PID 2484 wrote to memory of 432 | 2484 | {074DBE8F-4E21-49e1-A330-499557A09302}.exe | 112
PID 4724 wrote to memory of 2468 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 113
PID 4724 wrote to memory of 2468 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 113
PID 4724 wrote to memory of 2468 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 113
PID 4724 wrote to memory of 5032 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 114
PID 4724 wrote to memory of 5032 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 114
PID 4724 wrote to memory of 5032 | 4724 | {AC52356C-CC8D-4231-9255-CA0691BBD852}.exe | 114
PID 2468 wrote to memory of 2320 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 115
PID 2468 wrote to memory of 2320 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 115
PID 2468 wrote to memory of 2320 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 115
PID 2468 wrote to memory of 2712 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 116
PID 2468 wrote to memory of 2712 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 116
PID 2468 wrote to memory of 2712 | 2468 | {4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe | 116
PID 2320 wrote to memory of 4308 | 2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe | 117
PID 2320 wrote to memory of 4308 | 2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe | 117
PID 2320 wrote to memory of 4308 | 2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe | 117
PID 2320 wrote to memory of 1376 | 2320 | {53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe | 118
Processes
(process tree; the bracketed number is the nesting level, each entry lists path, command line, PID and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe (PID 1064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe (PID 1112)
      Command line: C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe (PID 2120)
        Command line: C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe (PID 4380)
          Command line: C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe (PID 5012)
            Command line: C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe (PID 2480)
              Command line: C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe (PID 968)
                Command line: C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe (PID 2484)
                  Command line: C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe (PID 4724)
                    Command line: C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe (PID 2468)
                      Command line: C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe (PID 2320)
                        Command line: C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe (PID 4308)
                          Command line: C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe (PID 2988)
                            Command line: C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
                            - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe (PID 4808)
                            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A4~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 1376)
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53DFD~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2712)
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0DB~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 5032)
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AC523~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 432)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{074DB~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 3004)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B809E~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1600)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DFF~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3512)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C53BB~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 3504)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{99D46~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 5068)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBD5~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 552)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9AACE~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1004)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads