Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Resource
win10v2004-20240226-en
General
Target: 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Size: 204KB
MD5: 1f57b3b2e0426da9841dcf20c031e1cd
SHA1: a98d6c1eaa825a4321d01c66ab5df496002effb5
SHA256: 73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5
SHA512: dee901fd35c0aaba529b039fd744e90068bc6111dd9f1fc6760572a4abce07a8a9a0b347ff38441248139acb41970813f2805cc21a45ac0db5c7846bec8adee8
SSDEEP: 1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x000800000002324a-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002324b-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023253-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023121-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023253-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023121-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023253-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023253-32.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023121-37.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324f-41.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023121-44.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDD9A4-2E61-4951-83D4-A6221473DE44}\stubpath = "C:\\Windows\\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe" | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83C4698-91C2-4a39-8475-D5889B245D6D} | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83C4698-91C2-4a39-8475-D5889B245D6D}\stubpath = "C:\\Windows\\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe" | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B53402-B2A7-443c-94D9-9A9EF433B625} | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546A100-6D1E-4539-95B4-7D9630D41E13} | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C546A100-6D1E-4539-95B4-7D9630D41E13}\stubpath = "C:\\Windows\\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe" | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}\stubpath = "C:\\Windows\\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe" | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}\stubpath = "C:\\Windows\\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe" | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}\stubpath = "C:\\Windows\\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe" | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22468F8-2413-45e5-BBEF-083E79560F7C} | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}\stubpath = "C:\\Windows\\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe" | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FDD9A4-2E61-4951-83D4-A6221473DE44} | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B53402-B2A7-443c-94D9-9A9EF433B625}\stubpath = "C:\\Windows\\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe" | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844AF8B5-67E9-4b60-B862-D0132AB79617}\stubpath = "C:\\Windows\\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe" | {C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB} | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0} | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0948C779-DDDD-4b8b-A74D-73DCF1171F57} | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22468F8-2413-45e5-BBEF-083E79560F7C}\stubpath = "C:\\Windows\\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe" | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C13666-E42E-4851-9D5C-A2B21AD239BF} | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E} | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{844AF8B5-67E9-4b60-B862-D0132AB79617} | {C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C13666-E42E-4851-9D5C-A2B21AD239BF}\stubpath = "C:\\Windows\\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe" | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}\stubpath = "C:\\Windows\\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe" | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1} | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
Executes dropped EXE 11 IoCs
pid | Process
2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
1660 | {C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
1184 | {0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
File created | C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
File created | C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
File created | C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
File created | C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
File created | C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
File created | C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
File created | C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
File created | C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
File created | C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
File created | C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
Token: SeIncBasePriorityPrivilege | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
Token: SeIncBasePriorityPrivilege | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
Token: SeIncBasePriorityPrivilege | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
Token: SeIncBasePriorityPrivilege | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
Token: SeIncBasePriorityPrivilege | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
Token: SeIncBasePriorityPrivilege | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
Token: SeIncBasePriorityPrivilege | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
Token: SeIncBasePriorityPrivilege | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
Token: SeIncBasePriorityPrivilege | 2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4464 wrote to memory of 2608 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 90
PID 4464 wrote to memory of 2608 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 90
PID 4464 wrote to memory of 2608 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 90
PID 4464 wrote to memory of 2064 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 91
PID 4464 wrote to memory of 2064 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 91
PID 4464 wrote to memory of 2064 | 4464 | 2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe | 91
PID 2608 wrote to memory of 3908 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 92
PID 2608 wrote to memory of 3908 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 92
PID 2608 wrote to memory of 3908 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 92
PID 2608 wrote to memory of 3960 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 93
PID 2608 wrote to memory of 3960 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 93
PID 2608 wrote to memory of 3960 | 2608 | {F22468F8-2413-45e5-BBEF-083E79560F7C}.exe | 93
PID 3908 wrote to memory of 3952 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 96
PID 3908 wrote to memory of 3952 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 96
PID 3908 wrote to memory of 3952 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 96
PID 3908 wrote to memory of 1044 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 97
PID 3908 wrote to memory of 1044 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 97
PID 3908 wrote to memory of 1044 | 3908 | {02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe | 97
PID 3952 wrote to memory of 3248 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 100
PID 3952 wrote to memory of 3248 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 100
PID 3952 wrote to memory of 3248 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 100
PID 3952 wrote to memory of 4052 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 101
PID 3952 wrote to memory of 4052 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 101
PID 3952 wrote to memory of 4052 | 3952 | {F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe | 101
PID 3248 wrote to memory of 4896 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 102
PID 3248 wrote to memory of 4896 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 102
PID 3248 wrote to memory of 4896 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 102
PID 3248 wrote to memory of 4424 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 103
PID 3248 wrote to memory of 4424 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 103
PID 3248 wrote to memory of 4424 | 3248 | {60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe | 103
PID 4896 wrote to memory of 2740 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 104
PID 4896 wrote to memory of 2740 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 104
PID 4896 wrote to memory of 2740 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 104
PID 4896 wrote to memory of 4000 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 105
PID 4896 wrote to memory of 4000 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 105
PID 4896 wrote to memory of 4000 | 4896 | {C83C4698-91C2-4a39-8475-D5889B245D6D}.exe | 105
PID 2740 wrote to memory of 1660 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 106
PID 2740 wrote to memory of 1660 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 106
PID 2740 wrote to memory of 1660 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 106
PID 2740 wrote to memory of 4276 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 107
PID 2740 wrote to memory of 4276 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 107
PID 2740 wrote to memory of 4276 | 2740 | {60B53402-B2A7-443c-94D9-9A9EF433B625}.exe | 107
PID 4864 wrote to memory of 768 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 110
PID 4864 wrote to memory of 768 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 110
PID 4864 wrote to memory of 768 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 110
PID 4864 wrote to memory of 2364 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 111
PID 4864 wrote to memory of 2364 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 111
PID 4864 wrote to memory of 2364 | 4864 | {844AF8B5-67E9-4b60-B862-D0132AB79617}.exe | 111
PID 768 wrote to memory of 2280 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 112
PID 768 wrote to memory of 2280 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 112
PID 768 wrote to memory of 2280 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 112
PID 768 wrote to memory of 4824 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 113
PID 768 wrote to memory of 4824 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 113
PID 768 wrote to memory of 4824 | 768 | {06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe | 113
PID 2280 wrote to memory of 2816 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 114
PID 2280 wrote to memory of 2816 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 114
PID 2280 wrote to memory of 2816 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 114
PID 2280 wrote to memory of 2532 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 115
PID 2280 wrote to memory of 2532 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 115
PID 2280 wrote to memory of 2532 | 2280 | {A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe | 115
PID 2816 wrote to memory of 1184 | 2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe | 116
PID 2816 wrote to memory of 1184 | 2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe | 116
PID 2816 wrote to memory of 1184 | 2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe | 116
PID 2816 wrote to memory of 2192 | 2816 | {922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe | 117
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4464
Depth 2: C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
  Command line: C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2608
Depth 3: C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
  Command line: C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3908
Depth 4: C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
  Command line: C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3952
Depth 5: C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
  Command line: C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3248
Depth 6: C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
  Command line: C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4896
Depth 7: C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
  Command line: C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2740
Depth 8: C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
  Command line: C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  PID: 1660
Depth 9: C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
  Command line: C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4864
Depth 10: C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
  Command line: C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 768
Depth 11: C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
  Command line: C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2280
Depth 12: C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
  Command line: C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2816
Depth 13: C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
  Command line: C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
  - Executes dropped EXE
  PID: 1184
Depth 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{922BD~1.EXE > nul
  PID: 2192
Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A705C~1.EXE > nul
  PID: 2532
Depth 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{06E78~1.EXE > nul
  PID: 4824
Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{844AF~1.EXE > nul
  PID: 2364
Depth 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C546A~1.EXE > nul
  PID: 1888
Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{60B53~1.EXE > nul
  PID: 4276
Depth 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C83C4~1.EXE > nul
  PID: 4000
Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{60FDD~1.EXE > nul
  PID: 4424
Depth 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F01C5~1.EXE > nul
  PID: 4052
Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{02C13~1.EXE > nul
  PID: 1044
Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F2246~1.EXE > nul
  PID: 3960
Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 2064
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204KB
MD5 a00470546208979fbef9de90c66ee2e7
SHA1 6a551484118040a05cd48dab14a3461346eff7d9
SHA256 790af07a96a255f1b008b07857be199d5bd6a1b81e22ae27d5fa92d84be554c2
SHA512 ec66304e79dddaa9d1cb5dcdd1538414c799915d53b488fadf933f677ad06c6e41b484403ef23777cf6f27454571fb312803bdcb8b5ed854ecbf6ec369f85207
-
Filesize
204KB
MD5 b580fef4b3f0694af11dafe7d420ca32
SHA1 3d5c003f97c3fdf195a04e9fa1ae5e3ee942e842
SHA256 72d0ed1fc33354930117e354700f1fcc6dcf061686c6b747233bae08718d1032
SHA512 8a4f0043bb892cd9b4f77a27778aa5eedcb429b785ff6b0366d23c97f79ea081bf400eb63803803cfeff5bb7e124dfd7e6222216cf84b2b157e88c9dac205177
-
Filesize
204KB
MD5 fd4aaef922b7bbbce0f98f0d21892f93
SHA1 795e470ade6ffd2bccf39deaf95f1a3f9af4e504
SHA256 ad508dad33e8f018a69448d1012f703c64e7098d5b2e306d894b8c50142fb523
SHA512 45d9647ccb364c8c0c29369fbe24928e0d2ae4514c3d76a876e0c6ffa86d5f731e605834bb831e66c33364bd0a217f03ab2c47eb8e4176fac4c0bd60769ff6bf
-
Filesize
204KB
MD5 9d53619cd30fa43882b647c0e414d2b0
SHA1 892174098883a3924f2b6fc102554140b4fe07d7
SHA256 fd6f36ab2cd315e1bf19a8a27e93c3212c5ae4915677010dbfffa1100b22ef68
SHA512 d955b90b7db5b19737554dd36868e9109303ad84d2d8a3247900ecb8fc7538605afc49d0f2499dc3c2cb7077bb9bd30de85d9a30a01e4b8e2a5a76ea3f177a3f
-
Filesize
204KB
MD5 90daba52049b932a0bee2a6c4a99b529
SHA1 13a41c1ef35a88a5cd7c35881fa68eb3b4c10e6d
SHA256 961de6077251df4dc460ba85f917d8f68888ec903d86bac0b8eb33e161b4eea0
SHA512 e1a4854c123cb56ee3b695b0e806741a77a02196c833313926644115cf8ee44a6ccc4651883373ebbe2d4c796ac9cc6528a4f45fed1c6a36f373bbb05de72cf5
-
Filesize
204KB
MD5 9ac1b1ebc8269f440e033d83c7456314
SHA1 bdb6a44dd3d735561c853a9c6f2e5d35b522ad79
SHA256 34fc1b6388aa77487462d8af99772aaff3b04089cba3480d97e941e323eae623
SHA512 008ec4d50ab8137389a3b6618851401b5a8873d1ad36e3fd690e2ad4c283fd90d990138a5d1959725370b3d81dff32064afcdf17220a7bda9979dc0e67dcd989
-
Filesize
204KB
MD5 132db0dd058db563b45cc32b07385940
SHA1 e3a31c642306be6bc5defb4793b8173cc4abb1d2
SHA256 4839377d0b71c92936a9dd32c84abb6558ae582de41c5c668e7137c837bdaac9
SHA512 7ee5724e8d200cbb16550b32d0b34c671d7fb59d04dda72279e289c316a166b8f5dbc157bc1229ad7868dc1d853b0b2d8ecf101b744d9157fead2286dc57d427
-
Filesize
204KB
MD5 f38d5d6e495123ab90dcea1c9396cd5d
SHA1 fb94c4cdfc82418cb5f66d9dbcc37a30f828d625
SHA256 5548f22f61c39454860189d9fa29037aebb5bcaa9e79f06e6b1cec4353a4514e
SHA512 9b08442243e4139fd7f5d745fca1ae1dc6f95f4debed2a556102019f96f443a3af6c777a93ec5313541c71f44a64d8ade91ac597841f9ca5a93521e273dc990b
-
Filesize
204KB
MD5 08ce0da54c7a22c30affef5319fb0a57
SHA1 2257aff90e9691a3a1e651ab6cadaef38afc592d
SHA256 1a0200d31a27dd94891f04ad20aa9992cb8231ec8b81cb7ce15347a9dd4e908a
SHA512 84860e47798499ddd540f652d79103558ebc2ea12edffd4eee6a8eefb1c0457ebebc678f10f0d3c318808ab458a900bdf3fedc9e50646fb8eee5bdc16411ac1e
-
Filesize
204KB
MD5 1eb1efa41a1f8a74ab5202983fafd400
SHA1 1f97fb40f8b9031e5a88aacdbf429eecbf7f2122
SHA256 31bdd84953cfd5a162d330ce1cfe21f5aacbe239dc665139d519cd2362d06877
SHA512 d6ca79ee320b6b5e53ea4db2e70574a31ca9d0478a345397b35f4db75cd9cd4b49785c9333714a4027939f6ce82bdec77b6bd13953d2441f052255f83c1788ec
-
Filesize
204KB
MD5 ab4f5f4702d7d1e8256056a0a436e4b2
SHA1 1b6ee746c13a4af8c6ad9335411d57e756335cb9
SHA256 a0f02b6efb02183ae16d34882417cfa7d62c54b3fcf11a4a16486a5904fecbd2
SHA512 77a7dee410e595a2859786a19987baab9a66cadd9c83c537b1de25e6cb690dfe5284f11ff0842e33f06a4ee822d18a9242c62c316f1496eb7044a2b0f28b063b