Analysis

max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 16:45

Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Resource: win10v2004-20240226-en

General

Target: 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Size: 197KB
MD5: 43198fa1c0eff6a701988f839ed3aea5
SHA1: 6e6f835d17aae182ac0e3e06d0177ec0193fc4d4
SHA256: 818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8
SHA512: e1b4c4473010928aafb3f8082e5259e218ad66b1178a528a15ef1c9e1fadf0a9e4805b44ee02a46347954fdae3f36f2519ef3c4de41e66d8d2f4d079d455803b
SSDEEP: 3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGslEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023209-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ff-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000230fa-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023119-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000230fa-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023119-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000230fa-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230ef-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000230fa-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230ef-37.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000230fa-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}\stubpath = "C:\\Windows\\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe" | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C}\stubpath = "C:\\Windows\\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe" | {080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C} | {E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803} | {A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3} | {5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}\stubpath = "C:\\Windows\\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe" | {5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}\stubpath = "C:\\Windows\\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe" | {B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8} | {2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}\stubpath = "C:\\Windows\\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe" | {C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1789309-A042-4e75-A122-FE7D8CF7793C} | {080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}\stubpath = "C:\\Windows\\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe" | {E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6} | {2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}\stubpath = "C:\\Windows\\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe" | {2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA} | {B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8} | {8550E314-E587-465b-8CA1-259E76846DE8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}\stubpath = "C:\\Windows\\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe" | {D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}\stubpath = "C:\\Windows\\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe" | {A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9} | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8550E314-E587-465b-8CA1-259E76846DE8}\stubpath = "C:\\Windows\\{8550E314-E587-465b-8CA1-259E76846DE8}.exe" | {2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D630C050-8602-4fb0-9220-CD1AC33254B8}\stubpath = "C:\\Windows\\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe" | {8550E314-E587-465b-8CA1-259E76846DE8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080C1650-6AFA-495d-8A4C-D70BC3A676E3} | {D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24} | {C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
Executes dropped EXE (11 IoCs)
pid | Process
1848 | {2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
4672 | {5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
1624 | {B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
4172 | {2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
3596 | {8550E314-E587-465b-8CA1-259E76846DE8}.exe
1904 | {D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
5024 | {080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
2600 | {E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
3188 | {C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
3276 | {A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
2188 | {CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe | {B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
File created | C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe | {2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
File created | C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe | {D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
File created | C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe | {C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
File created | C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe | {A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
File created | C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
File created | C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe | {5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
File created | C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe | {8550E314-E587-465b-8CA1-259E76846DE8}.exe
File created | C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe | {080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
File created | C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe | {E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
File created | C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe | {2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4444 | 2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1848 | {2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
Token: SeIncBasePriorityPrivilege | 4672 | {5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
Token: SeIncBasePriorityPrivilege | 1624 | {B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
Token: SeIncBasePriorityPrivilege | 4172 | {2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
Token: SeIncBasePriorityPrivilege | 3596 | {8550E314-E587-465b-8CA1-259E76846DE8}.exe
Token: SeIncBasePriorityPrivilege | 1904 | {D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
Token: SeIncBasePriorityPrivilege | 5024 | {080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
Token: SeIncBasePriorityPrivilege | 2600 | {E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
Token: SeIncBasePriorityPrivilege | 3188 | {C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
Token: SeIncBasePriorityPrivilege | 3276 | {A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4444
  [2] C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
      Command line: C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1848
    [3] C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
        Command line: C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:4672
      [4] C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
          Command line: C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:1624
        [5] C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
            Command line: C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:4172
          [6] C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
              Command line: C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID:3596
            [7] C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
                Command line: C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID:1904
              [8] C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
                  Command line: C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID:5024
                [9] C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
                    Command line: C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID:2600
                  [10] C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
                       Command line: C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                       PID:3188
                    [11] C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
                         Command line: C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                         - Suspicious use of WriteProcessMemory
                         PID:3276
                      [12] C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
                           Command line: C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
                           - Executes dropped EXE
                           PID:2188
                      [12] C:\Windows\SysWOW64\cmd.exe
                           Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A2771~1.EXE > nul
                           PID:976
                    [11] C:\Windows\SysWOW64\cmd.exe
                         Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E33~1.EXE > nul
                         PID:3728
                  [10] C:\Windows\SysWOW64\cmd.exe
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1789~1.EXE > nul
                       PID:2724
                [9] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{080C1~1.EXE > nul
                    PID:1632
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D630C~1.EXE > nul
                  PID:3868
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8550E~1.EXE > nul
                PID:3344
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B97A~1.EXE > nul
              PID:728
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B619F~1.EXE > nul
            PID:968
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5C226~1.EXE > nul
          PID:2732
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2519E~1.EXE > nul
        PID:756
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID:3872
Network
MITRE ATT&CK Enterprise v15
Downloads