Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 04/04/2024, 13:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the run reported below)
  Sample: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Size: 204KB
MD5: 1116de28e782e197373277782dff7273
SHA1: f31cbededbc7ad1476d0e3e7642708139e64cc53
SHA256: 361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f
SHA512: e5ea98079f6e1066c24e16fa0489e1a4a0ba9f960006170cbbb841499112c68f895eb6e54766d9e6c280ecdfc35b1bf18e88935cb38d3e9ab774fd16252603ce
SSDEEP: 1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002321e-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023222-5.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023229-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023222-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021524-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021526-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021524-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000037-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000037-37.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the 32-bit view, since the sample runs under WOW64). Each stage creates a key named after the executable it drops and sets that key's stubpath to the dropped file in C:\Windows, so Active Setup will launch the dropped stage at the next user logon even if the process chain is killed. Twelve "Key created" plus twelve "Set value" entries cover the twelve dropped stages.
description | ioc | Process
Set value (str) | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}\stubpath = "C:\\Windows\\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe" | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
Set value (str) | {43A2F3DE-42A3-4911-84A3-A54634326D81}\stubpath = "C:\\Windows\\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe" | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
Set value (str) | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}\stubpath = "C:\\Windows\\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe" | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
Key created | {43A2F3DE-42A3-4911-84A3-A54634326D81} | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
Key created | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE} | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
Key created | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE} | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
Set value (str) | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}\stubpath = "C:\\Windows\\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe" | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
Key created | {21A848BC-2053-492b-998A-52E0BB9042C5} | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
Set value (str) | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}\stubpath = "C:\\Windows\\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe" | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Set value (str) | {98564B2F-D937-4fcc-AD6C-E6034689A485}\stubpath = "C:\\Windows\\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe" | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
Set value (str) | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}\stubpath = "C:\\Windows\\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe" | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
Key created | {98564B2F-D937-4fcc-AD6C-E6034689A485} | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
Key created | {99A384EB-6FF3-45a9-BBD5-72302FD8018D} | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
Set value (str) | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}\stubpath = "C:\\Windows\\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe" | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
Set value (str) | {52E86B7C-CC15-40dc-8CE4-2571D7897254}\stubpath = "C:\\Windows\\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe" | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
Key created | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49} | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
Key created | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9} | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Key created | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44} | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
Key created | {718814DB-6EF3-468b-A50B-C828095FA8BF} | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
Set value (str) | {718814DB-6EF3-468b-A50B-C828095FA8BF}\stubpath = "C:\\Windows\\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe" | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
Key created | {52E86B7C-CC15-40dc-8CE4-2571D7897254} | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
Set value (str) | {21A848BC-2053-492b-998A-52E0BB9042C5}\stubpath = "C:\\Windows\\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe" | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
Set value (str) | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}\stubpath = "C:\\Windows\\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe" | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
Key created | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6} | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3540 | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
1440 | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
404 | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
1844 | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
456 | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
1596 | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
212 | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
3800 | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
920 | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
2512 | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
3196 | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
1680 | {21A848BC-2053-492b-998A-52E0BB9042C5}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
File created | C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
File created | C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
File created | C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
File created | C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
File created | C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
File created | C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
File created | C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
File created | C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
File created | C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
File created | C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
File created | C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Every entry enables the same privilege, SeIncBasePriorityPrivilege.
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2364 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3540 | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
Token: SeIncBasePriorityPrivilege | 1440 | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
Token: SeIncBasePriorityPrivilege | 404 | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
Token: SeIncBasePriorityPrivilege | 1844 | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
Token: SeIncBasePriorityPrivilege | 456 | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
Token: SeIncBasePriorityPrivilege | 1596 | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
Token: SeIncBasePriorityPrivilege | 212 | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
Token: SeIncBasePriorityPrivilege | 3800 | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
Token: SeIncBasePriorityPrivilege | 920 | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
Token: SeIncBasePriorityPrivilege | 2512 | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
Token: SeIncBasePriorityPrivilege | 3196 | {5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent writes into two children: the next stage it dropped and the cmd.exe that deletes the parent's own file (see the process tree). The report logs every parent/child pair three times; the table is capped at 64 entries, so the last pair (2512 to 712) shows only its first write.
description | pid | Process | procid_target | writes logged
PID 2364 wrote to memory of 3540 | 2364 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | 96 | 3
PID 2364 wrote to memory of 1340 | 2364 | 2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe | 97 | 3
PID 3540 wrote to memory of 1440 | 3540 | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | 98 | 3
PID 3540 wrote to memory of 2592 | 3540 | {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe | 99 | 3
PID 1440 wrote to memory of 404 | 1440 | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | 101 | 3
PID 1440 wrote to memory of 2540 | 1440 | {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe | 102 | 3
PID 404 wrote to memory of 1844 | 404 | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | 103 | 3
PID 404 wrote to memory of 4736 | 404 | {98564B2F-D937-4fcc-AD6C-E6034689A485}.exe | 104 | 3
PID 1844 wrote to memory of 456 | 1844 | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | 105 | 3
PID 1844 wrote to memory of 1376 | 1844 | {99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe | 106 | 3
PID 456 wrote to memory of 1596 | 456 | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | 107 | 3
PID 456 wrote to memory of 1856 | 456 | {43A2F3DE-42A3-4911-84A3-A54634326D81}.exe | 108 | 3
PID 1596 wrote to memory of 212 | 1596 | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | 109 | 3
PID 1596 wrote to memory of 2400 | 1596 | {F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe | 110 | 3
PID 212 wrote to memory of 3800 | 212 | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | 111 | 3
PID 212 wrote to memory of 4432 | 212 | {1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe | 112 | 3
PID 3800 wrote to memory of 920 | 3800 | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | 113 | 3
PID 3800 wrote to memory of 4276 | 3800 | {1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe | 114 | 3
PID 920 wrote to memory of 2512 | 920 | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | 115 | 3
PID 920 wrote to memory of 1684 | 920 | {718814DB-6EF3-468b-A50B-C828095FA8BF}.exe | 116 | 3
PID 2512 wrote to memory of 3196 | 2512 | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | 117 | 3
PID 2512 wrote to memory of 712 | 2512 | {52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe | 118 | 1 (table capped at 64 entries)
Processes
Each entry gives the tree depth (level), PID, image path and command line; the parent PID is read from the tree nesting. Every stage starts the next stage and then spawns a cmd.exe that deletes the stage's own executable through its 8.3 short name, so nothing but the newest stage remains on disk. The last stage in this run, {21A848BC-2053-492b-998A-52E0BB9042C5}.exe, carries only the "Executes dropped EXE" tag.

level 1, PID 2364: C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 2, PID 3540 (child of 2364): C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
  command line: C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 3, PID 1440 (child of 3540): C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
  command line: C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 4, PID 404 (child of 1440): C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
  command line: C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 5, PID 1844 (child of 404): C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
  command line: C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 6, PID 456 (child of 1844): C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
  command line: C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 7, PID 1596 (child of 456): C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
  command line: C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 8, PID 212 (child of 1596): C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
  command line: C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 9, PID 3800 (child of 212): C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
  command line: C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 10, PID 920 (child of 3800): C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
  command line: C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 11, PID 2512 (child of 920): C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
  command line: C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
level 12, PID 3196 (child of 2512): C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
  command line: C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
level 13, PID 1680 (child of 3196): C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
  command line: C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
  - Executes dropped EXE

Self-delete helpers (each is a child of the stage it deletes):
level 13, PID 1448 (child of 3196): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADBE~1.EXE > nul
level 12, PID 712 (child of 2512): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{52E86~1.EXE > nul
level 11, PID 1684 (child of 920): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{71881~1.EXE > nul
level 10, PID 4276 (child of 3800): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE20~1.EXE > nul
level 9, PID 4432 (child of 212): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1F495~1.EXE > nul
level 8, PID 2400 (child of 1596): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B8F~1.EXE > nul
level 7, PID 1856 (child of 456): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{43A2F~1.EXE > nul
level 6, PID 1376 (child of 1844): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{99A38~1.EXE > nul
level 5, PID 4736 (child of 404): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{98564~1.EXE > nul
level 4, PID 2540 (child of 1440): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{36A73~1.EXE > nul
level 3, PID 2592 (child of 3540): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{81D0F~1.EXE > nul
level 2, PID 1340 (child of 2364): C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
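The following is an added worked example, not part of the sandbox report and not code from the sample or from the sandbox vendor. It parses IoC lines in the exact shape of the "Modifies Installed Components", "Drops file in Windows directory" and cmd.exe self-delete entries above, orders the stages by following each dropper to the file it dropped (the report lists them out of order), checks that every Active Setup stubpath names precisely the file that stage dropped, flags stubpaths that point at a GUID-named executable directly under C:\Windows, and maps the 8.3 short names in the `del` commands back to the long file names. The embedded input is copied from the first three stages of this report; the regexes, function names and the 8.3 expansion rule (first six characters of the long name plus ~N) are the example's own.

```python
"""Added example (not from the sandbox report or the sample): rebuild the
GoldenEye dropper chain from IoC lines shaped like this report's tables."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
STUBPATH_RE = re.compile(
    r"Set value \(str\) " + re.escape(KEY) + r"\\(?P<guid>" + GUID + r")\\stubpath"
    + r' = "(?P<target>[^"]+)" (?P<proc>\S+)$')
DROP_RE = re.compile(r"File created (?P<path>\S+) (?P<proc>\S+)$")
DEL_RE = re.compile(r"cmd\.exe /c del (?P<path>\S+) > nul", re.IGNORECASE)
ROOT = "2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"

# Constructed input: the first three stages, copied from the report's tables
# and deliberately left out of execution order, as they are on the page.
REGISTRY_IOCS = [
    "Set value (str) " + KEY + r'\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}\stubpath = "C:\\Windows\\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe" {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe',
    "Set value (str) " + KEY + r'\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}\stubpath = "C:\\Windows\\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe" ' + ROOT,
    "Set value (str) " + KEY + r'\{98564B2F-D937-4fcc-AD6C-E6034689A485}\stubpath = "C:\\Windows\\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe" {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe',
]
DROP_IOCS = [
    r"File created C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe {36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe",
    r"File created C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe {81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe",
    r"File created C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe " + ROOT,
]
DEL_CMDS = [
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{81D0F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_stubpaths(lines):
    """writing process -> (Active Setup GUID, stubpath target with the registry escaping undone)"""
    out = {}
    for line in lines:
        m = STUBPATH_RE.search(line)
        if m:
            out[m.group("proc")] = (m.group("guid"), m.group("target").replace("\\\\", "\\"))
    return out


def parse_drops(lines):
    """dropping process -> full path of the file it created"""
    return {m.group("proc"): m.group("path") for m in map(DROP_RE.search, lines) if m}


def order_chain(drops, root=ROOT):
    """Follow dropper -> dropped-file links from the root sample; returns names in execution order."""
    chain, cur = [root], root
    while cur in drops:
        cur = basename(drops[cur])
        if cur in chain:  # malformed or looping table: stop instead of spinning
            break
        chain.append(cur)
    return chain


def stubpath_mismatches(stubs, drops):
    """Stages whose Active Setup stubpath does not name exactly the file they dropped."""
    return [(proc, target, drops.get(proc)) for proc, (guid, target) in stubs.items()
            if drops.get(proc, "").lower() != target.lower()
            or basename(target) != guid + ".exe"]


def suspicious_stubpaths(stubs):
    """stubpath values that point at a GUID-named exe directly under C:\\Windows (this report's pattern)."""
    pat = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.IGNORECASE)
    return sorted(t for _, t in stubs.values() if pat.match(t))


def resolve_short_name(short_path, long_names):
    """Expand an 8.3 alias such as {81D0F~1.EXE. Windows forms it from the first six characters
    of the long name plus ~N, so a del target maps back to the dropped file it removes."""
    alias = basename(short_path).upper()
    stem, _, rest = alias.partition("~")
    ext = rest[rest.find("."):] if "." in rest else ""
    return [n for n in long_names if n.upper().startswith(stem) and n.upper().endswith(ext)]


if __name__ == "__main__":
    stubs, drops = parse_stubpaths(REGISTRY_IOCS), parse_drops(DROP_IOCS)
    print("chain:", " -> ".join(order_chain(drops)))
    print("stubpath/drop mismatches:", stubpath_mismatches(stubs, drops))
    print("GUID-named Active Setup stubs:", suspicious_stubpaths(stubs))
    known = [basename(p) for p in drops.values()] + [ROOT]
    for cmd in DEL_CMDS:
        target = DEL_RE.search(cmd).group("path")
        print(target, "->", resolve_short_name(target, known))
```

The stubpath check is the useful invariant for triage: in this sample every stage registers exactly the file it dropped, so a mismatch would indicate either a tampered report or a variant that persists something other than its own next stage. The short-name resolver is what lets an analyst tie a `del C:\Windows\{5ADBE~1.EXE` command line from EDR telemetry back to the full `{5ADBE231-...}.exe` drop without reproducing the run.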
Network
MITRE ATT&CK Enterprise v15
Downloads (12 dropped files, each 204KB)
All twelve hashes differ from one another and from the submitted sample, even though every file is the same size as the parent, so each stage writes a distinct binary and blocking the parent's hash alone does not cover the chain.
1. MD5 2e2bba62b4451cc670e9919c952de48d
   SHA1 edff1b0919a4641324bc8f7d1abfa6b393815124
   SHA256 7c6b96e73fc0474c89deb9500c826ee7f7dfbb179af15c174a7b505968032cad
   SHA512 5a0cdde408cd4242f291285ece3932115715b4e7972c66a42371c1b02feafd997a74fa68086e41d4aa6215445be00bb14fa514c8bd17e75b204034e5a83bff5a
2. MD5 c9c4229ea6e87758e93432969278f9de
   SHA1 e8e671545a90d5ca4f467d76085a55a7c6d1bd8a
   SHA256 1a65373e9e7a6355753e681bf16d328bbd62c2cef5fcbd313d175a429c7a037f
   SHA512 971f9bcbd52ea59809e9a0a0b2824862fe345a0f536298d9690c824a0820180eb9a92ed2aca4972e18f087a096fbd44f5d4f985f730677239609b1744d43e137
3. MD5 da427f7382a7793f80af76bdca4cd642
   SHA1 1ad7ecd90e2401c795910d9273f21df929d44d7f
   SHA256 83d10ba3a26650dd02e6ef5c96faf2fdcc6086845b32bdf7184b69c4c5731344
   SHA512 cdee2f2d99d5b50ca0f5645473889979a4af2e7436f7e7067f7e8f815be1a10cc5feae2b25d4b7b2cafdc133b25634ab48493d9388a09c937438a66a879e9913
4. MD5 177bcf7b542648f46334093f02604971
   SHA1 4ddb1f863ac94a00e6b86fb2ae75c1aa2560a1ac
   SHA256 247b7f4bd0828cb272330cfbdc7aad6fe220aeb062308104039107ebaadcdbf4
   SHA512 12e211a187659c70be78fd7bcb267d57933c049ee39f3a3b03180a446373dcf501c9a38a2e72ef12e0c6fdca85b21868377687f72762e052d30853ce65fde0a7
5. MD5 3e49f3cc3e16882b51b4ed7e29d0f692
   SHA1 e04bde84ab7f23984e28e0a08ba82c0c22733961
   SHA256 2578029062fa38711f27fc2422a382a7ccf789b91d13b09d7181987ec3a0b860
   SHA512 eeac99fc5e6b200ca4db54c48b2462246d6d435c72feaf969d74638ba45ba498ba5d04a0ae5a126da1f359be1aa033e85fa62008b13ddb52bd019e0bee013fe8
6. MD5 2fed1986f077cce2c60ecfba09947895
   SHA1 734f9664b779bde6169e74907027fc4105ec8f94
   SHA256 2603ea77f63d120cb4aa9fda850b1d5dea2bb0b639b29aafcde626e34b163a34
   SHA512 54a3f21a8ec13534312a922c48ea3e52472f21c80f1ba0397348ea61ea1ee3c4bbe2001b045adb1d72922a6bd55d2909e989a779ed34df8d87d3cc9b3afaa42e
7. MD5 a89acaaa4612e88c4e886713342399d3
   SHA1 f1581092fed960e1590226b924e518b6b7d9b653
   SHA256 124fb829a4ae16eb3b74d3af6c6bdb0deb5210f8b223cff41fb2064a4de86602
   SHA512 247f09729ee83561ef9adff76094828a118f35f2c00923305ef0212e3bd16794528c307e24e89964af83b848756b989032ae5a45e5edc3faec2b4755c5dc1d85
8. MD5 3911e221ab26f894d39e85e4c3dc7071
   SHA1 aa5262371674129aea86f735f011504d04474fb1
   SHA256 c689166d01078a3d486d8c5192cc4d6e5476f4d09f9ff6596bf84ceb8dde6524
   SHA512 ec7e0f079b952fbce8750427caf79d6b5cde053c04f4eef130b44f1543aa4b134e52f034a137156f58a9f9bd5d313cfd916339f029c8604da631fbab1a9de210
9. MD5 37cffa0494c1acfdaab59db8bf2abdf6
   SHA1 ceb79398fe061e75b147df206d0c8931b87b2f0e
   SHA256 d28e5a7dac2c92f01be36cd81226ef3da23cfc1b381256f9d23d3b7a75761a90
   SHA512 969bbc0283170e3be1fb13c172e1af39e59204b15b6440129fc1d9ba8da8ec31b6eec78fc650dea4959c22fbc9ac1924999bf660119b438921fb23a8d95fe305
10. MD5 6176220e2dab4612004bc65e96766a9d
    SHA1 d4c619cc039bfe99c504aeb093d939109d56b699
    SHA256 c4cd918cf112dd65ecb51ad39b2372a934232f225cbc77f8f0d83182cd107642
    SHA512 ce81154903611f996ca598fb90701a3a3a97307f5d1fb73b6c8699c9f28acb51a44c3f236e25f19937b35b2fa058a5342a1e73bc66aadf4ebdc4dd493051278c
11. MD5 d098339f19c86500aeae7ea4af4fc413
    SHA1 2ff38fe36fa9b011ea3f17dcef08e23ae0c9e254
    SHA256 74ac4b21e59f3fdf6b7607f66b73d7a99dafe784449849ee1de4d6a614a17122
    SHA512 de1e1925f5d05ee14f23e5148fb1d18999bc43d061ad7a3c6bda041077c7f0d137711662985be782e9da68a0fa3167198df2665bf205d2b01ea83b6f2ce93ffa
12. MD5 5f348da000176e032dfbfd0b310821aa
    SHA1 1c463992f6606494aded81f4bd122fb703cb963f
    SHA256 d40bbcfc67a2f293651098b3519920a60fd844631bc9d7288cfc2f846ee2a6f5
    SHA512 5164611f29d55548aceaae2dfcd8d3d1bf2e63665479500694c47972b86d84d4ec726f7a357ae6fa288b95aebc2d2be40470351780597ec6dd5527b1fcd5e182