Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:28
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
  Resource: win10v2004-20240226-en

The signatures, process tree and dropped files below are from behavioral2 (the win10v2004 run).
General

Target: 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
Size: 204KB
MD5: 14f5b92fdb38838cf5a78fa932e15e9e
SHA1: c3337c6cdb30205cc2af4e2d63a50fba1ab65a80
SHA256: 9ae334582da93f547d84f738b8d96fdae5999d61459a2c8a1b7213aff0c7466a
SHA512: ab99fbcaaa0e3966e0e1c6d2ef6c1fefad08ef18a330e1f815d0b3629f07ec097c53a29131e59f72ba6fc9e9ed0b94f57adf725f98bcef7754e6a4dfa062681a
SSDEEP: 1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy
Malware Config

Signatures

Auto-generated rule (12 IoCs)

resource | yara_rule
behavioral2/files/0x001200000002320c-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023218-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321f-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023218-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

All 24 records are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (HKLM\SOFTWARE as seen by a 32-bit process). Active Setup runs a component's StubPath once per user at logon, so each stage registers the next stage as persistence. The ioc column is relative to that key.

description | ioc | Process
Set value (str) | {9873B557-5F84-4067-BECC-4D078279318B}\stubpath = "C:\\Windows\\{9873B557-5F84-4067-BECC-4D078279318B}.exe" | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
Set value (str) | {16F6CCF4-7BFC-406f-9966-51706500F890}\stubpath = "C:\\Windows\\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe" | {9873B557-5F84-4067-BECC-4D078279318B}.exe
Set value (str) | {EEB675F2-3449-4623-86F9-98030183B8BE}\stubpath = "C:\\Windows\\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe" | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
Key created | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081} | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe
Set value (str) | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}\stubpath = "C:\\Windows\\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe" | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe
Key created | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE} | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
Set value (str) | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}\stubpath = "C:\\Windows\\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe" | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
Set value (str) | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}\stubpath = "C:\\Windows\\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe" | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
Key created | {BA485FBD-4481-46d0-AE22-F2962B1948F4} | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
Set value (str) | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}\stubpath = "C:\\Windows\\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe" | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
Set value (str) | {C0C0F86B-A3C9-4269-8729-50F3D2188815}\stubpath = "C:\\Windows\\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe" | {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
Key created | {EEB675F2-3449-4623-86F9-98030183B8BE} | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
Set value (str) | {65837DA2-5C01-4209-9ECB-740A0E066B86}\stubpath = "C:\\Windows\\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe" | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe
Set value (str) | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}\stubpath = "C:\\Windows\\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe" | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
Key created | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37} | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
Set value (str) | {BA485FBD-4481-46d0-AE22-F2962B1948F4}\stubpath = "C:\\Windows\\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe" | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
Key created | {C0C0F86B-A3C9-4269-8729-50F3D2188815} | {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
Key created | {65837DA2-5C01-4209-9ECB-740A0E066B86} | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe
Key created | {9873B557-5F84-4067-BECC-4D078279318B} | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
Key created | {16F6CCF4-7BFC-406f-9966-51706500F890} | {9873B557-5F84-4067-BECC-4D078279318B}.exe
Key created | {8555BFAB-8489-43b9-9215-B6A70703C756} | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe
Set value (str) | {8555BFAB-8489-43b9-9215-B6A70703C756}\stubpath = "C:\\Windows\\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe" | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe
Key created | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9} | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
Key created | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C} | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
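The records above, processed the way an analyst would after pasting them out of the report. This is an added example and is not part of the sandbox report or of the sample: it parses each Active Setup record, flags StubPath values that point at a GUID-named executable dropped straight into C:\Windows, and follows "process that set the StubPath → binary it registered" to recover the stage order. REPORT_LINES are the twelve StubPath records and one Key created record from the signature above, with the shared key prefix factored into KEY; the {GUID}.exe heuristics in suspicious_stubs are this example's own assumptions, not a rule the report contains.

```python
"""Parse 'Modifies Installed Components in the registry' records and recover the
Active Setup persistence chain. Added example, not part of the sandbox report.
REPORT_LINES are copied from the signature (key prefix factored into KEY); the
{GUID}.exe heuristics below are assumptions of this example."""
import re

KEY = r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
REPORT_LINES = [
    'Set value (str) ' + KEY + r'\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}\stubpath = "C:\\Windows\\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe" 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe',
    'Set value (str) ' + KEY + r'\{9873B557-5F84-4067-BECC-4D078279318B}\stubpath = "C:\\Windows\\{9873B557-5F84-4067-BECC-4D078279318B}.exe" {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe',
    'Set value (str) ' + KEY + r'\{16F6CCF4-7BFC-406f-9966-51706500F890}\stubpath = "C:\\Windows\\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe" {9873B557-5F84-4067-BECC-4D078279318B}.exe',
    'Set value (str) ' + KEY + r'\{65837DA2-5C01-4209-9ECB-740A0E066B86}\stubpath = "C:\\Windows\\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe" {16F6CCF4-7BFC-406f-9966-51706500F890}.exe',
    'Set value (str) ' + KEY + r'\{EEB675F2-3449-4623-86F9-98030183B8BE}\stubpath = "C:\\Windows\\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe" {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe',
    'Set value (str) ' + KEY + r'\{8555BFAB-8489-43b9-9215-B6A70703C756}\stubpath = "C:\\Windows\\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe" {EEB675F2-3449-4623-86F9-98030183B8BE}.exe',
    'Set value (str) ' + KEY + r'\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}\stubpath = "C:\\Windows\\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe" {8555BFAB-8489-43b9-9215-B6A70703C756}.exe',
    'Set value (str) ' + KEY + r'\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}\stubpath = "C:\\Windows\\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe" {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe',
    'Set value (str) ' + KEY + r'\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}\stubpath = "C:\\Windows\\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe" {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe',
    'Set value (str) ' + KEY + r'\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}\stubpath = "C:\\Windows\\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe" {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe',
    'Set value (str) ' + KEY + r'\{BA485FBD-4481-46d0-AE22-F2962B1948F4}\stubpath = "C:\\Windows\\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe" {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe',
    'Set value (str) ' + KEY + r'\{C0C0F86B-A3C9-4269-8729-50F3D2188815}\stubpath = "C:\\Windows\\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe" {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe',
    'Key created ' + KEY + r'\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C} 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe',
]

# <op> <key path>[ = "<data>"] <writing process>; the key path itself contains spaces
RECORD_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\))\s+(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?\s+(?P<proc>\S+)$')
# Active Setup component key in either registry view, with an optional value name
ACTIVE_SETUP_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\'
    r'Installed Components\\(?P<guid>\{[0-9A-F-]{36}\})(?:\\(?P<value>[^\\]+))?$', re.I)
GUID_EXE_NAME_RE = re.compile(r'^\{[0-9A-F-]{36}\}\.exe$', re.I)
GUID_EXE_IN_WINDOWS_RE = re.compile(r'^C:\\Windows\\(\{[0-9A-F-]{36}\}\.exe)$', re.I)


def parse_records(lines):
    """Return {GUID: {'stubpath', 'set_by', 'created_by'}} for Active Setup keys only."""
    comps = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f'unrecognised record: {line!r}')
        k = ACTIVE_SETUP_RE.match(m['path'])
        if not k:
            continue                               # some other registry key
        entry = comps.setdefault(k['guid'].upper(), {})
        if m['op'] == 'Key created':
            entry['created_by'] = m['proc']
        elif (k['value'] or '').lower() == 'stubpath':
            # the report renders REG_SZ data with doubled backslashes
            entry['stubpath'] = (m['data'] or '').replace('\\\\', '\\')
            entry['set_by'] = m['proc']
    return comps


def suspicious_stubs(comps):
    """GUID -> reasons, for components whose StubPath looks like a dropped stage (heuristic)."""
    out = {}
    for guid, e in comps.items():
        reasons = []
        target = GUID_EXE_IN_WINDOWS_RE.match(e.get('stubpath', ''))
        if target:
            reasons.append('StubPath is a GUID-named exe directly under C:\\Windows')
            if target.group(1).upper() == guid + '.EXE':
                reasons.append('stub file name equals the component GUID')
        if GUID_EXE_NAME_RE.match(e.get('set_by', '')):
            reasons.append('registered by another GUID-named exe (chained stage)')
        if reasons:
            out[guid] = reasons
    return out


def stage_chain(comps):
    """Order the stages: whoever set a StubPath is the stage that ran before it."""
    nxt, display = {}, {}
    for e in comps.values():
        if 'stubpath' not in e:
            continue
        writer, stub = e['set_by'], e['stubpath'].rsplit('\\', 1)[-1]
        nxt[writer.upper()] = stub.upper()
        display.setdefault(writer.upper(), writer)
        display.setdefault(stub.upper(), stub)
    roots = [w for w in nxt if w not in set(nxt.values())]
    if len(roots) != 1:
        raise ValueError(f'expected a single chain root, found {roots}')
    chain = [roots[0]]
    while chain[-1] in nxt:
        if nxt[chain[-1]] in chain:
            raise ValueError('cycle in StubPath chain')
        chain.append(nxt[chain[-1]])
    return [display[c] for c in chain]
```

Run against these thirteen records, parse_records yields twelve components, suspicious_stubs flags all twelve, and stage_chain returns thirteen names from the submitted sample down to {C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe, matching the process tree further down. The Key created records add nothing to the chain; they are kept so the parser handles both record shapes the report emits.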
Executes dropped EXE (12 IoCs)

pid | Process
4776 | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
3540 | {9873B557-5F84-4067-BECC-4D078279318B}.exe
3156 | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe
3212 | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
960 | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe
1516 | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe
3280 | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
3340 | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
3460 | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
1788 | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
4828 | {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
1824 | {C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe
Drops file in Windows directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe
File created | C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe
File created | C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe
File created | C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
File created | C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe | {9873B557-5F84-4067-BECC-4D078279318B}.exe
File created | C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
File created | C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
File created | C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
File created | C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
File created | C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
File created | C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe | {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
File created | C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2380 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4776 | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
Token: SeIncBasePriorityPrivilege | 3540 | {9873B557-5F84-4067-BECC-4D078279318B}.exe
Token: SeIncBasePriorityPrivilege | 3156 | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe
Token: SeIncBasePriorityPrivilege | 3212 | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
Token: SeIncBasePriorityPrivilege | 960 | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe
Token: SeIncBasePriorityPrivilege | 1516 | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe
Token: SeIncBasePriorityPrivilege | 3280 | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
Token: SeIncBasePriorityPrivilege | 3340 | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
Token: SeIncBasePriorityPrivilege | 3460 | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
Token: SeIncBasePriorityPrivilege | 1788 | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
Token: SeIncBasePriorityPrivilege | 4828 | {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

The report records each parent-to-child write three times (the three WriteProcessMemory calls that accompany process creation); the table below collapses those repeats into an occurrences column. The signature is capped at 64 records, so the last pair appears once and writes by the final two stages are not listed.

description | pid | Process | procid_target | occurrences
PID 2380 wrote to memory of 4776 | 2380 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 95 | 3
PID 2380 wrote to memory of 5032 | 2380 | 2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe | 96 | 3
PID 4776 wrote to memory of 3540 | 4776 | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe | 97 | 3
PID 4776 wrote to memory of 5052 | 4776 | {19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe | 98 | 3
PID 3540 wrote to memory of 3156 | 3540 | {9873B557-5F84-4067-BECC-4D078279318B}.exe | 100 | 3
PID 3540 wrote to memory of 4324 | 3540 | {9873B557-5F84-4067-BECC-4D078279318B}.exe | 101 | 3
PID 3156 wrote to memory of 3212 | 3156 | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe | 102 | 3
PID 3156 wrote to memory of 864 | 3156 | {16F6CCF4-7BFC-406f-9966-51706500F890}.exe | 103 | 3
PID 3212 wrote to memory of 960 | 3212 | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe | 104 | 3
PID 3212 wrote to memory of 1196 | 3212 | {65837DA2-5C01-4209-9ECB-740A0E066B86}.exe | 105 | 3
PID 960 wrote to memory of 1516 | 960 | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe | 106 | 3
PID 960 wrote to memory of 4404 | 960 | {EEB675F2-3449-4623-86F9-98030183B8BE}.exe | 107 | 3
PID 1516 wrote to memory of 3280 | 1516 | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe | 108 | 3
PID 1516 wrote to memory of 3116 | 1516 | {8555BFAB-8489-43b9-9215-B6A70703C756}.exe | 109 | 3
PID 3280 wrote to memory of 3340 | 3280 | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe | 110 | 3
PID 3280 wrote to memory of 1324 | 3280 | {7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe | 111 | 3
PID 3340 wrote to memory of 3460 | 3340 | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe | 112 | 3
PID 3340 wrote to memory of 2928 | 3340 | {0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe | 113 | 3
PID 3460 wrote to memory of 1788 | 3460 | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe | 114 | 3
PID 3460 wrote to memory of 1564 | 3460 | {2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe | 115 | 3
PID 1788 wrote to memory of 4828 | 1788 | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe | 116 | 3
PID 1788 wrote to memory of 4156 | 1788 | {4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe | 117 | 1 (list truncated at 64 records)
Processes

The bracketed number is the nesting depth shown in the report; children are indented under their parent. Every stage launches the next {GUID}.exe and, as a second child, a cmd.exe that deletes the stage's own binary by its 8.3 short name (for example {BA485~1.EXE for {BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe). The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: WoW64 file-system redirection, i.e. the stages are 32-bit processes.

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe  (PID 2380)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe  (PID 4776)
      cmdline: C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe  (PID 3540)
        cmdline: C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe  (PID 3156)
          cmdline: C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe  (PID 3212)
            cmdline: C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe  (PID 960)
              cmdline: C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe  (PID 1516)
                cmdline: C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe  (PID 3280)
                  cmdline: C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe  (PID 3340)
                    cmdline: C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe  (PID 3460)
                       cmdline: C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
                       - Modifies Installed Components in the registry
                       - Executes dropped EXE
                       - Drops file in Windows directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe  (PID 1788)
                         cmdline: C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
                         - Modifies Installed Components in the registry
                         - Executes dropped EXE
                         - Drops file in Windows directory
                         - Suspicious use of AdjustPrivilegeToken
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe  (PID 4828)
                           cmdline: C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
                           - Modifies Installed Components in the registry
                           - Executes dropped EXE
                           - Drops file in Windows directory
                           - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe  (PID 1824)
                             cmdline: C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe
                             - Executes dropped EXE
                        [13] C:\Windows\SysWOW64\cmd.exe  (PID 4176)
                             cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA485~1.EXE > nul
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 4156)
                           cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{4A491~1.EXE > nul
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 1564)
                         cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{2711B~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe  (PID 2928)
                       cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1CE~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 1324)
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDE0~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 3116)
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{8555B~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 4404)
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{EEB67~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 1196)
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{65837~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 864)
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{16F6C~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 4324)
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{9873B~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 5052)
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{19319~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 5032)
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
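The tree above, rebuilt as a detection-style check. This is an added example and is not part of the sandbox report: STAGES and DELETERS are constructed from the PIDs, image paths and command lines listed in the tree (parent PIDs follow the nesting and the WriteProcessMemory records), and events() turns them into the (pid, ppid, image, cmdline) records a Sysmon or EDR process-creation feed would give. The code pairs every `cmd.exe /c del` with the image it removes by expanding the 8.3 short name, confirms that each stage deletes its own binary after launching the next, and records whether cmd.exe was WoW64-redirected (system32 requested, SysWOW64 executed). The short-name expansion is a simplified first-six-characters rule assumed here; NTFS generates different suffixes on collisions, so the resolver returns every candidate instead of guessing.

```python
"""Rebuild the drop-execute-delete chain from the process tree and check that
every stage removes its own binary via cmd.exe. Added example, not part of the
sandbox report; STAGES/DELETERS are constructed from the tree. The 8.3 expansion
is a simplified rule (first six stem characters + '~') assumed for this example."""
import re
from collections import defaultdict

WIN = 'C:\\Windows\\'
TEMP = 'C:\\Users\\Admin\\AppData\\Local\\Temp\\'
STAGES = [  # (pid, ppid, image); a stage's command line is its own image path
    (2380, None, TEMP + '2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe'),
    (4776, 2380, WIN + '{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe'),
    (3540, 4776, WIN + '{9873B557-5F84-4067-BECC-4D078279318B}.exe'),
    (3156, 3540, WIN + '{16F6CCF4-7BFC-406f-9966-51706500F890}.exe'),
    (3212, 3156, WIN + '{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe'),
    (960, 3212, WIN + '{EEB675F2-3449-4623-86F9-98030183B8BE}.exe'),
    (1516, 960, WIN + '{8555BFAB-8489-43b9-9215-B6A70703C756}.exe'),
    (3280, 1516, WIN + '{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe'),
    (3340, 3280, WIN + '{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe'),
    (3460, 3340, WIN + '{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe'),
    (1788, 3460, WIN + '{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe'),
    (4828, 1788, WIN + '{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe'),
    (1824, 4828, WIN + '{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe'),
]
DELETERS = [  # (pid, ppid, 8.3 path passed to "cmd.exe /c del ... > nul")
    (5032, 2380, TEMP + '2024-0~1.EXE'), (5052, 4776, WIN + '{19319~1.EXE'),
    (4324, 3540, WIN + '{9873B~1.EXE'), (864, 3156, WIN + '{16F6C~1.EXE'),
    (1196, 3212, WIN + '{65837~1.EXE'), (4404, 960, WIN + '{EEB67~1.EXE'),
    (3116, 1516, WIN + '{8555B~1.EXE'), (1324, 3280, WIN + '{7BDE0~1.EXE'),
    (2928, 3340, WIN + '{0E1CE~1.EXE'), (1564, 3460, WIN + '{2711B~1.EXE'),
    (4156, 1788, WIN + '{4A491~1.EXE'), (4176, 4828, WIN + '{BA485~1.EXE'),
]
DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+(?P<target>\S+)', re.I)


def events():
    """Process-creation records in the shape a Sysmon/EDR feed would provide."""
    ev = [{'pid': p, 'ppid': pp, 'image': img, 'cmdline': f'"{img}"' if pp is None else img}
          for p, pp, img in STAGES]
    ev += [{'pid': p, 'ppid': pp, 'image': WIN + 'SysWOW64\\cmd.exe',
            'cmdline': WIN + 'system32\\cmd.exe /c del ' + tgt + ' > nul'}
           for p, pp, tgt in DELETERS]
    return ev


def short_key(name):
    """Simplified 8.3 key of a long file name: first six stem chars + '~', 3-char extension."""
    stem, _, ext = name.rpartition('.')
    return (stem[:6] + '~').upper(), ext[:3].upper()


def resolve_short(short_path, candidates):
    """Long paths among candidates that the 8.3 path could denote (may be several)."""
    folder, _, base = short_path.rpartition('\\')
    stem, _, ext = base.rpartition('.')
    if '~' not in stem:                                # not a short name: literal match
        return [c for c in candidates if c.upper() == short_path.upper()]
    want = (stem.split('~')[0].upper() + '~', ext.upper())
    return [c for c in candidates
            if c.rpartition('\\')[0].upper() == folder.upper()
            and short_key(c.rpartition('\\')[2]) == want]


def analyse(ev):
    """Per stage that spawned a deleter: what it launched, whether the deleter targets the
    stage's own image, and whether cmd.exe was WoW64-redirected (system32 -> SysWOW64)."""
    kids = defaultdict(list)
    for e in ev:
        kids[e['ppid']].append(e)
    images = [e['image'] for e in ev]
    report = {}
    for e in ev:
        dels = [k for k in kids[e['pid']] if DEL_RE.search(k['cmdline'])]
        if not dels:
            continue
        targets = [DEL_RE.search(d['cmdline'])['target'] for d in dels]
        report[e['pid']] = {
            'image': e['image'],
            'launched': [k['image'] for k in kids[e['pid']] if k not in dels],
            'deletes_self': any(e['image'] in resolve_short(t, images) for t in targets),
            'wow64_cmd': any(d['image'].lower().startswith(WIN.lower() + 'syswow64')
                             and 'system32' in d['cmdline'].lower() for d in dels),
        }
    return report


def chain(ev):
    """Image names from the root down, following the single non-cmd child of each stage."""
    kids = defaultdict(list)
    for e in ev:
        kids[e['ppid']].append(e)
    cur, order = kids[None][0], []
    while cur:
        order.append(cur['image'].rpartition('\\')[2])
        nxt = [k for k in kids[cur['pid']] if not DEL_RE.search(k['cmdline'])]
        cur = nxt[0] if len(nxt) == 1 else None
    return order
```

On these records analyse() returns twelve entries (the final stage, PID 1824, spawned no deleter), every one with deletes_self and wow64_cmd true, and chain() returns the thirteen image names in the order the tree shows. The same functions work on a live feed as long as parent PIDs and full command lines are present; resolving the 8.3 name is what lets a rule say "this process deleted its own file" rather than merely "cmd.exe ran del".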
Network
MITRE ATT&CK Enterprise v15
Downloads

Twelve files, each 204KB (the same size as the submitted sample) and each with a distinct hash, so a hash-based indicator for the parent does not cover the stages it drops; the YARA rule above matches all twelve.

- Filesize: 204KB
  MD5: 8326c86edfa2f92ec039afbd10c41acc
  SHA1: e01d8d1d34f307057bb7b61fac9a66d68c13c2d7
  SHA256: bb7c6e51279ba03a6994684ee7f4989bcf03999797712f8829e89d45ee995108
  SHA512: 30c05da4ba18e031c52202d908900df1b32d752bb5721e9e798ecdd7ced7f8ace44840ccfda9db032c6831622b4d886d1691188799c237046db383c6dcf8e468
- Filesize: 204KB
  MD5: 782feeaf14549278d6b67c6aae225505
  SHA1: f1a9d377d36a107279e3c433eb38157d21b6ebc0
  SHA256: 0300a1c0dbccade6b7b11c1a7b173de91076472f50fb28d41e2e96f43c46dc61
  SHA512: aafd5b44881495ab66451f38af53433194b03495e4655bead0826e7b9fe858e421ce76845a62f2de485a70774d6da2ef30d3f0b476c218d99051dec90915f680
- Filesize: 204KB
  MD5: bf3944d79c533641f472a67e1c3cded4
  SHA1: 15a67a057bbdc63e9f01e125f74bebce91f2742f
  SHA256: c33671345dc129a49326d2ac9ebb406622c9d3990a7d5e479f53f7973e4edff0
  SHA512: 0bf16a387e8c797eb17f0e19e507dac34efd35e171e8d67e98d959323c52bea1ede750d1c43ec23461ff9d61bff7cd770c8bdc01afa24e2882fe1c6d36fab0fb
- Filesize: 204KB
  MD5: 785de830219f036c4d25d356a70e9db2
  SHA1: 594133632194e4b7a448931a4edf4af781a739d5
  SHA256: b3face999cf2103c2c0cef0f5f22bffa02e85530273984e8a0d9f689037fbae4
  SHA512: 6a010f253dfe52ec4197d984c775487d3e45577542d27d5e8557a4532ceea9d3be780295db0ae3edfe0b0ff5077c3627a05864c984758daa514091dbd2134a1d
- Filesize: 204KB
  MD5: bff9696e205d7d6e375ed63289bbfda7
  SHA1: 3d8725b1100b59fce0afb78dfbbbd12270413abb
  SHA256: 0a6948ce8b9346084e6423406fca482db9365c384fb4087ffbc647de70fee324
  SHA512: 4eaf57c8c1007efd94103f730f4ebee66e9fe578a8d6ed499f329653c0f40d0e203d0ea98491a05bbe868ad0f5b9fcb5df2ba551938864fd687164a5c0c86666
- Filesize: 204KB
  MD5: 04fc6040d06e73f4b8097113ef271c97
  SHA1: 9ef832ad1bdd147dcb14bbe57234d4ff80617b7a
  SHA256: 938f43e602e76d99d35b4c28de17f6a342836483ed5adb8b8c9ff6ae1687573d
  SHA512: b4d4941ee2eb7cce0b07df2ef12a59160f79b19e5c2a070304af541c8a4b6b6a61193c2806d287e1b8fa021d038ef2fdf5f853b846be9692364d7a41b40a74b0
- Filesize: 204KB
  MD5: 819658b8b59d3e1af28967b624c8066a
  SHA1: 39619b1c49ac1d68100a7f1eb3c24e94a1c0c0f4
  SHA256: 652ba381267b314e30e59b4e3940ee6208a3a7036f2adc91dc6e55eeb754b81b
  SHA512: 3d372051251bdde9e907db5dcb29b75eaaef9de18ccca754ed9cd3739b9c31afb2b9f35ef12e993c004157bed5e3127d14f4b00d9149cc1bc95ea18d7044da4c
- Filesize: 204KB
  MD5: af785546614f5e1ffd09eb0fccf4632c
  SHA1: 4150caf0c9db071b2cf17ca07e9fe9e8d02c6263
  SHA256: 8ad519e8a30dca113cae61e61482a567bd9803b062cc82a09216f3306dffca5e
  SHA512: e2d26bfc877482fbec84ca3ac5b9745d64b2fb087c7ce77000782168928130a8b8d3410c4851b05d8a7e8e2db910bf2b2f098cda6f7254cacb681a035201169a
- Filesize: 204KB
  MD5: 1ca058c88acc64ddefaaaabb10225440
  SHA1: 0fbab38ce08dd5685abcea0ae57f30c7eb2bcbab
  SHA256: 6b2eef1e34c3e5912ee6f0b9a408b47f1d260eb8ead03c919fb937fd33dc994c
  SHA512: 6b3fd434b25a8ee40230285416abb7baa0ffec9f4d89a5b0b0fa6a571ee58e3d1d63e87343dc1dc6c17ecb3a2b445be82f63849bee717191eb4c65356f878415
- Filesize: 204KB
  MD5: fc9e47e93d3de3cbce4c283c9c5e682d
  SHA1: 3ff2d9df653f8cff8552388fe31c3198df868660
  SHA256: bfbc3b382388cd11c9f3aedd26cedf6b2b43b8da855128a36c93f74e04252e31
  SHA512: b888d344c6242c5a0e93ba7425f738cca75136f6626289609c57a8dcebc738c7e7cd3aff0ac26305087666f31bc18180e242e3431792db03466b7b31356cf814
- Filesize: 204KB
  MD5: 3fa0a82e4e4d708e647aca3edf172fce
  SHA1: 4919dc9486a35cb32bd489df3f84b9ad114cd23e
  SHA256: 4fa0180d4bf7026950b0a924a8732068b2a0515b13c7fdaa2f561e88e0434eb3
  SHA512: a3127c2d2a1aec0690cd5a6b76f1e4c5e91022d8bd4dcbf554d8e81aa2b305417730e431321ac4a6beb92fa8779fd74eadb45a280985c0f63b98a03f31b8bce5
- Filesize: 204KB
  MD5: d17eceb6ebf8c197cf2d384a49687c7c
  SHA1: d7a0980913b70052ee1194b895d949f8ebed74e1
  SHA256: ce350b5ff85601fcebace0e0efa5b02f9933ebf70657920cb3077ea00a63385a
  SHA512: 9baea24195c90608e131cb7646cc3549a55c47b251b0f27615050ea686bf5538664df208d804f561ff16f817044bafceca58e0d755f15834d16876df3f1b8737