Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 04/04/2024, 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Size: 204KB
MD5: 375dbfc59e996eb9752cdbd68645f0a0
SHA1: 0ed548a9c92a86c6e89beaefeb934ba842afe498
SHA256: 28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840
SHA512: 30088a8564b7440e55653b2b15047fdfdabea143fe6aa1d696d2efc19f8729d88defef90124c764479b8013842cfaa69441a14a78c84ef5baaa7369eb5d49fc5
SSDEEP: 1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023208-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002321a-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321a-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F} | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8490A6B-918E-4738-845D-083C6D5EF9BD}\stubpath = "C:\\Windows\\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe" | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC} | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}\stubpath = "C:\\Windows\\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe" | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79} | {6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685FF935-5B69-47eb-BB41-062752329406}\stubpath = "C:\\Windows\\{685FF935-5B69-47eb-BB41-062752329406}.exe" | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25AF221-709B-4973-B956-8CCD4113756D}\stubpath = "C:\\Windows\\{A25AF221-709B-4973-B956-8CCD4113756D}.exe" | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35658802-4DD5-498e-A1B3-2A2701AD9A11}\stubpath = "C:\\Windows\\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe" | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB} | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}\stubpath = "C:\\Windows\\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe" | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA4DA3D-AD97-4154-A036-6311162F83DA} | {A25AF221-709B-4973-B956-8CCD4113756D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21867-9A9E-48cc-B8C3-8A874040480D} | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFA21867-9A9E-48cc-B8C3-8A874040480D}\stubpath = "C:\\Windows\\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe" | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35658802-4DD5-498e-A1B3-2A2701AD9A11} | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}\stubpath = "C:\\Windows\\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe" | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}\stubpath = "C:\\Windows\\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe" | {6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D74E14A-10F1-4a82-B628-C95754D6B2A5} | {685FF935-5B69-47eb-BB41-062752329406}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A25AF221-709B-4973-B956-8CCD4113756D} | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA4DA3D-AD97-4154-A036-6311162F83DA}\stubpath = "C:\\Windows\\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe" | {A25AF221-709B-4973-B956-8CCD4113756D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8490A6B-918E-4738-845D-083C6D5EF9BD} | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31B60D9C-91B4-4c85-9BC6-874FEEE13526} | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{685FF935-5B69-47eb-BB41-062752329406} | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}\stubpath = "C:\\Windows\\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe" | {685FF935-5B69-47eb-BB41-062752329406}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}\stubpath = "C:\\Windows\\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe" | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
Executes dropped EXE (12 IoCs)
pid | Process
1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe
4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe
4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
5028 | {6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
3904 | {2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | {A25AF221-709B-4973-B956-8CCD4113756D}.exe
File created | C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
File created | C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
File created | C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
File created | C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | {685FF935-5B69-47eb-BB41-062752329406}.exe
File created | C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
File created | C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
File created | C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
File created | C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
File created | C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
File created | C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe | {6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
File created | C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe
Token: SeIncBasePriorityPrivilege | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
Token: SeIncBasePriorityPrivilege | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe
Token: SeIncBasePriorityPrivilege | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
Token: SeIncBasePriorityPrivilege | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
Token: SeIncBasePriorityPrivilege | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
Token: SeIncBasePriorityPrivilege | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
Token: SeIncBasePriorityPrivilege | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
Token: SeIncBasePriorityPrivilege | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
Token: SeIncBasePriorityPrivilege | 4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
Token: SeIncBasePriorityPrivilege | 5028 | {6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3736 wrote to memory of 1084 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 93
PID 3736 wrote to memory of 1084 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 93
PID 3736 wrote to memory of 1084 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 93
PID 3736 wrote to memory of 2696 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 94
PID 3736 wrote to memory of 2696 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 94
PID 3736 wrote to memory of 2696 | 3736 | 2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe | 94
PID 1084 wrote to memory of 4948 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 95
PID 1084 wrote to memory of 4948 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 95
PID 1084 wrote to memory of 4948 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 95
PID 1084 wrote to memory of 3412 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 96
PID 1084 wrote to memory of 3412 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 96
PID 1084 wrote to memory of 3412 | 1084 | {685FF935-5B69-47eb-BB41-062752329406}.exe | 96
PID 4948 wrote to memory of 3116 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 98
PID 4948 wrote to memory of 3116 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 98
PID 4948 wrote to memory of 3116 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 98
PID 4948 wrote to memory of 4924 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 99
PID 4948 wrote to memory of 4924 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 99
PID 4948 wrote to memory of 4924 | 4948 | {0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe | 99
PID 3116 wrote to memory of 4024 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 100
PID 3116 wrote to memory of 4024 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 100
PID 3116 wrote to memory of 4024 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 100
PID 3116 wrote to memory of 3272 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 101
PID 3116 wrote to memory of 3272 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 101
PID 3116 wrote to memory of 3272 | 3116 | {A25AF221-709B-4973-B956-8CCD4113756D}.exe | 101
PID 4024 wrote to memory of 2336 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 102
PID 4024 wrote to memory of 2336 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 102
PID 4024 wrote to memory of 2336 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 102
PID 4024 wrote to memory of 3896 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 103
PID 4024 wrote to memory of 3896 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 103
PID 4024 wrote to memory of 3896 | 4024 | {1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe | 103
PID 2336 wrote to memory of 364 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 104
PID 2336 wrote to memory of 364 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 104
PID 2336 wrote to memory of 364 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 104
PID 2336 wrote to memory of 1400 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 105
PID 2336 wrote to memory of 1400 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 105
PID 2336 wrote to memory of 1400 | 2336 | {35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe | 105
PID 364 wrote to memory of 4596 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 106
PID 364 wrote to memory of 4596 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 106
PID 364 wrote to memory of 4596 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 106
PID 364 wrote to memory of 772 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 107
PID 364 wrote to memory of 772 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 107
PID 364 wrote to memory of 772 | 364 | {BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe | 107
PID 4596 wrote to memory of 1844 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 108
PID 4596 wrote to memory of 1844 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 108
PID 4596 wrote to memory of 1844 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 108
PID 4596 wrote to memory of 2324 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 109
PID 4596 wrote to memory of 2324 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 109
PID 4596 wrote to memory of 2324 | 4596 | {E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe | 109
PID 1844 wrote to memory of 3524 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 110
PID 1844 wrote to memory of 3524 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 110
PID 1844 wrote to memory of 3524 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 110
PID 1844 wrote to memory of 5048 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 111
PID 1844 wrote to memory of 5048 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 111
PID 1844 wrote to memory of 5048 | 1844 | {31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe | 111
PID 3524 wrote to memory of 4324 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 112
PID 3524 wrote to memory of 4324 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 112
PID 3524 wrote to memory of 4324 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 112
PID 3524 wrote to memory of 1108 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 113
PID 3524 wrote to memory of 1108 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 113
PID 3524 wrote to memory of 1108 | 3524 | {CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe | 113
PID 4324 wrote to memory of 5028 | 4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe | 114
PID 4324 wrote to memory of 5028 | 4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe | 114
PID 4324 wrote to memory of 5028 | 4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe | 114
PID 4324 wrote to memory of 1628 | 4324 | {FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe | 115
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3736
  [depth 2] C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
    Command line: C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1084
    [depth 3] C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
      Command line: C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4948
      [depth 4] C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
        Command line: C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3116
        [depth 5] C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
          Command line: C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 4024
          [depth 6] C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
            Command line: C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2336
            [depth 7] C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
              Command line: C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 364
              [depth 8] C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
                Command line: C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 4596
                [depth 9] C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
                  Command line: C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 1844
                  [depth 10] C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
                    Command line: C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 3524
                    [depth 11] C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
                      Command line: C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 4324
                      [depth 12] C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
                        Command line: C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 5028
                        [depth 13] C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe
                          Command line: C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe
                          - Executes dropped EXE
                          PID: 3904
                        [depth 13] C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6180A~1.EXE > nul
                          PID: 1732
                      [depth 12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA21~1.EXE > nul
                        PID: 1628
                    [depth 11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CF96E~1.EXE > nul
                      PID: 1108
                  [depth 10] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{31B60~1.EXE > nul
                    PID: 5048
                [depth 9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E8490~1.EXE > nul
                  PID: 2324
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BE86F~1.EXE > nul
                PID: 772
            [depth 7] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{35658~1.EXE > nul
              PID: 1400
          [depth 6] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA4D~1.EXE > nul
            PID: 3896
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A25AF~1.EXE > nul
          PID: 3272
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D74E~1.EXE > nul
        PID: 4924
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{685FF~1.EXE > nul
      PID: 3412
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads