Analysis

max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:37

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Size: 168KB
MD5: 5f0dc811482238f0932c7529f94c2671
SHA1: d6e5550a87d5851acc0a5ad0ea8e2e3944c2382f
SHA256: dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603
SHA512: c4bb9f4d54df43d7ccdac3e7808e2a5c773c380d9b098f18cd1e59f783859075daa25d219d268dce983a7f6c565cd6f95ba4c6edbb9353cec0354b6caae0ce11
SSDEEP: 1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule 12 IoCs

resource | yara_rule
behavioral2/files/0x0007000000023219-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320e-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023220-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320e-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-21.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26} | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00AAA7D-4694-4436-9E58-B37222213553} | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D65A68-DCF9-4abe-84BD-2E378B4D760E} | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF39B152-4D89-480e-B0E9-02C15422758B}\stubpath = "C:\\Windows\\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe" | {781E4282-4994-4391-B342-15B572088883}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}\stubpath = "C:\\Windows\\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe" | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53404B33-473F-4be6-A7D1-D5DB573439F3} | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00AAA7D-4694-4436-9E58-B37222213553}\stubpath = "C:\\Windows\\{F00AAA7D-4694-4436-9E58-B37222213553}.exe" | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D2B2551-0A85-4331-AAA6-B34BAD220293} | {81B81674-4271-4b43-A106-7F75F63955D7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D2B2551-0A85-4331-AAA6-B34BAD220293}\stubpath = "C:\\Windows\\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe" | {81B81674-4271-4b43-A106-7F75F63955D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF39B152-4D89-480e-B0E9-02C15422758B} | {781E4282-4994-4391-B342-15B572088883}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}\stubpath = "C:\\Windows\\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe" | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A06BC06B-4F29-43c4-86C7-AA55F106565F}\stubpath = "C:\\Windows\\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe" | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629E476-A30D-4cdd-A735-B579DD2A307D}\stubpath = "C:\\Windows\\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe" | {F00AAA7D-4694-4436-9E58-B37222213553}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}\stubpath = "C:\\Windows\\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe" | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B81674-4271-4b43-A106-7F75F63955D7} | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{781E4282-4994-4391-B342-15B572088883} | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{781E4282-4994-4391-B342-15B572088883}\stubpath = "C:\\Windows\\{781E4282-4994-4391-B342-15B572088883}.exe" | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0028D2C-C8C8-48fc-B227-46F3007D79FC} | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A06BC06B-4F29-43c4-86C7-AA55F106565F} | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53404B33-473F-4be6-A7D1-D5DB573439F3}\stubpath = "C:\\Windows\\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe" | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9629E476-A30D-4cdd-A735-B579DD2A307D} | {F00AAA7D-4694-4436-9E58-B37222213553}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1918BBE8-CB09-4cc6-92E1-D0887A785C23} | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}\stubpath = "C:\\Windows\\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe" | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B81674-4271-4b43-A106-7F75F63955D7}\stubpath = "C:\\Windows\\{81B81674-4271-4b43-A106-7F75F63955D7}.exe" | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
Executes dropped EXE 12 IoCs

pid | Process
2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe
2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe
1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
4760 | {781E4282-4994-4391-B342-15B572088883}.exe
4240 | {FF39B152-4D89-480e-B0E9-02C15422758B}.exe
Drops file in Windows directory 12 IoCs

description | ioc | Process
File created | C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe | {81B81674-4271-4b43-A106-7F75F63955D7}.exe
File created | C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
File created | C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe | {781E4282-4994-4391-B342-15B572088883}.exe
File created | C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
File created | C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
File created | C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | {F00AAA7D-4694-4436-9E58-B37222213553}.exe
File created | C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
File created | C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
File created | C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
File created | C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
File created | C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
File created | C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs

description | pid | Process
Token: SeIncBasePriorityPrivilege | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
Token: SeIncBasePriorityPrivilege | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
Token: SeIncBasePriorityPrivilege | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
Token: SeIncBasePriorityPrivilege | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
Token: SeIncBasePriorityPrivilege | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe
Token: SeIncBasePriorityPrivilege | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
Token: SeIncBasePriorityPrivilege | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
Token: SeIncBasePriorityPrivilege | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
Token: SeIncBasePriorityPrivilege | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe
Token: SeIncBasePriorityPrivilege | 1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
Token: SeIncBasePriorityPrivilege | 4760 | {781E4282-4994-4391-B342-15B572088883}.exe
Suspicious use of WriteProcessMemory 64 IoCs

description | pid | Process | procid_target
PID 3456 wrote to memory of 2012 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 97
PID 3456 wrote to memory of 2012 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 97
PID 3456 wrote to memory of 2012 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 97
PID 3456 wrote to memory of 4684 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 98
PID 3456 wrote to memory of 4684 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 98
PID 3456 wrote to memory of 4684 | 3456 | 2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe | 98
PID 2012 wrote to memory of 4232 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 99
PID 2012 wrote to memory of 4232 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 99
PID 2012 wrote to memory of 4232 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 99
PID 2012 wrote to memory of 940 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 100
PID 2012 wrote to memory of 940 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 100
PID 2012 wrote to memory of 940 | 2012 | {F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe | 100
PID 4232 wrote to memory of 2648 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 102
PID 4232 wrote to memory of 2648 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 102
PID 4232 wrote to memory of 2648 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 102
PID 4232 wrote to memory of 2080 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 103
PID 4232 wrote to memory of 2080 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 103
PID 4232 wrote to memory of 2080 | 4232 | {5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe | 103
PID 2648 wrote to memory of 1180 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 104
PID 2648 wrote to memory of 1180 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 104
PID 2648 wrote to memory of 1180 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 104
PID 2648 wrote to memory of 4556 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 105
PID 2648 wrote to memory of 4556 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 105
PID 2648 wrote to memory of 4556 | 2648 | {A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe | 105
PID 1180 wrote to memory of 1820 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 106
PID 1180 wrote to memory of 1820 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 106
PID 1180 wrote to memory of 1820 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 106
PID 1180 wrote to memory of 452 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 107
PID 1180 wrote to memory of 452 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 107
PID 1180 wrote to memory of 452 | 1180 | {53404B33-473F-4be6-A7D1-D5DB573439F3}.exe | 107
PID 1820 wrote to memory of 2996 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 108
PID 1820 wrote to memory of 2996 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 108
PID 1820 wrote to memory of 2996 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 108
PID 1820 wrote to memory of 2360 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 109
PID 1820 wrote to memory of 2360 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 109
PID 1820 wrote to memory of 2360 | 1820 | {F00AAA7D-4694-4436-9E58-B37222213553}.exe | 109
PID 2996 wrote to memory of 2240 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 110
PID 2996 wrote to memory of 2240 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 110
PID 2996 wrote to memory of 2240 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 110
PID 2996 wrote to memory of 3472 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 111
PID 2996 wrote to memory of 3472 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 111
PID 2996 wrote to memory of 3472 | 2996 | {9629E476-A30D-4cdd-A735-B579DD2A307D}.exe | 111
PID 2240 wrote to memory of 3384 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 112
PID 2240 wrote to memory of 3384 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 112
PID 2240 wrote to memory of 3384 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 112
PID 2240 wrote to memory of 2172 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 113
PID 2240 wrote to memory of 2172 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 113
PID 2240 wrote to memory of 2172 | 2240 | {1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe | 113
PID 3384 wrote to memory of 5000 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 114
PID 3384 wrote to memory of 5000 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 114
PID 3384 wrote to memory of 5000 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 114
PID 3384 wrote to memory of 2908 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 115
PID 3384 wrote to memory of 2908 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 115
PID 3384 wrote to memory of 2908 | 3384 | {04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe | 115
PID 5000 wrote to memory of 1980 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 116
PID 5000 wrote to memory of 1980 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 116
PID 5000 wrote to memory of 1980 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 116
PID 5000 wrote to memory of 1072 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 117
PID 5000 wrote to memory of 1072 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 117
PID 5000 wrote to memory of 1072 | 5000 | {81B81674-4271-4b43-A106-7F75F63955D7}.exe | 117
PID 1980 wrote to memory of 4760 | 1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe | 118
PID 1980 wrote to memory of 4760 | 1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe | 118
PID 1980 wrote to memory of 4760 | 1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe | 118
PID 1980 wrote to memory of 3924 | 1980 | {9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe | 119
Processes

Process tree (indentation shows the parent/child level reported by the sandbox):

C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3456
  C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
    Command line: C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2012
    C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
      Command line: C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4232
      C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
        Command line: C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2648
        C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
          Command line: C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1180
          C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
            Command line: C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1820
            C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
              Command line: C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2996
              C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
                Command line: C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2240
                C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
                  Command line: C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 3384
                  C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
                    Command line: C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 5000
                    C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
                      Command line: C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      PID: 1980
                      C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
                        Command line: C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        PID: 4760
                        C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe
                          Command line: C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe
                          - Executes dropped EXE
                          PID: 4240
                        C:\Windows\SysWOW64\cmd.exe
                          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{781E4~1.EXE > nul
                          PID: 4340
                      C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9D2B2~1.EXE > nul
                        PID: 3924
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{81B81~1.EXE > nul
                      PID: 1072
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{04D65~1.EXE > nul
                    PID: 2908
                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1918B~1.EXE > nul
                  PID: 2172
              C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9629E~1.EXE > nul
                PID: 3472
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F00AA~1.EXE > nul
              PID: 2360
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{53404~1.EXE > nul
            PID: 452
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A06BC~1.EXE > nul
          PID: 4556
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5746D~1.EXE > nul
        PID: 2080
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F0028~1.EXE > nul
      PID: 940
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 4684
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 168KB
MD5: 5503d5f3700cf9ef57f377d4bc48722f
SHA1: efea76922870236a26f1375ed07fbc1061193a6a
SHA256: 69e599be5f867b97d069fe636bb9908b33518660f9bbd6904f16a209c92a20e2
SHA512: bb9a2a416bbba7f759e66ba0df6539c4d36d19228129d1ff848c1195a92e9b470ac64f4678dd3a8e4759e5eee562822ad97708e733cd8f8f4cde2302950b2f41

Filesize: 168KB
MD5: 937db7ecd920cc71be64d74b68bc523f
SHA1: 4049ca279f241ca6cb40e78af5765b32c8e79e42
SHA256: 5b30ded4e5c7192be22fab5c659ca2f6912801b5fb20db8714d6ade10a8127bb
SHA512: e9f4dedaf5c7b18c72b23836fabced5123764728bbb6d4a69260dbca28dc4f107acf55f2af7dc9708987bfb2897a89126ede7e7455b30cd823d31eb524516d06

Filesize: 168KB
MD5: b9f4480a11a2b2058c4518d0609a59e2
SHA1: 87c4fbb5a6e900104c5dd81709e951c6d27846b9
SHA256: f0cd7d0cd45762253e8df0b36c2a49dea9ab4931640f1f48bafce356b7e81202
SHA512: 5b0dcab864e75b5a9deb6a6f3fa0880fca39ae71e827e12b6bd3837fe8ebf627261dff1a580c66c025867a173079f39980c64b34b88732006fb1569e87c31b35

Filesize: 168KB
MD5: a2545b19f93d994754edf811546212f0
SHA1: 94de568cb62922fdb27a416ec2e15a627df3ca38
SHA256: 55f91a17e6455092ddf42e8c24d14e6678814e135194addcb1250dab0da2f729
SHA512: a51d50190283be94ef24b873cbe0909384a0d3bddcc45f37da7693272047ff145aa8cacce42efa904feb800b19a88242ea2f63d0d14e73231513af54541ae87d

Filesize: 168KB
MD5: 23c8650632b111ac326025c4fa49be96
SHA1: 0561e1213302ee8242dc87069e8665aeb0bbb026
SHA256: 7d883f07b0f9833e21c3c0d8100eddc31731116c6256c85fe1eb93c788e82bc8
SHA512: ce9305f14b0e5dd0072b15b445838d333510762e1c0c676cb86f9e545573bf5b0992fd0712d2bcf0507e9dfe05b985407d263e2d2c9ad8b1229e96fd62e90649

Filesize: 168KB
MD5: 16456c392ab1ac15cf3ea1eeb72b9227
SHA1: 71b72d4e3d395b9c7489011dd31ad89d949d803e
SHA256: 0ed847e66ec013aa65e177093696f4e63745f882a19b859a27769b2fd8e9158a
SHA512: ee069f6c7bc2b4514b981d9b60f7ef470bb04edd10b9f24619dc614868aeeebad0c50929ebe009296c2a25cec19c0d69448cdb9f26e5b6db078ec387f8e95132

Filesize: 168KB
MD5: 61b1e983912a7fb22b4e6bcc8a195514
SHA1: 35800dc9e1f91d6e007a6225e29cacf1c33e427a
SHA256: de8849e03a90b14fdd402dba6caf6441cb08c0ffc546a2b31f792dbeeef5d290
SHA512: 65eb4246899a1b521ada3d0bb4eae173fd6ffdb8c6c954e4ff02e3f35d29b8aa91210a25503af421902c8f7bd576eb11f3ff2e7e1fda63856afff8c3c7539b14

Filesize: 168KB
MD5: 61a20dece937e23d96f1aa516302ffb3
SHA1: 4a1881523e1532385369997a71073ff642f5f497
SHA256: 69bfe42ef18fac805f6dff8652732142196bda7fb9735eff25a309a803eb710e
SHA512: 7b619e82f44ff0c19238a1ab21035826c9cd5bb2f652705878e2ad781a53955ed13a33f9c43bfce862159fe2821a98196fa7bd1bcd050d57681154d423181656

Filesize: 168KB
MD5: 38edfa87fccb3960a152c36502cfc34d
SHA1: a2f95c2795b0142da540b69f4b178b16a0e4acb9
SHA256: 09647d3d07fe8b9c813f924a5187a00f9e765a6620f5ee1112245aa375a0dfaf
SHA512: ebdfa1fd858187c1b4a1a43d3c9c062fc7a890efe5bafd89d0bc24daa5a320d0aeb7759251d587e1152d3c5a425154a096ac079401abb6712c92ef4326e88050

Filesize: 168KB
MD5: efd6d767e4f57454981d415a47670337
SHA1: 7f97b0423d120fc070667c33915227a4629d7008
SHA256: c1d2738cbe617f84cb3e47967e8cd8e9cb93f58b27acbbdd88fb76842f9e3095
SHA512: 47326d522833a0cdcda8f9e4226a101b3e120a0570ed075838bbdfa0619a56e54efdcab884ae3ab0049ce5e84273d5baccd62c40f433e5d6e83bba0772e0084d

Filesize: 168KB
MD5: dd44912abde6bae5a8788a21ec18f32e
SHA1: fd951d9cd432c6de0a64adac38d5802909a1903a
SHA256: 728ca5b32a4f68d428dfc29a5be763c514f492da43ad0870e4f8f14d1b26d138
SHA512: 06ad759d8a94cffa8a9344083372a46219d6a19ac06da8b7b5f8db51ec5e997b23cba913ae2127912f6ea3fee5618768ffa84fbc8a5b16c396df630b402a394c

Filesize: 168KB
MD5: c7f39e8aea732518075331a8772c1c33
SHA1: 21719fa4700e734529936c598d9fcb0ae5afb43d
SHA256: 1570ff7449c35e53b15e78481ffb88b5a6a1e93cb4a8444781c484a17e9a4a98
SHA512: 43fc2691f9fb08599a6828da92dcd8b83efdf325004a3a848c2009f5e75e24a5203998ee45ccae2bfabec08e65576edd9084d1ae5845c37e4b70f2794a5deafa