Analysis
- max time kernel: 144s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:40
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
- Size: 197KB
- MD5: 7ab09cf27c3f40c2dda8d177614af4df
- SHA1: c5641c003869f3c35b8c35158bd902d77481dcc6
- SHA256: 9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd
- SHA512: 989f7d057c91f946c0e4d195d04c4abf65487c2b509332ff1c8657df5df078bde4e952cb0e2697211887a29453c9d51d82d571df9025b06aa4ca95c5eb9a4964
- SSDEEP: 3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000014133-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c99-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015e9a-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6B6362-46DB-4512-A5A8-7D07E4C49501} | {2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}\stubpath = "C:\\Windows\\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe" | {BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032110C9-AC34-422d-A53A-441348EEEA94} | {FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0} | {032110C9-AC34-422d-A53A-441348EEEA94}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}\stubpath = "C:\\Windows\\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe" | {EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07204088-DD8A-4b39-9959-77ABA5B0EC3D} | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8195CC8F-512C-464f-A280-437245459717}\stubpath = "C:\\Windows\\{8195CC8F-512C-464f-A280-437245459717}.exe" | {07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2} | {971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}\stubpath = "C:\\Windows\\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe" | {971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF789B63-7607-476a-83CB-91E1DC5E07E9}\stubpath = "C:\\Windows\\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe" | {E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8195CC8F-512C-464f-A280-437245459717} | {07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8} | {8195CC8F-512C-464f-A280-437245459717}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B151C70-8844-460c-A4F5-47EA5CC04EEC} | {ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}\stubpath = "C:\\Windows\\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe" | {ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A} | {BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A} | {EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF789B63-7607-476a-83CB-91E1DC5E07E9} | {E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}\stubpath = "C:\\Windows\\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe" | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}\stubpath = "C:\\Windows\\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe" | {8195CC8F-512C-464f-A280-437245459717}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}\stubpath = "C:\\Windows\\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe" | {2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032110C9-AC34-422d-A53A-441348EEEA94}\stubpath = "C:\\Windows\\{032110C9-AC34-422d-A53A-441348EEEA94}.exe" | {FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}\stubpath = "C:\\Windows\\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe" | {032110C9-AC34-422d-A53A-441348EEEA94}.exe
Executes dropped EXE (11 IoCs)
pid | Process
2988 | {07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
2672 | {8195CC8F-512C-464f-A280-437245459717}.exe
2424 | {ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
2028 | {2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
2792 | {BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
2156 | {971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
1920 | {FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
640 | {032110C9-AC34-422d-A53A-441348EEEA94}.exe
2944 | {EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
1096 | {E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
1432 | {FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe | {ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
File created | C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe | {2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
File created | C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe | {BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
File created | C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe | {971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
File created | C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe | {EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
File created | C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe | {E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
File created | C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
File created | C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe | {07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
File created | C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe | {8195CC8F-512C-464f-A280-437245459717}.exe
File created | C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe | {FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
File created | C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe | {032110C9-AC34-422d-A53A-441348EEEA94}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2892 | 2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2988 | {07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
Token: SeIncBasePriorityPrivilege | 2672 | {8195CC8F-512C-464f-A280-437245459717}.exe
Token: SeIncBasePriorityPrivilege | 2424 | {ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
Token: SeIncBasePriorityPrivilege | 2028 | {2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
Token: SeIncBasePriorityPrivilege | 2792 | {BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
Token: SeIncBasePriorityPrivilege | 2156 | {971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
Token: SeIncBasePriorityPrivilege | 1920 | {FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
Token: SeIncBasePriorityPrivilege | 640 | {032110C9-AC34-422d-A53A-441348EEEA94}.exe
Token: SeIncBasePriorityPrivilege | 2944 | {EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
Token: SeIncBasePriorityPrivilege | 1096 | {E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe (PID 2892)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2: C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe (PID 2988)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe (PID 2672)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 4: C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe (PID 2424)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe (PID 2028)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 6: C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe (PID 2792)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe (PID 2156)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 8: C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe (PID 1920)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe (PID 640)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
depth 10: C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe (PID 2944)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
depth 11: C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe (PID 1096)
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
depth 12: C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe (PID 1432)
  - Executes dropped EXE
depth 12: C:\Windows\SysWOW64\cmd.exe (PID 2920)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E3DAB~1.EXE > nul
depth 11: C:\Windows\SysWOW64\cmd.exe (PID 2036)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EA932~1.EXE > nul
depth 10: C:\Windows\SysWOW64\cmd.exe (PID 1760)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{03211~1.EXE > nul
depth 9: C:\Windows\SysWOW64\cmd.exe (PID 2588)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE4C5~1.EXE > nul
depth 8: C:\Windows\SysWOW64\cmd.exe (PID 672)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{971A2~1.EXE > nul
depth 7: C:\Windows\SysWOW64\cmd.exe (PID 2020)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6B6~1.EXE > nul
depth 6: C:\Windows\SysWOW64\cmd.exe (PID 2800)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B151~1.EXE > nul
depth 5: C:\Windows\SysWOW64\cmd.exe (PID 2644)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAB2~1.EXE > nul
depth 4: C:\Windows\SysWOW64\cmd.exe (PID 812)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8195C~1.EXE > nul
depth 3: C:\Windows\SysWOW64\cmd.exe (PID 2832)
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{07204~1.EXE > nul
depth 2: C:\Windows\SysWOW64\cmd.exe (PID 856)
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads