Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Size: 204KB
MD5: 956e79eb73c9143bd4d4050b31e4b8fa
SHA1: f793eccb9add50c4d1708dbfe061b12808c5c07e
SHA256: dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735
SHA512: 74ef24b0ef1bb0b79b5c1410ec2471e3723c152236c65849c0251adafa4245f022fa741112a5503458cc0325fe7108233a8598fffce9d72a2581cbaa00742e11
SSDEEP: 1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002341f-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023414-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023425-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023414-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbd-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fbe-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fbd-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880} | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}\stubpath = "C:\\Windows\\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe" | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D018DCC-20B1-4859-8016-A6A8A570A740}\stubpath = "C:\\Windows\\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe" | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0883C9-91F7-416e-8D41-423E7FECE663}\stubpath = "C:\\Windows\\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe" | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C3CE43-5EDB-4392-886A-9C8E850710C4}\stubpath = "C:\\Windows\\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe" | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE611F99-0E39-446a-8918-AE3DC8D61DEA} | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49496341-2A68-4c9e-85D7-C07D08C35280}\stubpath = "C:\\Windows\\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe" | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040B4ABB-671C-4e34-BC97-8CEF2D607407}\stubpath = "C:\\Windows\\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe" | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}\stubpath = "C:\\Windows\\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe" | {C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}\stubpath = "C:\\Windows\\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe" | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}\stubpath = "C:\\Windows\\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe" | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46D709-0177-4623-930A-519CE3BF3E17}\stubpath = "C:\\Windows\\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe" | {899B4096-D491-442b-9141-37C67BC4DF16}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6195716-AE9A-45f9-8F48-C1D4AEE70017} | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD0883C9-91F7-416e-8D41-423E7FECE663} | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{899B4096-D491-442b-9141-37C67BC4DF16} | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}\stubpath = "C:\\Windows\\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe" | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D018DCC-20B1-4859-8016-A6A8A570A740} | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E46D709-0177-4623-930A-519CE3BF3E17} | {899B4096-D491-442b-9141-37C67BC4DF16}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C3CE43-5EDB-4392-886A-9C8E850710C4} | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F} | {C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49496341-2A68-4c9e-85D7-C07D08C35280} | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{040B4ABB-671C-4e34-BC97-8CEF2D607407} | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9791BA93-6E33-40f0-A5FB-5257BDAF337B} | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{899B4096-D491-442b-9141-37C67BC4DF16}\stubpath = "C:\\Windows\\{899B4096-D491-442b-9141-37C67BC4DF16}.exe" | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
Executes dropped EXE (11 IoCs)
pid | Process
3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe
1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe
2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe
4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
4264 | {C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
File created | C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
File created | C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe | {899B4096-D491-442b-9141-37C67BC4DF16}.exe
File created | C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe
File created | C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
File created | C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
File created | C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
File created | C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe | {C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
File created | C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe
File created | C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
File created | C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
File created | C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe
Token: SeIncBasePriorityPrivilege | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
Token: SeIncBasePriorityPrivilege | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
Token: SeIncBasePriorityPrivilege | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
Token: SeIncBasePriorityPrivilege | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
Token: SeIncBasePriorityPrivilege | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
Token: SeIncBasePriorityPrivilege | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe
Token: SeIncBasePriorityPrivilege | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe
Token: SeIncBasePriorityPrivilege | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
Token: SeIncBasePriorityPrivilege | 1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3556 wrote to memory of 3688 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 87
PID 3556 wrote to memory of 3688 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 87
PID 3556 wrote to memory of 3688 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 87
PID 3556 wrote to memory of 3520 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 88
PID 3556 wrote to memory of 3520 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 88
PID 3556 wrote to memory of 3520 | 3556 | 2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe | 88
PID 3688 wrote to memory of 1700 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 89
PID 3688 wrote to memory of 1700 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 89
PID 3688 wrote to memory of 1700 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 89
PID 3688 wrote to memory of 4360 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 90
PID 3688 wrote to memory of 4360 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 90
PID 3688 wrote to memory of 4360 | 3688 | {49496341-2A68-4c9e-85D7-C07D08C35280}.exe | 90
PID 1700 wrote to memory of 792 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 92
PID 1700 wrote to memory of 792 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 92
PID 1700 wrote to memory of 792 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 92
PID 1700 wrote to memory of 4088 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 93
PID 1700 wrote to memory of 4088 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 93
PID 1700 wrote to memory of 4088 | 1700 | {040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe | 93
PID 792 wrote to memory of 3664 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 94
PID 792 wrote to memory of 3664 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 94
PID 792 wrote to memory of 3664 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 94
PID 792 wrote to memory of 3700 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 95
PID 792 wrote to memory of 3700 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 95
PID 792 wrote to memory of 3700 | 792 | {ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe | 95
PID 3664 wrote to memory of 672 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 96
PID 3664 wrote to memory of 672 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 96
PID 3664 wrote to memory of 672 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 96
PID 3664 wrote to memory of 4560 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 97
PID 3664 wrote to memory of 4560 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 97
PID 3664 wrote to memory of 4560 | 3664 | {9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe | 97
PID 672 wrote to memory of 1208 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 98
PID 672 wrote to memory of 1208 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 98
PID 672 wrote to memory of 1208 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 98
PID 672 wrote to memory of 1612 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 99
PID 672 wrote to memory of 1612 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 99
PID 672 wrote to memory of 1612 | 672 | {1D018DCC-20B1-4859-8016-A6A8A570A740}.exe | 99
PID 1208 wrote to memory of 1796 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 100
PID 1208 wrote to memory of 1796 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 100
PID 1208 wrote to memory of 1796 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 100
PID 1208 wrote to memory of 1012 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 101
PID 1208 wrote to memory of 1012 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 101
PID 1208 wrote to memory of 1012 | 1208 | {DD0883C9-91F7-416e-8D41-423E7FECE663}.exe | 101
PID 1796 wrote to memory of 2272 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 102
PID 1796 wrote to memory of 2272 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 102
PID 1796 wrote to memory of 2272 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 102
PID 1796 wrote to memory of 2460 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 103
PID 1796 wrote to memory of 2460 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 103
PID 1796 wrote to memory of 2460 | 1796 | {899B4096-D491-442b-9141-37C67BC4DF16}.exe | 103
PID 2272 wrote to memory of 4680 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 104
PID 2272 wrote to memory of 4680 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 104
PID 2272 wrote to memory of 4680 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 104
PID 2272 wrote to memory of 3248 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 105
PID 2272 wrote to memory of 3248 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 105
PID 2272 wrote to memory of 3248 | 2272 | {3E46D709-0177-4623-930A-519CE3BF3E17}.exe | 105
PID 4680 wrote to memory of 1476 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 106
PID 4680 wrote to memory of 1476 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 106
PID 4680 wrote to memory of 1476 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 106
PID 4680 wrote to memory of 4528 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 107
PID 4680 wrote to memory of 4528 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 107
PID 4680 wrote to memory of 4528 | 4680 | {41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe | 107
PID 1476 wrote to memory of 4264 | 1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe | 108
PID 1476 wrote to memory of 4264 | 1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe | 108
PID 1476 wrote to memory of 4264 | 1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe | 108
PID 1476 wrote to memory of 4424 | 1476 | {EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe | 109
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3556
[level 2] C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe
  command line: C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3688
[level 3] C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
  command line: C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1700
[level 4] C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
  command line: C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 792
[level 5] C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
  command line: C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3664
[level 6] C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
  command line: C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 672
[level 7] C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
  command line: C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1208
[level 8] C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe
  command line: C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1796
[level 9] C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe
  command line: C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2272
[level 10] C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
  command line: C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4680
[level 11] C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
  command line: C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1476
[level 12] C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
  command line: C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 4264
[level 13] C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe
  command line: C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe
  PID: 1768
[level 13] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C6195~1.EXE > nul
  PID: 4604
[level 12] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EE611~1.EXE > nul
  PID: 4424
[level 11] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{41C3C~1.EXE > nul
  PID: 4528
[level 10] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3E46D~1.EXE > nul
  PID: 3248
[level 9] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{899B4~1.EXE > nul
  PID: 2460
[level 8] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DD088~1.EXE > nul
  PID: 1012
[level 7] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1D018~1.EXE > nul
  PID: 1612
[level 6] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9791B~1.EXE > nul
  PID: 4560
[level 5] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC31~1.EXE > nul
  PID: 3700
[level 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{040B4~1.EXE > nul
  PID: 4088
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{49496~1.EXE > nul
  PID: 4360
[level 2] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 3520
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
MD5: e57ea85cbf1d17ea7be0c49c5d039c6d
SHA1: 1c0bbab0b2a01ad1dea1ed3afd9e798dc63afdc0
SHA256: e1be7697b9c7952fa040776a4f2bedaa7b5aa48ec6ef8c3adbb608b60fcb062d
SHA512: 0fe656a879d67c5c37c52a294ae750e3212ac0e2239f590b8abaaec11abe157f395738f04d7d3485d574ed959999bb8250cbad910cba58f675f4bef427f662a5

Filesize: 204KB
MD5: bede3e0ae9c12d211e91b980474195d4
SHA1: 69046e0a21b64b9003c651c4f36e46868d60bd43
SHA256: 4539c18a48ff8013a24f563817d86e789fdec4e2b95b62e356fb8a111700a816
SHA512: 3231be24719f41e596f1df564ff7354c8b213fc07991e36a48ca48aa6dcaa091399bbafac119466d990233e5428ca55c6b823f5a8c1db2ca32d1d6754f5900eb

Filesize: 204KB
MD5: b7a5849516ebf596a8968519f434dd04
SHA1: ea7f786e125337be151fdf2846f0f1a2072ba985
SHA256: 6a5b6e360cb1f4e734d92194878630f4a702303eb665bc549a71401df21ff6fe
SHA512: b597f29ffa0a22780f6e5ebc6a4ccf50b812c4a103776654798e7bc1448c7cfa1467db7359ef3c61b67c5d072260df5fbc74e64d82a9e6c1d7e9683b6ef2caca

Filesize: 204KB
MD5: 8efcbd69ffd5aaa08efd686662da4aa3
SHA1: 90610c5802b4b88fc3c948d5b73ceb0013af350e
SHA256: 2b4695b9ca803d2c6126f7f3b4924cfbd0a8f5cc6fc265c81229b7e2f798969e
SHA512: bbc69c6962b7ebe93a13b00bd314110d706ec2a68a72783d72e87cee542bb4e275aa90d24979634f2447cdeba3aa59cce843dadc93862cb35d7086b7e6d8326f

Filesize: 204KB
MD5: ba89e21ddbf956b4410b215cdaf420a2
SHA1: 0c5853b5ef41a246ff1276d3628ce907091d833b
SHA256: 05bf3f70a9a371e7d19a649e3953c4b97559bf9ecf9b6be084dfd39770ed6230
SHA512: 8da89c432d10b1788b92e80462f1e17a52f103c3eacaad172b4cf17ff5b43e9e2ed0d685dc948dd8f7337dd724f5efa61f2328486e05e484cde54c3fd5cd702e

Filesize: 204KB
MD5: 696da16c0744330c710076b5fe8a5ca9
SHA1: e13c9ed5be10cc8b88010593680fa4bd4e71f4ea
SHA256: db4c58591993c1b1776d1a68d239a9397d85f36bdb3d5b79c43dc63c4cb61912
SHA512: c3b3db2f2b6b4afea948debd20380b2356ffe28043ea17181baada05b62f22bb89b2621d7e234cf0ffeeaf4a1bb47aa1262c7ee6696c1546dcf4a1532cde74f6

Filesize: 204KB
MD5: 8a169f855fb37098aca2896d4a104a56
SHA1: 84c1a5cae26fdfd02f71373e3693163de7db118c
SHA256: b7fe7f5b89e5ba5c4c6eed4913a23a3d8e58f94480941eb018b2b9e57a1367f4
SHA512: fffca775c11e6294b9715089ab8aae3f8d65754e449913b443c31e4ea61d98bd8763b82a77d188ed60991cda79d59287e5d8f209f2fad840cc3ee78375985fb1

Filesize: 204KB
MD5: a12990cd6df11e77df25d0f3d13d18ee
SHA1: 609d2ea5b3d646b302c961d286188b7cefb6ba72
SHA256: 01c0c9d3201a8cf64f05bfb94337ff9a6ea6d1b19fb62d9865fc6f46330dc7dd
SHA512: 24038e8d09674c8006336ccfc13134f54a41c06472fa27055ad083c029ecb0f251879b80bdf97947055990d6acc727171e2943c33a7724ac2cc7c14459ac2d0a

Filesize: 204KB
MD5: b4e23f2f31ee913c36b87665710e748e
SHA1: fbd1223adacc06aa9602cf87368686887b9cb75e
SHA256: 1b72edf103965667a2f918901052bf1a714a91ea48779ee55edc3bc5788341a9
SHA512: 326c9749d94adcf7f7883cf69f9043909d2728742adb626a2d63e5a784dc9c19c34865eed9dbdafefdf2f45024f1927aff869364b120b89805fd266990132d36

Filesize: 204KB
MD5: 89372dcd8f842643ff47feffeef2fc57
SHA1: 2b562a7ebef95c1caf88bd26f7d61e92455f0bde
SHA256: fc3fb6c61573409fa15d6ac0e39b3e1d617ad6338fd288c44a0afd7ec998edc2
SHA512: ad7efeb592bbd9a399c4bf3029adea9f61d53e3cfb582a5c3c7890c0dcfa6627992932e1d62d66461a2275e2c398c51ae69d3aea433d2b4e0d90f5e4a55b3d32

Filesize: 204KB
MD5: 34a80bdd54c8eae4ecd64c6fe76a9f30
SHA1: 8bdad8e1836f41727afbe1645ef07a8410907c69
SHA256: fadae684c495841f6ab9197aa72872ff9f7fb6211e2187dd2305d018ee24ceb3
SHA512: 01aa638582380f1df55c355ccf5529a94703035f0a86d83b808afb4e9c4ae963a30ce0e519457fa2536f5c00fd4eef388d349b8d0161d6e7a00cb92cab3a1c0d

Filesize: 204KB
MD5: c00874c804063598462f2db14c6990a4
SHA1: c52eaf0cdc62d7457f9681f403a80a03f212a73c
SHA256: 495d50eaba92c93e8e962fecce442075dff12da0b16f72dc66cb40e333104c02
SHA512: db5a2987147a1c0985fd37683fadb8100467b9c4df10a67be22088c3e84cec79c557f8d41b7458366506118b81f0a0158539479244c18aa7ab2bc7e98fd94441