Analysis
max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
  Resource: win10v2004-20240611-en
General
Target: 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Size: 197KB
MD5: 50c172c6f6287f85183ca033525e3bd8
SHA1: e864c4444e97779c074d08522cf8d39d351b9ea0
SHA256: a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee
SHA512: 73d799742498a9bb2cea7af12c222fe7eaa214a5446e42212f7ede492a83094e25bf7084d2e449d651b1106cbb0dd9971d8843469c8e2440259ab1c649e9f765
SSDEEP: 3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000a00000002336c-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341b-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022f1f-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022f22-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022f1f-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022f22-21.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022f1f-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022f22-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022f1f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022f22-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022f1f-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022f22-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F843788-F64B-44ad-B95B-6C670784A565} | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}\stubpath = "C:\\Windows\\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe" | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5} | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C} | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A53E0-C418-49bb-B824-D572D968ABDB} | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A718273E-E3E6-40e0-8A61-8B0BA487DABE} | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}\stubpath = "C:\\Windows\\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe" | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}\stubpath = "C:\\Windows\\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe" | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}\stubpath = "C:\\Windows\\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe" | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA82FB4-8392-4848-A949-93357B0D7EB7} | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA82FB4-8392-4848-A949-93357B0D7EB7}\stubpath = "C:\\Windows\\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe" | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA861259-F217-40a7-A2B8-0157213E5EAB}\stubpath = "C:\\Windows\\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe" | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8} | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F843788-F64B-44ad-B95B-6C670784A565}\stubpath = "C:\\Windows\\{4F843788-F64B-44ad-B95B-6C670784A565}.exe" | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AF340E-DC64-481a-8A99-1BEB784648D1} | {4F843788-F64B-44ad-B95B-6C670784A565}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AF340E-DC64-481a-8A99-1BEB784648D1}\stubpath = "C:\\Windows\\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe" | {4F843788-F64B-44ad-B95B-6C670784A565}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5078ECA-D536-43c5-80B0-7E0DD231F52C} | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{771A53E0-C418-49bb-B824-D572D968ABDB}\stubpath = "C:\\Windows\\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe" | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA861259-F217-40a7-A2B8-0157213E5EAB} | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}\stubpath = "C:\\Windows\\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe" | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}\stubpath = "C:\\Windows\\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe" | {A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8} | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}\stubpath = "C:\\Windows\\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe" | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C} | {A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
Executes dropped EXE (12 IoCs)
pid | Process
5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe
1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe
4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
3552 | {A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
3004 | {A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe | {A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
File created | C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
File created | C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | {4F843788-F64B-44ad-B95B-6C670784A565}.exe
File created | C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
File created | C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
File created | C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
File created | C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe
File created | C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
File created | C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
File created | C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
File created | C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
File created | C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe
Token: SeIncBasePriorityPrivilege | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
Token: SeIncBasePriorityPrivilege | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
Token: SeIncBasePriorityPrivilege | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
Token: SeIncBasePriorityPrivilege | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
Token: SeIncBasePriorityPrivilege | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
Token: SeIncBasePriorityPrivilege | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe
Token: SeIncBasePriorityPrivilege | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
Token: SeIncBasePriorityPrivilege | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
Token: SeIncBasePriorityPrivilege | 664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
Token: SeIncBasePriorityPrivilege | 3552 | {A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3908 wrote to memory of 5012 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 84
PID 3908 wrote to memory of 5012 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 84
PID 3908 wrote to memory of 5012 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 84
PID 3908 wrote to memory of 2076 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 85
PID 3908 wrote to memory of 2076 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 85
PID 3908 wrote to memory of 2076 | 3908 | 2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe | 85
PID 5012 wrote to memory of 1900 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 86
PID 5012 wrote to memory of 1900 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 86
PID 5012 wrote to memory of 1900 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 86
PID 5012 wrote to memory of 4840 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 87
PID 5012 wrote to memory of 4840 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 87
PID 5012 wrote to memory of 4840 | 5012 | {4F843788-F64B-44ad-B95B-6C670784A565}.exe | 87
PID 1900 wrote to memory of 1436 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 91
PID 1900 wrote to memory of 1436 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 91
PID 1900 wrote to memory of 1436 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 91
PID 1900 wrote to memory of 1980 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 92
PID 1900 wrote to memory of 1980 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 92
PID 1900 wrote to memory of 1980 | 1900 | {F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe | 92
PID 1436 wrote to memory of 1856 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 93
PID 1436 wrote to memory of 1856 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 93
PID 1436 wrote to memory of 1856 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 93
PID 1436 wrote to memory of 3564 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 94
PID 1436 wrote to memory of 3564 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 94
PID 1436 wrote to memory of 3564 | 1436 | {C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe | 94
PID 1856 wrote to memory of 4724 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 95
PID 1856 wrote to memory of 4724 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 95
PID 1856 wrote to memory of 4724 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 95
PID 1856 wrote to memory of 2664 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 96
PID 1856 wrote to memory of 2664 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 96
PID 1856 wrote to memory of 2664 | 1856 | {D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe | 96
PID 4724 wrote to memory of 4008 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 97
PID 4724 wrote to memory of 4008 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 97
PID 4724 wrote to memory of 4008 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 97
PID 4724 wrote to memory of 4852 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 98
PID 4724 wrote to memory of 4852 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 98
PID 4724 wrote to memory of 4852 | 4724 | {34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe | 98
PID 4008 wrote to memory of 4964 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 99
PID 4008 wrote to memory of 4964 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 99
PID 4008 wrote to memory of 4964 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 99
PID 4008 wrote to memory of 2424 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 100
PID 4008 wrote to memory of 2424 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 100
PID 4008 wrote to memory of 2424 | 4008 | {4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe | 100
PID 4964 wrote to memory of 4252 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 101
PID 4964 wrote to memory of 4252 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 101
PID 4964 wrote to memory of 4252 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 101
PID 4964 wrote to memory of 2408 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 102
PID 4964 wrote to memory of 2408 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 102
PID 4964 wrote to memory of 2408 | 4964 | {771A53E0-C418-49bb-B824-D572D968ABDB}.exe | 102
PID 4252 wrote to memory of 2264 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 103
PID 4252 wrote to memory of 2264 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 103
PID 4252 wrote to memory of 2264 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 103
PID 4252 wrote to memory of 3136 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 104
PID 4252 wrote to memory of 3136 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 104
PID 4252 wrote to memory of 3136 | 4252 | {2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe | 104
PID 2264 wrote to memory of 664 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 105
PID 2264 wrote to memory of 664 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 105
PID 2264 wrote to memory of 664 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 105
PID 2264 wrote to memory of 4276 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 106
PID 2264 wrote to memory of 4276 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 106
PID 2264 wrote to memory of 4276 | 2264 | {CA861259-F217-40a7-A2B8-0157213E5EAB}.exe | 106
PID 664 wrote to memory of 3552 | 664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe | 107
PID 664 wrote to memory of 3552 | 664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe | 107
PID 664 wrote to memory of 3552 | 664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe | 107
PID 664 wrote to memory of 2432 | 664 | {779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe | 108
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"
    PID: 3908
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2076
  [2] C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
      command line: C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
      PID: 5012
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4F843~1.EXE > nul
        PID: 4840
    [3] C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
        command line: C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
        PID: 1900
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AF3~1.EXE > nul
          PID: 1980
      [4] C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
          command line: C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
          PID: 1436
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C5078~1.EXE > nul
            PID: 3564
        [5] C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
            command line: C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
            PID: 1856
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FD3~1.EXE > nul
              PID: 2664
          [6] C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
              command line: C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
              PID: 4724
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34B0E~1.EXE > nul
                PID: 4852
            [7] C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
                command line: C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
                PID: 4008
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC4B~1.EXE > nul
                  PID: 2424
              [8] C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
                  command line: C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
                  PID: 4964
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{771A5~1.EXE > nul
                    PID: 2408
                [9] C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
                    command line: C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
                    PID: 4252
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA82~1.EXE > nul
                      PID: 3136
                  [10] C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
                      command line: C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
                      PID: 2264
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\SysWOW64\cmd.exe
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{CA861~1.EXE > nul
                        PID: 4276
                    [11] C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
                        command line: C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
                        PID: 664
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\SysWOW64\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{779DB~1.EXE > nul
                          PID: 2432
                      [12] C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
                          command line: C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
                          PID: 3552
                          - Modifies Installed Components in the registry
                          - Executes dropped EXE
                          - Drops file in Windows directory
                          - Suspicious use of AdjustPrivilegeToken
                        [13] C:\Windows\SysWOW64\cmd.exe
                            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A7182~1.EXE > nul
                            PID: 4536
                        [13] C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
                            command line: C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
                            PID: 3004
                            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads