Analysis

max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:28

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  Resource: win10v2004-20240226-en

General

Target: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Size: 168KB
MD5: 6f7eefc4dcc19cf96d504a8d70f186ec
SHA1: 7f401dcbab81163ca78f4126cde960da282c3e34
SHA256: 2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb
SHA512: 271dee908d308300a63dd805bc6a74868552df15d176d9526ab20a4db67c07534c035b97bb168f0a4cbc8de8085cfbf2c582999f17a4ac4c20c484d0ee8a256c
SSDEEP: 1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
(The signature hits and the process tree below come from behavioral task behavioral2, resource win10v2004-20240226-en.)
Auto-generated rule (13 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023210-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023205-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023218-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002310d-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023218-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002310d-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023218-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002310d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023218-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023218-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002310d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002310d-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the WOW6432Node view, consistent with the SysWOW64\cmd.exe image in the process tree, i.e. a 32-bit process). Each stage creates a key named after the next stage's GUID and points its stubpath at the EXE it drops in C:\Windows.
description | ioc (relative to the base key) | Process
Key created | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463} | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
Key created | {265103C9-430B-4f0a-9818-6BD7EE838406} | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
Key created | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C} | {B702087A-6271-48e1-B654-048916612255}.exe
Key created | {61D0E909-6E6C-4dc0-9649-8352FB05D048} | {A74D6168-E472-442b-AFA7-3A3270527283}.exe
Key created | {6033F77B-1201-4192-9A20-4578E4AC9D91} | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
Set value (str) | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}\stubpath = "C:\\Windows\\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe" | {B702087A-6271-48e1-B654-048916612255}.exe
Set value (str) | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}\stubpath = "C:\\Windows\\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe" | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
Set value (str) | {61D0E909-6E6C-4dc0-9649-8352FB05D048}\stubpath = "C:\\Windows\\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe" | {A74D6168-E472-442b-AFA7-3A3270527283}.exe
Set value (str) | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}\stubpath = "C:\\Windows\\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe" | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
Key created | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951} | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Set value (str) | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}\stubpath = "C:\\Windows\\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe" | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Key created | {9CBF6982-3869-43b0-821D-45007428D1F7} | {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
Set value (str) | {A74D6168-E472-442b-AFA7-3A3270527283}\stubpath = "C:\\Windows\\{A74D6168-E472-442b-AFA7-3A3270527283}.exe" | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
Set value (str) | {4230D073-77CD-453c-A048-C265E7B6C88C}\stubpath = "C:\\Windows\\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe" | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
Set value (str) | {B702087A-6271-48e1-B654-048916612255}\stubpath = "C:\\Windows\\{B702087A-6271-48e1-B654-048916612255}.exe" | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
Key created | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F} | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
Key created | {A74D6168-E472-442b-AFA7-3A3270527283} | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
Key created | {EB9947C9-53B0-48ce-BEC3-0F6418F63653} | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
Key created | {4230D073-77CD-453c-A048-C265E7B6C88C} | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
Set value (str) | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}\stubpath = "C:\\Windows\\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe" | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
Set value (str) | {6033F77B-1201-4192-9A20-4578E4AC9D91}\stubpath = "C:\\Windows\\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe" | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
Key created | {B702087A-6271-48e1-B654-048916612255} | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
Set value (str) | {265103C9-430B-4f0a-9818-6BD7EE838406}\stubpath = "C:\\Windows\\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe" | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
Set value (str) | {9CBF6982-3869-43b0-821D-45007428D1F7}\stubpath = "C:\\Windows\\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe" | {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
Executes dropped EXE (12 IoCs)
pid | Process
3932 | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
2620 | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
2760 | {B702087A-6271-48e1-B654-048916612255}.exe
1832 | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
4048 | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
3496 | {A74D6168-E472-442b-AFA7-3A3270527283}.exe
2080 | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
4516 | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
2232 | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
2564 | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
3024 | {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
2008 | {9CBF6982-3869-43b0-821D-45007428D1F7}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
File created | C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
File created | C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
File created | C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe | {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
File created | C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
File created | C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
File created | C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
File created | C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
File created | C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe | {B702087A-6271-48e1-B654-048916612255}.exe
File created | C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe | {A74D6168-E472-442b-AFA7-3A3270527283}.exe
File created | C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
File created | C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 464 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3932 | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
Token: SeIncBasePriorityPrivilege | 2620 | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
Token: SeIncBasePriorityPrivilege | 2760 | {B702087A-6271-48e1-B654-048916612255}.exe
Token: SeIncBasePriorityPrivilege | 1832 | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
Token: SeIncBasePriorityPrivilege | 4048 | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
Token: SeIncBasePriorityPrivilege | 3496 | {A74D6168-E472-442b-AFA7-3A3270527283}.exe
Token: SeIncBasePriorityPrivilege | 2080 | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
Token: SeIncBasePriorityPrivilege | 4516 | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
Token: SeIncBasePriorityPrivilege | 2232 | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
Token: SeIncBasePriorityPrivilege | 2564 | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
Token: SeIncBasePriorityPrivilege | 3024 | {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every write below is recorded three times in the report except the last, which appears once because the listing stops at 64 entries; the writes by PID 3024 to its children (2008 and 1052 in the process tree) fall outside the 64 and are not listed.
pid | Process | wrote to memory of (pid) | procid_target
464 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 3932 | 92
464 | 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe | 3940 | 93
3932 | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe | 2620 | 94
3932 | {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe | 1016 | 95
2620 | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe | 2760 | 98
2620 | {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe | 3184 | 99
2760 | {B702087A-6271-48e1-B654-048916612255}.exe | 1832 | 101
2760 | {B702087A-6271-48e1-B654-048916612255}.exe | 64 | 102
1832 | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe | 4048 | 103
1832 | {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe | 1396 | 104
4048 | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe | 3496 | 105
4048 | {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe | 1956 | 106
3496 | {A74D6168-E472-442b-AFA7-3A3270527283}.exe | 2080 | 107
3496 | {A74D6168-E472-442b-AFA7-3A3270527283}.exe | 4284 | 108
2080 | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe | 4516 | 109
2080 | {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe | 2716 | 110
4516 | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe | 2232 | 111
4516 | {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe | 4524 | 112
2232 | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe | 2564 | 113
2232 | {4230D073-77CD-453c-A048-C265E7B6C88C}.exe | 4380 | 114
2564 | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe | 3024 | 115
2564 | {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe | 232 | 116 (recorded once)
Processes
Indentation shows parent/child; depth and PID are as recorded by the sandbox. Each stage launches the next GUID-named EXE, then launches cmd.exe to delete its own image (the 8.3 short name of the file it was started from).

C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe  [depth 1, PID 464]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe  [depth 2, PID 3932]
    cmdline: C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe  [depth 3, PID 2620]
      cmdline: C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe  [depth 4, PID 2760]
        cmdline: C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe  [depth 5, PID 1832]
          cmdline: C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe  [depth 6, PID 4048]
            cmdline: C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe  [depth 7, PID 3496]
              cmdline: C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe  [depth 8, PID 2080]
                cmdline: C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe  [depth 9, PID 4516]
                  cmdline: C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe  [depth 10, PID 2232]
                    cmdline: C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe  [depth 11, PID 2564]
                      cmdline: C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe  [depth 12, PID 3024]
                        cmdline: C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe  [depth 13, PID 2008]
                          cmdline: C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe
                          - Executes dropped EXE
                        C:\Windows\SysWOW64\cmd.exe  [depth 13, PID 1052]
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{26510~1.EXE > nul
                      C:\Windows\SysWOW64\cmd.exe  [depth 12, PID 232]
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{FF609~1.EXE > nul
                    C:\Windows\SysWOW64\cmd.exe  [depth 11, PID 4380]
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{4230D~1.EXE > nul
                  C:\Windows\SysWOW64\cmd.exe  [depth 10, PID 4524]
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{EB994~1.EXE > nul
                C:\Windows\SysWOW64\cmd.exe  [depth 9, PID 2716]
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{61D0E~1.EXE > nul
              C:\Windows\SysWOW64\cmd.exe  [depth 8, PID 4284]
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{A74D6~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe  [depth 7, PID 1956]
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{96B07~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe  [depth 6, PID 1396]
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D459~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe  [depth 5, PID 64]
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{B7020~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 3184]
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{6033F~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe  [depth 3, PID 1016]
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B7F~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe  [depth 2, PID 3940]
    cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
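The three behaviours above (Active Setup stubpath writes, one dropped GUID-named EXE per stage, and a cmd.exe self-delete by 8.3 short name) can be pulled out of the report mechanically. The script below is an added example, not part of the sandbox report and not GoldenEye's own code. Its input is constructed from this page: the 12 "Set value (str)" registry lines and the 12 cmd.exe command lines. It flags every Active Setup StubPath whose executable is a bare GUID name, orders the stages by following which process wrote which StubPath (the same process that dropped that EXE, per "Drops file in Windows directory"), and maps each `del` target back to the stage it removes. Assumptions: the writer name recorded by the sandbox is the stage's own image name, and the 8.3 aliases carry a `~1` suffix (no name collisions on the volume).

```python
"""Added example, not part of the sandbox report: reconstruct the stage chain,
Active Setup persistence and self-deletion from this report's IoC lines."""
import re

# Constructed input: the 12 "Set value (str)" lines from "Modifies Installed
# Components in the registry", copied in the order the report lists them.
STUBPATH_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}\stubpath = "C:\\Windows\\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe" {B702087A-6271-48e1-B654-048916612255}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}\stubpath = "C:\\Windows\\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe" {0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D0E909-6E6C-4dc0-9649-8352FB05D048}\stubpath = "C:\\Windows\\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe" {A74D6168-E472-442b-AFA7-3A3270527283}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}\stubpath = "C:\\Windows\\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe" {61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}\stubpath = "C:\\Windows\\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe" 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74D6168-E472-442b-AFA7-3A3270527283}\stubpath = "C:\\Windows\\{A74D6168-E472-442b-AFA7-3A3270527283}.exe" {96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4230D073-77CD-453c-A048-C265E7B6C88C}\stubpath = "C:\\Windows\\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe" {EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B702087A-6271-48e1-B654-048916612255}\stubpath = "C:\\Windows\\{B702087A-6271-48e1-B654-048916612255}.exe" {6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}\stubpath = "C:\\Windows\\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe" {4230D073-77CD-453c-A048-C265E7B6C88C}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6033F77B-1201-4192-9A20-4578E4AC9D91}\stubpath = "C:\\Windows\\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe" {A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{265103C9-430B-4f0a-9818-6BD7EE838406}\stubpath = "C:\\Windows\\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe" {FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CBF6982-3869-43b0-821D-45007428D1F7}\stubpath = "C:\\Windows\\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe" {265103C9-430B-4f0a-9818-6BD7EE838406}.exe
""".strip().splitlines()

# Constructed input: the 12 cmd.exe command lines from the process tree.
DEL_COMMANDS = r"""
C:\Windows\system32\cmd.exe /c del C:\Windows\{26510~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF609~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{4230D~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{EB994~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{61D0E~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{A74D6~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{96B07~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{0D459~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{B7020~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{6033F~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B7F~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
""".strip().splitlines()

ROOT = "2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"  # submitted sample
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
STUB_RE = re.compile(r'^Set value \(str\) (.+?)\\stubpath = "([^"]*)" (\S+)$', re.I)
ACTIVE_SETUP = "\\active setup\\installed components\\"  # substring of the key path


def basename(path):
    """Last path component; also folds the report's doubled backslashes to single ones."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1]


def suspicious_active_setup(lines):
    """Flag Active Setup StubPath values whose executable is a bare GUID name.
    Active Setup runs every StubPath once per user profile at logon, so such a
    value is a logon-persistence entry rather than a component installer."""
    hits = []
    for line in lines:
        m = STUB_RE.match(line)
        if not m or ACTIVE_SETUP not in m.group(1).lower():
            continue
        key_guid, stub, writer = m.group(1).rsplit("\\", 1)[-1], m.group(2).replace("\\\\", "\\"), m.group(3)
        name = basename(stub)
        if name.lower().endswith(".exe") and GUID_RE.match(name[:-4]):
            hits.append({"key": key_guid, "stub": stub, "writer": writer,
                         "self_named": key_guid.lower() == name[:-4].lower()})
    return hits


def stage_chain(hits, root):
    """Order the stages: the process that writes a StubPath is the one that
    dropped that EXE (see "Drops file in Windows directory"), so follow
    writer -> stub starting at the submitted sample. Stops on a cycle or leaf."""
    next_stage = {h["writer"]: basename(h["stub"]) for h in hits}
    chain = [root]
    while chain[-1] in next_stage and next_stage[chain[-1]] not in chain:
        chain.append(next_stage[chain[-1]])
    return chain


def short_name(long_name):
    """Expected 8.3 alias of a long file name. Braces and hyphens are legal 8.3
    characters, so the alias is the first six characters plus '~1' (assumption:
    no collision on the volume, otherwise the suffix would be ~2, ~3, ...)."""
    stem, _, ext = long_name.rpartition(".")
    return (stem[:6] + "~1." + ext).upper()


def self_delete_targets(cmd_lines, chain):
    """Map each 'cmd.exe /c del <8.3 name>' to the chain stage it removes;
    None for a del target that is not one of the stages."""
    alias = {short_name(n): n for n in chain}
    targets = []
    for line in cmd_lines:
        m = re.search(r"\bdel (\S+)", line, re.I)
        if m:
            targets.append(alias.get(basename(m.group(1)).upper()))
    return targets


if __name__ == "__main__":
    found = suspicious_active_setup(STUBPATH_EVENTS)
    stages = stage_chain(found, ROOT)
    removed = self_delete_targets(DEL_COMMANDS, stages)
    for n, s in enumerate(stages, 1):
        print(f"stage {n:2d}  {s}  self-deletes: {s in removed}")
```

Run stand-alone, it prints the 13 stages in the order the process tree shows them; every stage except the last ({9CBF6982-3869-43b0-821D-45007428D1F7}.exe) is removed by its own cmd.exe child. On a live host the equivalent hunt is to enumerate HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components and its native 64-bit sibling for StubPath values that name a GUID-named executable, and to treat a StubPath whose key GUID equals the executable's GUID as this family's pattern.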
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 168KB
MD5: 5237f6b7b6b7821e06a3edd0833d3bc2
SHA1: 11401acec1301eaf901d0f8b6bc7486cf3d2953e
SHA256: af4e806a5a956bec46189c188ac230926d2aeb49063051ef5c263ebfc0c015a7
SHA512: fadcc8a9fcdd3453333d6a5442bf1a1fc76eb646420d1196b9ddfe5fc126823e942a282181e850bb2276419bd0e8f3512538fd6240d85ffa8201a696e146f98f

Filesize: 168KB
MD5: f34b8409633dba039481280551fd4eeb
SHA1: 4828820e77b10824de4fdc502bf5df29f380c269
SHA256: 711a1363101b5e4cc4f667e3be70b2d6b6b7ca97ab0e65da8dacc488498c6e62
SHA512: cf8ac527c04a127e7b62446e1bff6f84e35bbce20a179b9d36c56215b9e6964a0c985dab47c936e60673e537dd5babe09729f868084b4f78ad10a682f3985ce8

Filesize: 109KB
MD5: fe2bc60abd87b30bd3b72e7889201c15
SHA1: 82bdd91ec15f5da8dbfbf2564fb9734d72bbba76
SHA256: c3b82ac77a18271b78b50bc644b604c49ed50ebca1e74ff1be5fd78010a52aa6
SHA512: 7169fc17e3f657b121b0c93b96c83f8c11acd5e6b05c2f32f85f6c21eeb8f9694f9529b142702545a05bc82d93710818c3ec17cd1f9801eebcad9ad771535c0e

Filesize: 64KB
MD5: 7b3964433f61b823c378e412c551c8b7
SHA1: 7d9e3e3096c1fae79809bbdffd48886db119b503
SHA256: fe4da07fd704ff8009f65865f14c6e699b088b20fa86ad1b2d2378f3a2128620
SHA512: fd0f217ccd26211dcc2e493dc194a3f0b33186582180af7ee6e26d92e15d98c5f7ade96d6206c0db5a0685cc2b0ec9c08198ef7c5c5f21dcc48d78e4825ce768

Filesize: 168KB
MD5: f15b33461ac9a83eed236f5b934cbe22
SHA1: 78c7ff3c060461b78f41de81336a487cf6cf0362
SHA256: e7c82ed7d0bfec120b2cc07137173f6829278b9e8c881eb62bda5c8c220c9a09
SHA512: 24e82333016f3b5f5d8edbf6c91c4782e6e6c67ad8d0c561ed1978b2faa923d6601048740bfac1fb05049c14faa57416a621d14feae07f4721c255ba7c473026

Filesize: 168KB
MD5: b4758265a1bcb744da59142f4f21fb10
SHA1: d27bbef5ea913b5dbd6ae44bb21b1263f94e20e3
SHA256: 60583ddb6f0a12b0fb0e6bf17b83f700e502c88ba0fcfa15d960cff67838ff41
SHA512: 76b38b4497fbaf1f5bb419dd67c3262de6128c4a38b451d657b9f372a3f8b339997226c85a8e4817d44ed478c56549364379e12b1350e2cd1ad1b500ee49d2a9

Filesize: 168KB
MD5: 4c200c84ba34def1fe624f14731ae243
SHA1: 4830ad5d634f74b543430ef2288fe2b7b27f2693
SHA256: 75205987d26d568bca19e39b80fd67172ee932d023e46bffd1fcd09c7dbffdd4
SHA512: 0aff53eaad68eeaa56fa57cfe903cf219ac3c63d38aed0120dded0e18f63a2c4d8245b133b4d12366255c9b8ad0f593060cdd2bd89b917f846c46411e053e185

Filesize: 168KB
MD5: 4f2de4f0cf46e93a4addfdd360be57b0
SHA1: 15d3e623ff339f6c4723af02608442c10205d70b
SHA256: 71430d66ad0ca9578ea99dfb54168d702bcc39821643c0ee5fc2d914cc5e1715
SHA512: f88529cd96e04185ea09d2685f3a2cd0b8f432941f12a86c23c4979bc2b6256b8f99babe006066842fcdd3ae83c3e8216861ebbd83a5ff66a885bd7de4140e64

Filesize: 168KB
MD5: 5b9430a139ecaee61573ebe8426f5eb5
SHA1: 04ed75c542a4307bc498c60512b1ae7adba5adef
SHA256: fb40a326f6845a378db2cb744f565683764f8fc35048fdca0079c2b9379b3241
SHA512: e06c8ce49678d21634d9c0131cd21d37d3765dd45aaca01040ae5b06f547dbc08d9f780ea04695f172a1735844c09d2e11434e4cb427843dadd181037486290b

Filesize: 168KB
MD5: 47882488cf23c1702a8cd47c00178f9f
SHA1: a403275e4be5b321aeb45309a67cb8b670690680
SHA256: 9ad99cfc1d83f99ddb0d50e9869b5c1229e772ec278f6ec6886dfe8958c6ba81
SHA512: 11fd836f4046fef617c84ac7ea9d85da87fd684e59f95f951895d85b162783b85f4415e8e2a3f4503cafdc7ddb3dd90313bcb495a9e1677b74217926e6a762a7

Filesize: 168KB
MD5: 245269caefdf73472f343bb76da7555f
SHA1: c507c40d01457f68524c6618d7bbff671c54f7ab
SHA256: def68294b8101d9f07f69ebf48249d07bad9236cba1e07d1a3358d242d64d164
SHA512: 18b8e0b3ad3763d4aa841d9b48748dda7c257287521159488c01bf4b4c76260043905d9bd2ccd1169adf961a992d86bb21a06a568491bae0739117c9fabdf76c

Filesize: 168KB
MD5: b0ee43ceef85b06bb67e9c637f93e4b8
SHA1: f771e96685459ebf626e89960d3a99b0706c5fab
SHA256: 6f588742d92ad5398bf463e75609bfd4bcbb4289e0eba1a7bda9a0eedf55dc1a
SHA512: 3e4e5049b6316397bf64280e206f9701c5e7f4ae5a255ff5a191f6b9711566c421a921a67655f52519fe272f51f4be5a105b96122aa8d555aced69155b08c675

Filesize: 168KB
MD5: 7ce1ec0c4a3b0dac191b0e5aa2433d4b
SHA1: 6e9d809458224011bee3fd854ca1105373c14d10
SHA256: 1107f4f0be773b9becd8cbbb7b1734eb942ca446ab24df43dadfc2e8c4c45fee
SHA512: f501f8aec54e166d2ee83d03010f5d37da9afc3a2917e59035ff31640f166dcff75fa6fe8db13bafc9f89410cf1ddc3b8e52944a89a89220bc9e3b6f9806df02