Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 20:03
Static task: static1
Behavioral task: behavioral1
Sample: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Resource: win10v2004-20240508-en
General
Target: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Size: 180KB
MD5: 78daf397d39aa60d56471f67bacf471e
SHA1: 321307f2afdc67b1a63ae9468c4c6e49b314b56c
SHA256: 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983
SHA512: 6a2238e98ffeef3d3f8500f6279e876091f8d10bbe3fb83f5e340f043b3b7439472b422756c58464e840de5edce8bd1b43f2259b10dbb8ab19a4fb69182707e1
SSDEEP: 3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc
Malware Config
Signatures

Auto-generated rule (12 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/files/0x00070000000233d1-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00090000000233c3-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00080000000233d7-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a0000000233c3-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00090000000233d7-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b0000000233c3-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a0000000233d7-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000c0000000233c3-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000b0000000233d7-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000d0000000233c3-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000c0000000233d7-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00070000000233d9-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}\stubpath = "C:\\Windows\\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe" | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6724A17D-E6C6-4b8b-A079-06088FCEAC38} | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}\stubpath = "C:\\Windows\\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe" | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}\stubpath = "C:\\Windows\\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe" | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377AA324-DAC6-456d-BFD7-9E025BB67430}\stubpath = "C:\\Windows\\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe" | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4} | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}\stubpath = "C:\\Windows\\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe" | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}\stubpath = "C:\\Windows\\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe" | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}\stubpath = "C:\\Windows\\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe" | {6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}\stubpath = "C:\\Windows\\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe" | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}\stubpath = "C:\\Windows\\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe" | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785} | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C880EA27-C463-46bf-8BE4-0D584F116BC4} | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8F43B6-E5AF-454c-B91E-993D578C4D30} | {6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8} | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C880EA27-C463-46bf-8BE4-0D584F116BC4}\stubpath = "C:\\Windows\\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe" | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6EA05B-4D0E-417a-834D-C612AD3147F6} | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89A0A96-B505-4753-8214-302EDFFD0D1A} | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89A0A96-B505-4753-8214-302EDFFD0D1A}\stubpath = "C:\\Windows\\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe" | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CD81BE-666F-4ad8-BBB0-5D314E634756} | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377AA324-DAC6-456d-BFD7-9E025BB67430} | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{475B84CB-6E53-4d93-99BF-B804DBDF097C} | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BF07D9D-2D7D-42d4-BC63-49842053B16C} | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{475B84CB-6E53-4d93-99BF-B804DBDF097C}\stubpath = "C:\\Windows\\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe" | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe |
Executes dropped EXE (12 IoCs)

| pid | Process |
| --- | --- |
| 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe |
| 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe |
| 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe |
| 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe |
| 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe |
| 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe |
| 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe |
| 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe |
| 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe |
| 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe |
| 4344 | {6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe |
| 2792 | {2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe |
Drops file in Windows directory (12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe |
| File created | C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe |
| File created | C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe |
| File created | C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe |
| File created | C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe |
| File created | C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe |
| File created | C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe |
| File created | C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe |
| File created | C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe |
| File created | C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe |
| File created | C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe |
| File created | C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe | {6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe |
Suspicious use of AdjustPrivilegeToken (12 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe |
| Token: SeIncBasePriorityPrivilege | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe |
| Token: SeIncBasePriorityPrivilege | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe |
| Token: SeIncBasePriorityPrivilege | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe |
| Token: SeIncBasePriorityPrivilege | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe |
| Token: SeIncBasePriorityPrivilege | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe |
| Token: SeIncBasePriorityPrivilege | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe |
| Token: SeIncBasePriorityPrivilege | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe |
| Token: SeIncBasePriorityPrivilege | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe |
| Token: SeIncBasePriorityPrivilege | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe |
| Token: SeIncBasePriorityPrivilege | 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe |
| Token: SeIncBasePriorityPrivilege | 4344 | {6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1808 wrote to memory of 1040 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 91 |
| PID 1808 wrote to memory of 1040 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 91 |
| PID 1808 wrote to memory of 1040 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 91 |
| PID 1808 wrote to memory of 1484 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 92 |
| PID 1808 wrote to memory of 1484 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 92 |
| PID 1808 wrote to memory of 1484 | 1808 | 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe | 92 |
| PID 1040 wrote to memory of 1796 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 93 |
| PID 1040 wrote to memory of 1796 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 93 |
| PID 1040 wrote to memory of 1796 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 93 |
| PID 1040 wrote to memory of 2272 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 94 |
| PID 1040 wrote to memory of 2272 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 94 |
| PID 1040 wrote to memory of 2272 | 1040 | {51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe | 94 |
| PID 1796 wrote to memory of 5052 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 96 |
| PID 1796 wrote to memory of 5052 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 96 |
| PID 1796 wrote to memory of 5052 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 96 |
| PID 1796 wrote to memory of 4736 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 97 |
| PID 1796 wrote to memory of 4736 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 97 |
| PID 1796 wrote to memory of 4736 | 1796 | {2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe | 97 |
| PID 5052 wrote to memory of 3836 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 98 |
| PID 5052 wrote to memory of 3836 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 98 |
| PID 5052 wrote to memory of 3836 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 98 |
| PID 5052 wrote to memory of 4232 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 99 |
| PID 5052 wrote to memory of 4232 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 99 |
| PID 5052 wrote to memory of 4232 | 5052 | {C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe | 99 |
| PID 3836 wrote to memory of 4660 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 100 |
| PID 3836 wrote to memory of 4660 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 100 |
| PID 3836 wrote to memory of 4660 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 100 |
| PID 3836 wrote to memory of 1020 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 101 |
| PID 3836 wrote to memory of 1020 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 101 |
| PID 3836 wrote to memory of 1020 | 3836 | {C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe | 101 |
| PID 4660 wrote to memory of 4288 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 102 |
| PID 4660 wrote to memory of 4288 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 102 |
| PID 4660 wrote to memory of 4288 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 102 |
| PID 4660 wrote to memory of 1576 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 103 |
| PID 4660 wrote to memory of 1576 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 103 |
| PID 4660 wrote to memory of 1576 | 4660 | {8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe | 103 |
| PID 4288 wrote to memory of 2916 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 104 |
| PID 4288 wrote to memory of 2916 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 104 |
| PID 4288 wrote to memory of 2916 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 104 |
| PID 4288 wrote to memory of 2592 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 105 |
| PID 4288 wrote to memory of 2592 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 105 |
| PID 4288 wrote to memory of 2592 | 4288 | {A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe | 105 |
| PID 2916 wrote to memory of 2864 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 106 |
| PID 2916 wrote to memory of 2864 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 106 |
| PID 2916 wrote to memory of 2864 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 106 |
| PID 2916 wrote to memory of 4796 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 107 |
| PID 2916 wrote to memory of 4796 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 107 |
| PID 2916 wrote to memory of 4796 | 2916 | {F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe | 107 |
| PID 2864 wrote to memory of 3624 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 108 |
| PID 2864 wrote to memory of 3624 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 108 |
| PID 2864 wrote to memory of 3624 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 108 |
| PID 2864 wrote to memory of 2456 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 109 |
| PID 2864 wrote to memory of 2456 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 109 |
| PID 2864 wrote to memory of 2456 | 2864 | {377AA324-DAC6-456d-BFD7-9E025BB67430}.exe | 109 |
| PID 3624 wrote to memory of 4236 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 110 |
| PID 3624 wrote to memory of 4236 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 110 |
| PID 3624 wrote to memory of 4236 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 110 |
| PID 3624 wrote to memory of 4076 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 111 |
| PID 3624 wrote to memory of 4076 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 111 |
| PID 3624 wrote to memory of 4076 | 3624 | {475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe | 111 |
| PID 4236 wrote to memory of 4344 | 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe | 112 |
| PID 4236 wrote to memory of 4344 | 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe | 112 |
| PID 4236 wrote to memory of 4344 | 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe | 112 |
| PID 4236 wrote to memory of 4256 | 4236 | {0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe | 113 |
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1808

Level 2: C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
Command line: C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1040

Level 3: C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
Command line: C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1796

Level 4: C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
Command line: C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5052

Level 5: C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
Command line: C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3836

Level 6: C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
Command line: C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4660

Level 7: C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
Command line: C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4288

Level 8: C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
Command line: C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2916

Level 9: C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
Command line: C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2864

Level 10: C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
Command line: C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3624

Level 11: C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
Command line: C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4236

Level 12: C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
Command line: C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4344

Level 13: C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe
Command line: C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe
- Executes dropped EXE
PID: 2792

Level 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6724A~1.EXE > nul
PID: 1808

Level 12: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8BC~1.EXE > nul
PID: 4256

Level 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{475B8~1.EXE > nul
PID: 4076

Level 10: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{377AA~1.EXE > nul
PID: 2456

Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F3CD8~1.EXE > nul
PID: 4796

Level 8: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A89A0~1.EXE > nul
PID: 2592

Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8E6EA~1.EXE > nul
PID: 1576

Level 6: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C880E~1.EXE > nul
PID: 1020

Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C5~1.EXE > nul
PID: 4232

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2BF07~1.EXE > nul
PID: 4736

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{51CA5~1.EXE > nul
PID: 2272

Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul
PID: 1484
Network
MITRE ATT&CK Enterprise v15
Downloads