Analysis
- max time kernel: 149s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Size: 168KB
- MD5: f844085e931ec6f32dabe71e5314e933
- SHA1: 975a67898eb5efa008571b050e6f3b0c9df5f42b
- SHA256: d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25
- SHA512: 62210862a1cfd012c0d6f237696b7806f4beb44591d175235876e4a30ec01c208d19c8e7535b5c3a9aacc386df2f0d4941e60b413481633c966b5d9e9bd6e808
- SSDEEP: 1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
- behavioral2/files/0x000a000000023438-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000800000002343e-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0007000000023442-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0007000000023445-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000700000002344b-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0008000000023445-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000800000002344b-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x0009000000023445-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000900000002344b-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a000000023445-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000a00000002344b-41.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
- behavioral2/files/0x000b000000023445-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764A7453-7E3D-4118-9362-B820E09F31D0}\stubpath = "C:\\Windows\\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe" | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7} | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3A01C3-35FB-4895-B380-BE75925C9A81} | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6062F3B3-C015-43be-992C-64699251F174}\stubpath = "C:\\Windows\\{6062F3B3-C015-43be-992C-64699251F174}.exe" | {AC210350-E339-49bd-B050-A142E5950595}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B} | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0} | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764A7453-7E3D-4118-9362-B820E09F31D0} | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}\stubpath = "C:\\Windows\\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe" | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3A01C3-35FB-4895-B380-BE75925C9A81}\stubpath = "C:\\Windows\\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe" | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC210350-E339-49bd-B050-A142E5950595}\stubpath = "C:\\Windows\\{AC210350-E339-49bd-B050-A142E5950595}.exe" | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}\stubpath = "C:\\Windows\\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe" | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3496395F-CA8B-435a-9524-70995A6FE94C} | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC210350-E339-49bd-B050-A142E5950595} | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6062F3B3-C015-43be-992C-64699251F174} | {AC210350-E339-49bd-B050-A142E5950595}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1} | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A167D6F-3850-4c96-9765-BBD0608B61B6}\stubpath = "C:\\Windows\\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe" | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}\stubpath = "C:\\Windows\\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe" | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3496395F-CA8B-435a-9524-70995A6FE94C}\stubpath = "C:\\Windows\\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe" | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}\stubpath = "C:\\Windows\\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe" | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F63595F-6305-4aba-83DC-2A2F219295D6} | {DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59} | {6062F3B3-C015-43be-992C-64699251F174}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}\stubpath = "C:\\Windows\\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe" | {6062F3B3-C015-43be-992C-64699251F174}.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A167D6F-3850-4c96-9765-BBD0608B61B6} | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F63595F-6305-4aba-83DC-2A2F219295D6}\stubpath = "C:\\Windows\\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe" | {DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
Executes dropped EXE (12 IoCs)
pid | Process
- 400 | {AC210350-E339-49bd-B050-A142E5950595}.exe
- 2160 | {6062F3B3-C015-43be-992C-64699251F174}.exe
- 316 | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
- 3872 | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
- 1852 | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
- 936 | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
- 4912 | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe
- 1992 | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe
- 632 | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
- 1948 | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
- 1480 | {DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
- 1648 | {2F63595F-6305-4aba-83DC-2A2F219295D6}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
- File created | C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
- File created | C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe
- File created | C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
- File created | C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
- File created | C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
- File created | C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe
- File created | C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
- File created | C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- File created | C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe | {AC210350-E339-49bd-B050-A142E5950595}.exe
- File created | C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe | {6062F3B3-C015-43be-992C-64699251F174}.exe
- File created | C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
- File created | C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe | {DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 4180 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
- Token: SeIncBasePriorityPrivilege | 400 | {AC210350-E339-49bd-B050-A142E5950595}.exe
- Token: SeIncBasePriorityPrivilege | 2160 | {6062F3B3-C015-43be-992C-64699251F174}.exe
- Token: SeIncBasePriorityPrivilege | 316 | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
- Token: SeIncBasePriorityPrivilege | 3872 | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
- Token: SeIncBasePriorityPrivilege | 1852 | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
- Token: SeIncBasePriorityPrivilege | 936 | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
- Token: SeIncBasePriorityPrivilege | 4912 | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe
- Token: SeIncBasePriorityPrivilege | 1992 | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe
- Token: SeIncBasePriorityPrivilege | 632 | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
- Token: SeIncBasePriorityPrivilege | 1948 | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
- Token: SeIncBasePriorityPrivilege | 1480 | {DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row below was logged the number of times given in brackets)
- PID 4180 wrote to memory of 400 | 4180 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 81 [3 entries]
- PID 4180 wrote to memory of 2588 | 4180 | 2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe | 82 [3 entries]
- PID 400 wrote to memory of 2160 | 400 | {AC210350-E339-49bd-B050-A142E5950595}.exe | 83 [3 entries]
- PID 400 wrote to memory of 4884 | 400 | {AC210350-E339-49bd-B050-A142E5950595}.exe | 84 [3 entries]
- PID 2160 wrote to memory of 316 | 2160 | {6062F3B3-C015-43be-992C-64699251F174}.exe | 87 [3 entries]
- PID 2160 wrote to memory of 2404 | 2160 | {6062F3B3-C015-43be-992C-64699251F174}.exe | 88 [3 entries]
- PID 316 wrote to memory of 3872 | 316 | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe | 93 [3 entries]
- PID 316 wrote to memory of 4372 | 316 | {B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe | 94 [3 entries]
- PID 3872 wrote to memory of 1852 | 3872 | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe | 96 [3 entries]
- PID 3872 wrote to memory of 5004 | 3872 | {5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe | 97 [3 entries]
- PID 1852 wrote to memory of 936 | 1852 | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe | 98 [3 entries]
- PID 1852 wrote to memory of 2668 | 1852 | {D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe | 99 [3 entries]
- PID 936 wrote to memory of 4912 | 936 | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe | 100 [3 entries]
- PID 936 wrote to memory of 4008 | 936 | {6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe | 101 [3 entries]
- PID 4912 wrote to memory of 1992 | 4912 | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe | 102 [3 entries]
- PID 4912 wrote to memory of 852 | 4912 | {3496395F-CA8B-435a-9524-70995A6FE94C}.exe | 103 [3 entries]
- PID 1992 wrote to memory of 632 | 1992 | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe | 104 [3 entries]
- PID 1992 wrote to memory of 3876 | 1992 | {764A7453-7E3D-4118-9362-B820E09F31D0}.exe | 105 [3 entries]
- PID 632 wrote to memory of 1948 | 632 | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe | 106 [3 entries]
- PID 632 wrote to memory of 4128 | 632 | {9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe | 107 [3 entries]
- PID 1948 wrote to memory of 1480 | 1948 | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe | 108 [3 entries]
- PID 1948 wrote to memory of 3496 | 1948 | {AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe | 109 [1 entry]
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe (level 1, PID 4180)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe (level 2, PID 400)
    command line: C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe (level 3, PID 2160)
      command line: C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe (level 4, PID 316)
        command line: C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe (level 5, PID 3872)
          command line: C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe (level 6, PID 1852)
            command line: C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe (level 7, PID 936)
              command line: C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe (level 8, PID 4912)
                command line: C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe (level 9, PID 1992)
                  command line: C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe (level 10, PID 632)
                    command line: C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    - C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe (level 11, PID 1948)
                      command line: C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      - Drops file in Windows directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of WriteProcessMemory
                      - C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe (level 12, PID 1480)
                        command line: C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
                        - Modifies Installed Components in the registry
                        - Executes dropped EXE
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe (level 13, PID 1648)
                          command line: C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe
                          - Executes dropped EXE
                        - C:\Windows\SysWOW64\cmd.exe (level 13, PID 4748)
                          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8B4~1.EXE > nul
                      - C:\Windows\SysWOW64\cmd.exe (level 12, PID 3496)
                        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3A0~1.EXE > nul
                    - C:\Windows\SysWOW64\cmd.exe (level 11, PID 4128)
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9627D~1.EXE > nul
                  - C:\Windows\SysWOW64\cmd.exe (level 10, PID 3876)
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{764A7~1.EXE > nul
                - C:\Windows\SysWOW64\cmd.exe (level 9, PID 852)
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{34963~1.EXE > nul
              - C:\Windows\SysWOW64\cmd.exe (level 8, PID 4008)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB61~1.EXE > nul
            - C:\Windows\SysWOW64\cmd.exe (level 7, PID 2668)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FEC~1.EXE > nul
          - C:\Windows\SysWOW64\cmd.exe (level 6, PID 5004)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5A167~1.EXE > nul
        - C:\Windows\SysWOW64\cmd.exe (level 5, PID 4372)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B2818~1.EXE > nul
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 2404)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6062F~1.EXE > nul
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 4884)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AC210~1.EXE > nul
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2588)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads