Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 06/04/2024, 21:42
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Size: 180KB
MD5: 8d82a2b777d782e76bfac9ed6d45addd
SHA1: 5c9fe416cf462ab504a214ad40878e31e3443624
SHA256: 969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5
SHA512: bdda495669ac9472b57e5a5c5d1254fe6218bf0aa4a0083af896f75a4b0c15c6b2604b639ae43cb56848e59bd0d6b91572cdecbdd9f00c69dc6aa6b6ce0a88ec
SSDEEP: 3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x000700000002321d-3.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023217-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023224-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023217-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021c86-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the WOW6432Node view, because the sample is 32-bit and runs under SysWOW64, as the cmd.exe path in the process tree shows). Each process creates the subkey for the file it just dropped and sets that subkey's stubpath to the dropped file.
description | ioc | Process
Key created | {76ED5798-F50E-49f6-8587-1BE750C57253} | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
Set value (str) | {76ED5798-F50E-49f6-8587-1BE750C57253}\stubpath = "C:\\Windows\\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe" | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
Key created | {41EA55C0-93F5-4848-83C8-9421A078FE23} | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe
Key created | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C} | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
Key created | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5} | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Set value (str) | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}\stubpath = "C:\\Windows\\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe" | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Set value (str) | {278AF669-9213-44bb-9714-726BA685660D}\stubpath = "C:\\Windows\\{278AF669-9213-44bb-9714-726BA685660D}.exe" | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
Key created | {65629895-740A-431b-BA87-438EDD33690F} | {278AF669-9213-44bb-9714-726BA685660D}.exe
Set value (str) | {32886B16-178B-4b18-98C6-C3F4595281F8}\stubpath = "C:\\Windows\\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe" | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
Key created | {F2A73444-1137-4ab1-934F-4C02ACC6BA76} | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
Set value (str) | {F2A73444-1137-4ab1-934F-4C02ACC6BA76}\stubpath = "C:\\Windows\\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe" | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
Key created | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09} | {65629895-740A-431b-BA87-438EDD33690F}.exe
Set value (str) | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}\stubpath = "C:\\Windows\\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe" | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
Key created | {146E4933-B102-4ed9-84D1-0DDE11C40ED8} | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
Set value (str) | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}\stubpath = "C:\\Windows\\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe" | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
Key created | {278AF669-9213-44bb-9714-726BA685660D} | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
Key created | {2E60B719-3A63-4176-AC7F-62BBF397CBF6} | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
Set value (str) | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}\stubpath = "C:\\Windows\\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe" | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
Set value (str) | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}\stubpath = "C:\\Windows\\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe" | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe
Key created | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96} | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe
Set value (str) | {65629895-740A-431b-BA87-438EDD33690F}\stubpath = "C:\\Windows\\{65629895-740A-431b-BA87-438EDD33690F}.exe" | {278AF669-9213-44bb-9714-726BA685660D}.exe
Set value (str) | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}\stubpath = "C:\\Windows\\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe" | {65629895-740A-431b-BA87-438EDD33690F}.exe
Set value (str) | {41EA55C0-93F5-4848-83C8-9421A078FE23}\stubpath = "C:\\Windows\\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe" | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe
Key created | {32886B16-178B-4b18-98C6-C3F4595281F8} | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
Executes dropped EXE 12 IoCs
pid | Process
4472 | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
1876 | {278AF669-9213-44bb-9714-726BA685660D}.exe
2692 | {65629895-740A-431b-BA87-438EDD33690F}.exe
4524 | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
5072 | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
3400 | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe
2204 | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
4648 | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
5020 | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe
932 | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
1528 | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
5012 | {F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
File created | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
File created | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
File created | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
File created | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe
File created | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
File created | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
File created | C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
File created | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe | {278AF669-9213-44bb-9714-726BA685660D}.exe
File created | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | {65629895-740A-431b-BA87-438EDD33690F}.exe
File created | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
File created | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4828 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4472 | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
Token: SeIncBasePriorityPrivilege | 1876 | {278AF669-9213-44bb-9714-726BA685660D}.exe
Token: SeIncBasePriorityPrivilege | 2692 | {65629895-740A-431b-BA87-438EDD33690F}.exe
Token: SeIncBasePriorityPrivilege | 4524 | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
Token: SeIncBasePriorityPrivilege | 5072 | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
Token: SeIncBasePriorityPrivilege | 3400 | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe
Token: SeIncBasePriorityPrivilege | 2204 | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
Token: SeIncBasePriorityPrivilege | 4648 | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
Token: SeIncBasePriorityPrivilege | 5020 | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe
Token: SeIncBasePriorityPrivilege | 932 | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
Token: SeIncBasePriorityPrivilege | 1528 | {146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | Process | procid_target | events
PID 4828 wrote to memory of 4472 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | 96 | 3
PID 4828 wrote to memory of 3112 | 2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe | 97 | 3
PID 4472 wrote to memory of 1876 | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | 98 | 3
PID 4472 wrote to memory of 2132 | {5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe | 99 | 3
PID 1876 wrote to memory of 2692 | {278AF669-9213-44bb-9714-726BA685660D}.exe | 101 | 3
PID 1876 wrote to memory of 1564 | {278AF669-9213-44bb-9714-726BA685660D}.exe | 102 | 3
PID 2692 wrote to memory of 4524 | {65629895-740A-431b-BA87-438EDD33690F}.exe | 103 | 3
PID 2692 wrote to memory of 852 | {65629895-740A-431b-BA87-438EDD33690F}.exe | 104 | 3
PID 4524 wrote to memory of 5072 | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | 105 | 3
PID 4524 wrote to memory of 3816 | {C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe | 106 | 3
PID 5072 wrote to memory of 3400 | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | 107 | 3
PID 5072 wrote to memory of 628 | {2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe | 108 | 3
PID 3400 wrote to memory of 2204 | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe | 109 | 3
PID 3400 wrote to memory of 736 | {76ED5798-F50E-49f6-8587-1BE750C57253}.exe | 110 | 3
PID 2204 wrote to memory of 4648 | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | 111 | 3
PID 2204 wrote to memory of 4040 | {41EA55C0-93F5-4848-83C8-9421A078FE23}.exe | 112 | 3
PID 4648 wrote to memory of 5020 | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | 113 | 3
PID 4648 wrote to memory of 4580 | {4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe | 114 | 3
PID 5020 wrote to memory of 932 | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe | 115 | 3
PID 5020 wrote to memory of 2436 | {32886B16-178B-4b18-98C6-C3F4595281F8}.exe | 116 | 3
PID 932 wrote to memory of 1528 | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | 117 | 3
PID 932 wrote to memory of 332 | {86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe | 118 | 1
Every parent writes into two children: the next dropped stage and the cmd.exe that deletes the parent's own image (see the process tree). The signature stops at 64 entries, so the last pair shows a single event.
Processes
Depth in the tree is given in brackets. Each cmd.exe is a child of the process one level above it; parent PIDs are taken from the nesting, which is consistent with the WriteProcessMemory pairs above.

[1] PID 4828 | C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 4472 | C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe (parent PID 4828)
    command line: C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 1876 | C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe (parent PID 4472)
    command line: C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] PID 2692 | C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe (parent PID 1876)
    command line: C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 4524 | C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe (parent PID 2692)
    command line: C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] PID 5072 | C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe (parent PID 4524)
    command line: C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 3400 | C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe (parent PID 5072)
    command line: C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] PID 2204 | C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe (parent PID 3400)
    command line: C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 4648 | C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe (parent PID 2204)
    command line: C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] PID 5020 | C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe (parent PID 4648)
    command line: C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 932 | C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe (parent PID 5020)
    command line: C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[12] PID 1528 | C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe (parent PID 932)
    command line: C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
[13] PID 5012 | C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe (parent PID 1528)
    command line: C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe
    - Executes dropped EXE
[13] PID 3160 | C:\Windows\SysWOW64\cmd.exe (parent PID 1528)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{146E4~1.EXE > nul
[12] PID 332 | C:\Windows\SysWOW64\cmd.exe (parent PID 932)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{86D80~1.EXE > nul
[11] PID 2436 | C:\Windows\SysWOW64\cmd.exe (parent PID 5020)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{32886~1.EXE > nul
[10] PID 4580 | C:\Windows\SysWOW64\cmd.exe (parent PID 4648)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC2B~1.EXE > nul
[9] PID 4040 | C:\Windows\SysWOW64\cmd.exe (parent PID 2204)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{41EA5~1.EXE > nul
[8] PID 736 | C:\Windows\SysWOW64\cmd.exe (parent PID 3400)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{76ED5~1.EXE > nul
[7] PID 628 | C:\Windows\SysWOW64\cmd.exe (parent PID 5072)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2E60B~1.EXE > nul
[6] PID 3816 | C:\Windows\SysWOW64\cmd.exe (parent PID 4524)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C79A6~1.EXE > nul
[5] PID 852 | C:\Windows\SysWOW64\cmd.exe (parent PID 2692)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{65629~1.EXE > nul
[4] PID 1564 | C:\Windows\SysWOW64\cmd.exe (parent PID 1876)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{278AF~1.EXE > nul
[3] PID 2132 | C:\Windows\SysWOW64\cmd.exe (parent PID 4472)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5BEBE~1.EXE > nul
[2] PID 3112 | C:\Windows\SysWOW64\cmd.exe (parent PID 4828)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul

Each stage therefore does three things: drops the next GUID-named copy into C:\Windows, registers an Active Setup Installed Components entry whose stubpath points at that copy, and spawns cmd.exe to delete its own image by its 8.3 short name. Whether the delete succeeds while the image is still mapped by a running process is not shown by the report.
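The chain above can be checked mechanically rather than by eye. The script below is an added example, not part of the Triage report and not code from the sample: it transcribes the "Drops file in Windows directory" IoCs, the stubpath entries from "Modifies Installed Components in the registry" and the cmd.exe command lines from the process tree, rebuilds the parent-to-child drop chain, verifies that every process registered persistence for exactly the file it dropped, and resolves each 8.3 short name in a `del` command back to the image it targets. Two assumptions are labelled in the code: the 8.3 stem is the first six characters of the long name with `~1` as the first free slot (true for every name in this report), and the parent of each cmd.exe is the process one level above it in the tree.

```python
"""Rebuild the GoldenEye dropper chain from the IoCs in this report.

Added example; not part of the Triage report and not code from the sample.
The three tables are transcribed from the report's signatures and tree.
"""
from typing import Dict, List, Optional, Tuple

ORIGINAL = "2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"

# (file created under C:\Windows, image name of the process that created it)
FILE_CREATED: List[Tuple[str, str]] = [
    ("{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe", "{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe"),
    ("{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe", ORIGINAL),
    ("{278AF669-9213-44bb-9714-726BA685660D}.exe", "{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe"),
    ("{76ED5798-F50E-49f6-8587-1BE750C57253}.exe", "{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe"),
    ("{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe", "{32886B16-178B-4b18-98C6-C3F4595281F8}.exe"),
    ("{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe", "{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe"),
    ("{32886B16-178B-4b18-98C6-C3F4595281F8}.exe", "{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe"),
    ("{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe", "{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe"),
    ("{65629895-740A-431b-BA87-438EDD33690F}.exe", "{278AF669-9213-44bb-9714-726BA685660D}.exe"),
    ("{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe", "{65629895-740A-431b-BA87-438EDD33690F}.exe"),
    ("{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe", "{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe"),
    ("{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe", "{76ED5798-F50E-49f6-8587-1BE750C57253}.exe"),
]

# (Active Setup subkey whose stubpath was set, process that set it).
# In this report every stubpath value is "C:\\Windows\\<subkey>.exe".
STUBPATH_SET: List[Tuple[str, str]] = [
    ("{76ED5798-F50E-49f6-8587-1BE750C57253}", "{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe"),
    ("{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}", ORIGINAL),
    ("{278AF669-9213-44bb-9714-726BA685660D}", "{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe"),
    ("{32886B16-178B-4b18-98C6-C3F4595281F8}", "{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe"),
    ("{F2A73444-1137-4ab1-934F-4C02ACC6BA76}", "{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe"),
    ("{2E60B719-3A63-4176-AC7F-62BBF397CBF6}", "{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe"),
    ("{146E4933-B102-4ed9-84D1-0DDE11C40ED8}", "{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe"),
    ("{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}", "{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe"),
    ("{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}", "{32886B16-178B-4b18-98C6-C3F4595281F8}.exe"),
    ("{65629895-740A-431b-BA87-438EDD33690F}", "{278AF669-9213-44bb-9714-726BA685660D}.exe"),
    ("{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}", "{65629895-740A-431b-BA87-438EDD33690F}.exe"),
    ("{41EA55C0-93F5-4848-83C8-9421A078FE23}", "{76ED5798-F50E-49f6-8587-1BE750C57253}.exe"),
]

# (8.3 name passed to "cmd.exe /c del", process that spawned that cmd.exe;
# the parent is read from the tree nesting, an assumption of this example)
DEL_COMMANDS: List[Tuple[str, str]] = [
    ("{146E4~1.EXE", "{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe"),
    ("{86D80~1.EXE", "{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe"),
    ("{32886~1.EXE", "{32886B16-178B-4b18-98C6-C3F4595281F8}.exe"),
    ("{4CC2B~1.EXE", "{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe"),
    ("{41EA5~1.EXE", "{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe"),
    ("{76ED5~1.EXE", "{76ED5798-F50E-49f6-8587-1BE750C57253}.exe"),
    ("{2E60B~1.EXE", "{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe"),
    ("{C79A6~1.EXE", "{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe"),
    ("{65629~1.EXE", "{65629895-740A-431b-BA87-438EDD33690F}.exe"),
    ("{278AF~1.EXE", "{278AF669-9213-44bb-9714-726BA685660D}.exe"),
    ("{5BEBE~1.EXE", "{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe"),
    ("2024-0~1.EXE", ORIGINAL),
]


def build_chain(root: str, drops: List[Tuple[str, str]]) -> List[str]:
    """Follow 'File created' edges from the submitted sample; fail unless
    the drop graph is one straight line (one child per process, no loops)."""
    children: Dict[str, List[str]] = {}
    for created, creator in drops:
        children.setdefault(creator, []).append(created)
    chain = [root]
    while chain[-1] in children:
        kids = children[chain[-1]]
        if len(kids) != 1 or kids[0] in chain:
            raise ValueError(f"drop graph is not linear at {chain[-1]}")
        chain.append(kids[0])
    return chain


def persistence_matches_drops(drops, stubpaths) -> bool:
    """True if every process registered a stubpath for exactly the file it
    dropped, i.e. each stage installs Active Setup persistence for the next."""
    dropped_by = {creator: created for created, creator in drops}
    return len(stubpaths) == len(drops) and all(
        dropped_by.get(setter) == subkey + ".exe" for subkey, setter in stubpaths
    )


def resolve_short_name(short: str, candidates: List[str]) -> Optional[str]:
    """Map an 8.3 name such as '{146E4~1.EXE' back to a long name.
    Assumption: the stem before '~' is the first six characters of the long
    name and '~1' was the first free slot; that holds for every name here."""
    stem = short.split("~", 1)[0].upper()
    hits = [c for c in candidates if c.upper().startswith(stem)]
    return hits[0] if len(hits) == 1 else None


def self_deletions(dels, candidates) -> Dict[str, Optional[str]]:
    """{process that spawned cmd.exe: image its 'del' targets}."""
    return {proc: resolve_short_name(short, candidates) for short, proc in dels}


if __name__ == "__main__":
    for depth, image in enumerate(build_chain(ORIGINAL, FILE_CREATED), 1):
        print(f"{depth:2d}. {image}")
```

Run stand-alone it prints the thirteen images in drop order; `persistence_matches_drops` returns True for this report, and `self_deletions` maps every process to its own image, which is what makes the `del` commands a clean-up of the previous stage rather than of anything else on the host. The same functions apply to any report where the same three signatures appear, and `build_chain` raises when a stage drops more than one file or the graph loops back on itself.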
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 180KB
MD5: 2912d1caa77748e5fa3f95c8c1d15ece
SHA1: db8cbc93b83849ec11f09c88ec0e923190c4a4d0
SHA256: 83e2b8bfdbea0fd79c8d2c47aa4c42656c41bd7bb4f03bac74481e33832e7d39
SHA512: dc80ad65af21d30d983451b3cc21ebbb6ea42bd6b3412545346a098a4be32ef866fd1cdaf9dea2efe67333707a150003c4bcdfcf890928769745ef219894b4ab

Filesize: 180KB
MD5: 6134450ece3c6d582608228f58c337ef
SHA1: bb582bdd6750e1e3859439960b70b7934836ceb6
SHA256: 49146285394797f80b71c0492c3f168d2ae4d370d213082ff57679679ca7b08a
SHA512: d1bf87d478e45827bd7e39372af8cfbbb7c09d85f2473f78dcaf36c3726dd4744da54dcc1f8df92e083372577cffc73ea8e9a93534150099cf5071733b22db27

Filesize: 180KB
MD5: fdda85422879f69397e1a4e738e35513
SHA1: df718d254fdc4a14184878e7a030e5ba431c7fde
SHA256: c4bdfcab796b7b3e015f12e1f9340381f55e9be1b1a76bdd88e30512be17de36
SHA512: 3909cc67a0cd6a0627a0738a3eccf3eb9d7e6c002c393277ee1990d69b97080b97e13cfdbee2185a1d07cc9d4b4345e3a7968d7ef842d2be55bc38acb7ae59ad

Filesize: 180KB
MD5: c3bf9dba1a2ceb13acd410db4d726d06
SHA1: 1d03a136a91008e0fcf438648f490c6c8d3236d2
SHA256: 36073b13e36eed30738c8c7b171b28a61715350fb63030be7c9d8178d7d58576
SHA512: 3da1fdf906ddd32d12ee8a30c141952240bdacac451e5253c080a90247845b4a75c383ecc1a33a676ddfb1bec5f4fc19aa7e6b20555bacfe551c9495eb405095

Filesize: 180KB
MD5: a9cdfafa97c40058aac892fb6e056a0d
SHA1: effa6a53b8fecd1681cd48b3817ce8e888391e2e
SHA256: 3f694aaf56a0aee5f73f42002917873c2c153ad0e09417a7ff64c7a75c0fc5f1
SHA512: dad7eb6b476007a5d4235d4446d805fae6182a9d978f65babdc6ff306428714729a1c59593cf4be7e48fbe05162da00a1f2fe04abb84801f20a7c77bfc27e6bc

Filesize: 180KB
MD5: 793408a61333c587995894434376d967
SHA1: 8f9b450063afef9a35736bc2b5e871d40353ff8f
SHA256: bbc6b690e7928a39972ef0ae7aa541680380138e39dd75759f5717814e70ec67
SHA512: 521bdb7da053190ed8ddc722829c233ec66c82808100f17cb935f8f0f6805d3c79021c7d77848f85eb00b2c2d5b6c8efcf8fba936386dc43802460216c095a12

Filesize: 180KB
MD5: a58b04d8ad755a69f26444cfdd8b463f
SHA1: c8d3504bad61c2a725983e0e8dd1ed74890899fc
SHA256: 546ac77cc07ed72cf92395814b1c824e6fe9f58e4f3e18efeacd127f4d9343d4
SHA512: 47941f06e601ea0b4b6c2114a6c936e5273ed02e667968d75ced5bda2f49a4bb0bc6e0444e1b1b6c304b5f8ee85a98aab15e5a3a08a90939e6b83192d3a47ae4

Filesize: 180KB
MD5: 56011916d51e8109cc76cbd32484a527
SHA1: 94a94613bcf13e921342eada13dd127a835647b6
SHA256: f852a61d47bb80a38d819d44dec712a9eacf14ccec3c3f4ee7e4e8574d3a5cdf
SHA512: b438ec82b2063e969b64db150e1cb367774ca22fa949192263aa473f702a7de996bdaee6f910ebc0c076e8f8dd915b1c4f7bb9e91e4fb95b597069fe23b9e817

Filesize: 180KB
MD5: fbc9859664284baf51a3f311b5b0e975
SHA1: 38431c941aefccd091eebd44ee3afeb50beaaac6
SHA256: ccfd8d9b18f6586aa9294b81d759610ce6729a33bad2c4f2d881a71128c88165
SHA512: 0dd93ad300f2b983807e92f905cb8f29b9f182326da4a122186f7464538339927c16dce660af3f2c344a767602495be1d8a6c74d80a1298ae33b73889682cfe9

Filesize: 180KB
MD5: 078d6db615d52707787b75e92450a492
SHA1: 642859694f6de0ba28a1874ba8dd6fab0efb608c
SHA256: 7334ae862cd657f138d0fcb9f9ad21f28e4862d8d3bdd8de1ad1eadd45300c37
SHA512: 42a8c44a546e1f63c30468e89a36d1bbf61d824d0466d86d0e36f15b1b639f9a58c1c32a1aa046762343bd4ad759dfee2c6e8fe4ac04277ff1b8906ff7282b15

Filesize: 180KB
MD5: 7e67e11a2ad8cc6b0651a6334072a49e
SHA1: 673102eebe297978b5554a7cfa14acae2b22ac69
SHA256: 2c56417f56f48eead0c1d97bb2fa141e217845f87e52c4cc668121cf75d945dc
SHA512: 43dcae046ce295464ddcc1f9eab22295fb400942bd324d4a2ea3e1a3bf91b6926a5b06ce3228dfa09aacd76fb01b4d2b78fbe6d88b67fb0cb97e5924613e7d92

Filesize: 180KB
MD5: 0bcef92b08a98cc4ae625dcb42d0ee6a
SHA1: a17cbe88d8f645d1a733fc6dfb4b3ae0745f2e86
SHA256: 320e2ded66e4129fe2119b585e7caa58f5c24078503f652cf9334443e25096df
SHA512: c1f010455d2b03f6cef518b2261a481e9cc54f3a27f729446f2d2c1fcfa41cc0398c057e160f89f7d2c0f1563d0f0f6ff38f399695ae8f2eca16c7bd32456cad