Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
Size: 380KB
MD5: 8c67995833d225fec4058ef2767ccfc3
SHA1: 86a19b8865a11660c4f7124cfb9acb5343aab9a6
SHA256: 40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90
SHA512: 945aae6b041e6fb6f0481f9a8098155705ff11e7bbed8dd07a2d00d1e51dfb5c1a14e47e3900be66aefa274dace6a274cd61d1ccb5609fcdf804fe649eb291d4
SSDEEP: 3072:mEGh0oxlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGTl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (12 IoCs)
resource | yara_rule
behavioral2/files/0x000a000000023124-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023214-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321a-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023214-13.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321a-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c86-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021c87-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-42.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69AD0E30-5C72-4972-8ADA-033698153D5D} | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8} | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46494377-F956-473d-8783-F4D6CB7DF16C} | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20796186-C809-46e9-AA62-FEE02AD318A9} | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20796186-C809-46e9-AA62-FEE02AD318A9}\stubpath = "C:\\Windows\\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe" | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D23301-4294-4d2d-8B11-DA2AC8834B14}\stubpath = "C:\\Windows\\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe" | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9669F571-58D3-457d-99A4-C87C7DEE27A5} | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}\stubpath = "C:\\Windows\\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe" | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B124C05F-AA98-4252-8045-A96047CF4392}\stubpath = "C:\\Windows\\{B124C05F-AA98-4252-8045-A96047CF4392}.exe" | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C} | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}\stubpath = "C:\\Windows\\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe" | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69AD0E30-5C72-4972-8ADA-033698153D5D}\stubpath = "C:\\Windows\\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe" | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC} | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}\stubpath = "C:\\Windows\\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe" | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B124C05F-AA98-4252-8045-A96047CF4392} | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{954C3D71-5268-4731-9EA8-0B74D2B76E09} | {B124C05F-AA98-4252-8045-A96047CF4392}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{954C3D71-5268-4731-9EA8-0B74D2B76E09}\stubpath = "C:\\Windows\\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe" | {B124C05F-AA98-4252-8045-A96047CF4392}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46494377-F956-473d-8783-F4D6CB7DF16C}\stubpath = "C:\\Windows\\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe" | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51D23301-4294-4d2d-8B11-DA2AC8834B14} | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC} | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}\stubpath = "C:\\Windows\\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe" | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9669F571-58D3-457d-99A4-C87C7DEE27A5}\stubpath = "C:\\Windows\\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe" | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{615AE48F-379C-474b-B573-CA8696803F47} | {2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{615AE48F-379C-474b-B573-CA8696803F47}\stubpath = "C:\\Windows\\{615AE48F-379C-474b-B573-CA8696803F47}.exe" | {2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
Executes dropped EXE (12 IoCs)
pid | Process
5068 | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
2692 | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
3100 | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
2196 | {B124C05F-AA98-4252-8045-A96047CF4392}.exe
1372 | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
1972 | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe
2280 | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe
216 | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
4384 | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
4116 | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
1352 | {2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
3116 | {615AE48F-379C-474b-B573-CA8696803F47}.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
File created | C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe
File created | C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
File created | C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe
File created | C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
File created | C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
File created | C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
File created | C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
File created | C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
File created | C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe | {B124C05F-AA98-4252-8045-A96047CF4392}.exe
File created | C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
File created | C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe | {2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4520 | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 5068 | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
Token: SeIncBasePriorityPrivilege | 2692 | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
Token: SeIncBasePriorityPrivilege | 3100 | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
Token: SeIncBasePriorityPrivilege | 2196 | {B124C05F-AA98-4252-8045-A96047CF4392}.exe
Token: SeIncBasePriorityPrivilege | 1372 | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
Token: SeIncBasePriorityPrivilege | 1972 | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe
Token: SeIncBasePriorityPrivilege | 2280 | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe
Token: SeIncBasePriorityPrivilege | 216 | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
Token: SeIncBasePriorityPrivilege | 4384 | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
Token: SeIncBasePriorityPrivilege | 4116 | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
Token: SeIncBasePriorityPrivilege | 1352 | {2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report caps this list at 64 rows)
The sandbox records each of the 64 write events as its own row; identical rows are collapsed here with an occurrence count.
description | pid | Process | procid_target | occurrences
PID 4520 wrote to memory of 5068 | 4520 | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe | 92 | 3
PID 4520 wrote to memory of 1452 | 4520 | 2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe | 93 | 3
PID 5068 wrote to memory of 2692 | 5068 | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe | 96 | 3
PID 5068 wrote to memory of 2608 | 5068 | {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe | 97 | 3
PID 2692 wrote to memory of 3100 | 2692 | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe | 99 | 3
PID 2692 wrote to memory of 1216 | 2692 | {9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe | 100 | 3
PID 3100 wrote to memory of 2196 | 3100 | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe | 101 | 3
PID 3100 wrote to memory of 4016 | 3100 | {6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe | 102 | 3
PID 2196 wrote to memory of 1372 | 2196 | {B124C05F-AA98-4252-8045-A96047CF4392}.exe | 103 | 3
PID 2196 wrote to memory of 2000 | 2196 | {B124C05F-AA98-4252-8045-A96047CF4392}.exe | 104 | 3
PID 1372 wrote to memory of 1972 | 1372 | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe | 105 | 3
PID 1372 wrote to memory of 2508 | 1372 | {954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe | 106 | 3
PID 1972 wrote to memory of 2280 | 1972 | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe | 107 | 3
PID 1972 wrote to memory of 760 | 1972 | {46494377-F956-473d-8783-F4D6CB7DF16C}.exe | 108 | 3
PID 2280 wrote to memory of 216 | 2280 | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe | 109 | 3
PID 2280 wrote to memory of 2624 | 2280 | {20796186-C809-46e9-AA62-FEE02AD318A9}.exe | 110 | 3
PID 216 wrote to memory of 4384 | 216 | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe | 111 | 3
PID 216 wrote to memory of 332 | 216 | {51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe | 112 | 3
PID 4384 wrote to memory of 4116 | 4384 | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe | 113 | 3
PID 4384 wrote to memory of 3392 | 4384 | {9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe | 114 | 3
PID 4116 wrote to memory of 1352 | 4116 | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe | 115 | 3
PID 4116 wrote to memory of 1632 | 4116 | {D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe | 116 | 1
Processes
Process tree, flattened. The number in brackets is the depth in the tree; a process at depth N was launched by the executable at depth N-1. Each stage drops and starts the next stage, then launches a cmd.exe that deletes the stage's own file.

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"
    PID: 4520
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe (parent PID 4520)
    Command line: C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
    PID: 5068
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe (parent PID 5068)
    Command line: C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
    PID: 2692
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe (parent PID 2692)
    Command line: C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
    PID: 3100
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe (parent PID 3100)
    Command line: C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
    PID: 2196
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe (parent PID 2196)
    Command line: C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
    PID: 1372
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe (parent PID 1372)
    Command line: C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
    PID: 1972
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe (parent PID 1972)
    Command line: C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
    PID: 2280
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe (parent PID 2280)
    Command line: C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
    PID: 216
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe (parent PID 216)
    Command line: C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
    PID: 4384
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe (parent PID 4384)
    Command line: C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
    PID: 4116
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe (parent PID 4116)
    Command line: C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
    PID: 1352
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[13] C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe (parent PID 1352)
    Command line: C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe
    PID: 3116
    - Executes dropped EXE

[13] C:\Windows\SysWOW64\cmd.exe (parent PID 1352)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5C8~1.EXE > nul
    PID: 552

[12] C:\Windows\SysWOW64\cmd.exe (parent PID 4116)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D9833~1.EXE > nul
    PID: 1632

[11] C:\Windows\SysWOW64\cmd.exe (parent PID 4384)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9669F~1.EXE > nul
    PID: 3392

[10] C:\Windows\SysWOW64\cmd.exe (parent PID 216)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{51D23~1.EXE > nul
    PID: 332

[9] C:\Windows\SysWOW64\cmd.exe (parent PID 2280)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{20796~1.EXE > nul
    PID: 2624

[8] C:\Windows\SysWOW64\cmd.exe (parent PID 1972)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{46494~1.EXE > nul
    PID: 760

[7] C:\Windows\SysWOW64\cmd.exe (parent PID 1372)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{954C3~1.EXE > nul
    PID: 2508

[6] C:\Windows\SysWOW64\cmd.exe (parent PID 2196)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B124C~1.EXE > nul
    PID: 2000

[5] C:\Windows\SysWOW64\cmd.exe (parent PID 3100)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6E78C~1.EXE > nul
    PID: 4016

[4] C:\Windows\SysWOW64\cmd.exe (parent PID 2692)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEF2~1.EXE > nul
    PID: 1216

[3] C:\Windows\SysWOW64\cmd.exe (parent PID 5068)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{69AD0~1.EXE > nul
    PID: 2608

[2] C:\Windows\SysWOW64\cmd.exe (parent PID 4520)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 1452
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 380KB
  MD5: 638e397f7fe47de270e0220ce4b7ba20
  SHA1: 3e09eb275628d8e178832486db75c94d5e1fcc83
  SHA256: 3330a2d2249afca14cccae0273b4a62d72bfacc2302479e885119e408f38eff7
  SHA512: 048b2a802c43a93a5f09c4154f14b7371ac84ad66e66f5630e4f97ce4dc105235a4d131f0ae624fb93695b15add73e52b9c3c47b57f0eb22fbf489543df28838
- Filesize: 380KB
  MD5: ae76382ad8378c2c87874091f255b0d5
  SHA1: 2972fb2a946c240c59b848855086d9c4adf6998b
  SHA256: 16e203977448b20094136871ac2620bfb111d32950e765a674967d17d1a73a58
  SHA512: 47fcb8f19849afc26f8517f5126a5c1f01a0ef6f6746ffd53d891ae5e233053c47e83ce84f3e0f13834b5a986ca0df292cb93eb7056f7964cd56bd42b5f24146
- Filesize: 380KB
  MD5: ca7109822e6cfaf2a1af577244f2920c
  SHA1: 5d80052b368c2ee9844c8b520fd1d78d74289009
  SHA256: 795e91e405957dc4e8f14dd581cf06dcafcff227ace3edeb7f72d28ab3d1ab23
  SHA512: 5b68b3c17e517320960fba33f925bfa709e0aa108767f690dbecb5cb4cd74d39c2bfee3f240a0e4388734dc133fbb7857099378cbe8383898f23a5873d945471
- Filesize: 380KB
  MD5: e02d46a1fde63d3d7e9dc98635590596
  SHA1: 2f15c4c7c5f792b61860e116f1523012951f766c
  SHA256: a7cd600a3cc97d1f6ebfeb316298898fd7620fd19e0875325779f7bb6451e5fe
  SHA512: 48c60b0f99f736fa33c600e8d038ed9e3fe1a9583a6b4fb301d92b8303fc60db797e47163c5d63f98a79f47a68cc4cfdf84498a7dcd74fd697f8c53e71241e3e
- Filesize: 380KB
  MD5: 7271f7fd4216b79aad1ba93621fb8cf3
  SHA1: 7d976676e12cc7ff39f016ab3f8b47993a616ce1
  SHA256: e6992493d49ada8329da39ceb3a51e99a30d338ad30615facee18372922ebe25
  SHA512: b474c76b29eba4348cd89d124b052d334adbd44e7b6dfd90212079595bb78c6404c39f94a59ac1572cced13836ce40317913b71d69b3bda3987344a594bb382c
- Filesize: 380KB
  MD5: dedbb4a21c8cb96e68d8a48afce9dc4b
  SHA1: 4ec0e5c76f9c0b0d3b5cdb7085d5556656652f47
  SHA256: 4bfd8d53825d21e5cccdc7d624e910dd498ed189a8547d1a40cceb7dbc4b03f2
  SHA512: 48cd4b5d3c67e55c76a428d5db5cca833a4b69ce4a011f6e4480eac22590407826e2e21bceeeae9ff01a741cdb04091dba43cec443ec9b831ac43ad1d90f2542
- Filesize: 380KB
  MD5: 72add08a7fe4edbd9f6f8f772955fab7
  SHA1: ac3c3c2bf19407c0b6bd2321e3224e6a69e0fdce
  SHA256: 1ba82af1286fe44240ee11fafc10fe0b41dbbd3e4c341cbecfa46455b9cf9625
  SHA512: ef982069337e7d5e09b01181133470714f2f09b453e77987a801e6a7fc72a589a065159cece4189a9a7982926f9c53cd278e752734bfc269f6052e283047493c
- Filesize: 380KB
  MD5: d2b3cf41526d12a408ead0393d256516
  SHA1: f7febde408852e80876b9ff1711216f0c6bd81fb
  SHA256: 48e60085828790b7da9e699d8d25417ff67b525684ad0c96f886b55ae628f88f
  SHA512: 3e7c6567de9b390ee2b28f6f9bb48fff525efeac91c57dfde8cfece5e0eea03d0c9754d6c43c2df72abe24292c4629e0ee163c0d6dae3f88abdf6c27f5c06828
- Filesize: 380KB
  MD5: 7bb1314b66001ae9f3756898ff3d98bd
  SHA1: 1ee8f75be0374fe1a303bdc115ae9b7fc330759b
  SHA256: a56331ba3f5f0cc3ab2534f390dc9bb5e7eb4dd9cf941d7895c998e1bfda0858
  SHA512: e1cb46fc3c8ef58904ca409d5a05506f027e10b8910a294ac2988aa6a846cd445c861f0ff160cbd766e3e31f437c7f9f263f7e1325575a569ee7e28d1f766e18
- Filesize: 380KB
  MD5: 8764ca4173ee3854370d419746d02be1
  SHA1: 0b5dca907685159ab3757f2aef7ddfa804571d6e
  SHA256: 96fab3c27830489548a207897067003a9bc8fd141b9086f0772c45acf0a5d2b0
  SHA512: 5321b81dbd73d7bd6f8a30b73bd2a04d3eb85943678b711bb17984c1ea6eb45814528defc9d66151bde575d278c1c35a6c156aee3d5653f62dc51680bd8709bc
- Filesize: 380KB
  MD5: 89b710518ca00d5a34c44030f2361c72
  SHA1: 3dcc5b83709086a09f316fbc4d4266f66fca5da2
  SHA256: 87d4f1d589e1de32641619052e61eab68aa4d24022420913032821ca82983d5d
  SHA512: 82a909dbb185b2e4d2c750fdbc670c2d16dbd2656f115b3e5d31a686a98dbfa701b261a11b3934a336746a401d5c9cfcfcec0dc43a23f45dcb98893684317dc1
- Filesize: 380KB
  MD5: 0e50b84893c33492b3919db64f7fe0bc
  SHA1: 49cc65d91e7e9d35208e34469cd9979308852305
  SHA256: 38d6dccff438e42184318c7c565400aeaddfd3c8387f654edd06ffca4d5600fa
  SHA512: 29d252027aaa2ba133c0607a34af5ff26793d59c6f82d17950cab06a92e0f4855bbbe2d8842eb05cfa06bc3f48267be41b944a49f3bc07bfa57c7e965eb1de12