Analysis
max time kernel: 149s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 21:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
Size: 408KB
MD5: 6f29dcdc7a7f53d474224d34ee51fa0f
SHA1: b81b05f21fcca70fd8991138c83490c53beba0d1
SHA256: f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b
SHA512: 64329cd588b0a71009260b3d6c83bff27b554fe0a0510b36b0529bec10b525361ce00064225f7c56e45184118429bef488b6100490afb8a7aac9edccd742ab9c
SSDEEP: 3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures

Auto-generated rule 11 IoCs
resource | yara_rule
behavioral2/files/0x0006000000023202-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f6-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023209-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f6-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-29.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-45.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{430C0D23-6441-441f-908E-103B561E44D7}\stubpath = "C:\\Windows\\{430C0D23-6441-441f-908E-103B561E44D7}.exe" | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6434B841-0202-4607-A9E8-7C037F2850E7}\stubpath = "C:\\Windows\\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe" | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}\stubpath = "C:\\Windows\\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe" | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0} | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}\stubpath = "C:\\Windows\\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe" | {430C0D23-6441-441f-908E-103B561E44D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E} | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}\stubpath = "C:\\Windows\\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe" | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D54A8DF5-6FD3-4588-A326-7B20F770469B}\stubpath = "C:\\Windows\\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe" | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7587AF25-E249-451d-BF08-00CDB8CF0F2A} | {D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{430C0D23-6441-441f-908E-103B561E44D7} | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6434B841-0202-4607-A9E8-7C037F2850E7} | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88181780-0C18-4c7d-97DC-59C8EAC165FB} | {0413D311-79DF-4b3a-A516-83117C660534}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C66E93-6B3D-49ec-B317-0430026ADE94} | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749} | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}\stubpath = "C:\\Windows\\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe" | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C66E93-6B3D-49ec-B317-0430026ADE94}\stubpath = "C:\\Windows\\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe" | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D54A8DF5-6FD3-4588-A326-7B20F770469B} | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}\stubpath = "C:\\Windows\\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe" | {D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA} | {430C0D23-6441-441f-908E-103B561E44D7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}\stubpath = "C:\\Windows\\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe" | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0413D311-79DF-4b3a-A516-83117C660534} | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0413D311-79DF-4b3a-A516-83117C660534}\stubpath = "C:\\Windows\\{0413D311-79DF-4b3a-A516-83117C660534}.exe" | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88181780-0C18-4c7d-97DC-59C8EAC165FB}\stubpath = "C:\\Windows\\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe" | {0413D311-79DF-4b3a-A516-83117C660534}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2} | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
Executes dropped EXE 11 IoCs
pid | Process
2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe
4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe
4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe
4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
4200 | {D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
440 | {C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
File created | C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
File created | C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
File created | C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | {430C0D23-6441-441f-908E-103B561E44D7}.exe
File created | C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
File created | C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
File created | C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
File created | C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | {0413D311-79DF-4b3a-A516-83117C660534}.exe
File created | C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
File created | C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe
File created | C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe
Token: SeIncBasePriorityPrivilege | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
Token: SeIncBasePriorityPrivilege | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe
Token: SeIncBasePriorityPrivilege | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
Token: SeIncBasePriorityPrivilege | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
Token: SeIncBasePriorityPrivilege | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe
Token: SeIncBasePriorityPrivilege | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
Token: SeIncBasePriorityPrivilege | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
Token: SeIncBasePriorityPrivilege | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
Token: SeIncBasePriorityPrivilege | 2480 | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1464 wrote to memory of 2060 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 92
PID 1464 wrote to memory of 2060 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 92
PID 1464 wrote to memory of 2060 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 92
PID 1464 wrote to memory of 4444 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 93
PID 1464 wrote to memory of 4444 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 93
PID 1464 wrote to memory of 4444 | 1464 | 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe | 93
PID 2060 wrote to memory of 4532 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 94
PID 2060 wrote to memory of 4532 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 94
PID 2060 wrote to memory of 4532 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 94
PID 2060 wrote to memory of 4392 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 95
PID 2060 wrote to memory of 4392 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 95
PID 2060 wrote to memory of 4392 | 2060 | {430C0D23-6441-441f-908E-103B561E44D7}.exe | 95
PID 4532 wrote to memory of 2024 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 97
PID 4532 wrote to memory of 2024 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 97
PID 4532 wrote to memory of 2024 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 97
PID 4532 wrote to memory of 5080 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 98
PID 4532 wrote to memory of 5080 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 98
PID 4532 wrote to memory of 5080 | 4532 | {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe | 98
PID 2024 wrote to memory of 4864 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 99
PID 2024 wrote to memory of 4864 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 99
PID 2024 wrote to memory of 4864 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 99
PID 2024 wrote to memory of 408 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 100
PID 2024 wrote to memory of 408 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 100
PID 2024 wrote to memory of 408 | 2024 | {6434B841-0202-4607-A9E8-7C037F2850E7}.exe | 100
PID 4864 wrote to memory of 4536 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 101
PID 4864 wrote to memory of 4536 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 101
PID 4864 wrote to memory of 4536 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 101
PID 4864 wrote to memory of 2156 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 102
PID 4864 wrote to memory of 2156 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 102
PID 4864 wrote to memory of 2156 | 4864 | {1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe | 102
PID 4536 wrote to memory of 2452 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 103
PID 4536 wrote to memory of 2452 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 103
PID 4536 wrote to memory of 2452 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 103
PID 4536 wrote to memory of 4060 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 104
PID 4536 wrote to memory of 4060 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 104
PID 4536 wrote to memory of 4060 | 4536 | {EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe | 104
PID 2452 wrote to memory of 4388 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 105
PID 2452 wrote to memory of 4388 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 105
PID 2452 wrote to memory of 4388 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 105
PID 2452 wrote to memory of 4832 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 106
PID 2452 wrote to memory of 4832 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 106
PID 2452 wrote to memory of 4832 | 2452 | {0413D311-79DF-4b3a-A516-83117C660534}.exe | 106
PID 4388 wrote to memory of 4196 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 107
PID 4388 wrote to memory of 4196 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 107
PID 4388 wrote to memory of 4196 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 107
PID 4388 wrote to memory of 3784 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 108
PID 4388 wrote to memory of 3784 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 108
PID 4388 wrote to memory of 3784 | 4388 | {88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe | 108
PID 4196 wrote to memory of 3052 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 109
PID 4196 wrote to memory of 3052 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 109
PID 4196 wrote to memory of 3052 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 109
PID 4196 wrote to memory of 852 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 110
PID 4196 wrote to memory of 852 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 110
PID 4196 wrote to memory of 852 | 4196 | {15C66E93-6B3D-49ec-B317-0430026ADE94}.exe | 110
PID 3052 wrote to memory of 4200 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 111
PID 3052 wrote to memory of 4200 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 111
PID 3052 wrote to memory of 4200 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 111
PID 3052 wrote to memory of 4304 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 112
PID 3052 wrote to memory of 4304 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 112
PID 3052 wrote to memory of 4304 | 3052 | {D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe | 112
PID 2480 wrote to memory of 440 | 2480 | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe | 115
PID 2480 wrote to memory of 440 | 2480 | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe | 115
PID 2480 wrote to memory of 440 | 2480 | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe | 115
PID 2480 wrote to memory of 856 | 2480 | {7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe | 116
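The "Modifies Installed Components in the registry" and "Drops file in Windows directory" tables describe the same chain from two angles: every stage writes its successor to C:\Windows\{GUID}.exe and registers that path as the stubpath of a fresh Active Setup Installed Components entry, and since Active Setup runs each StubPath once per user at logon, every stage is also a persistence point. The Python below is an added example for this report, not tria.ge code and not logic recovered from the sample. It parses a subset of those rows (copied verbatim, plus one made-up benign Active Setup entry as a control), flags stubpath values that point at a GUID-named executable sitting directly under C:\Windows, walks the writer-to-target relation to recover the chain, and cross-checks which dropped files were registered by the very process that wrote them. The regexes, the GUID-name heuristic and the control row are assumptions of the example.

```python
"""Correlate the report's Active Setup registry writes with its file-drop rows
and walk the dropper chain they describe.

Added example for this report, not tria.ge code or the sample's own logic;
the row regexes, the GUID-name heuristic and the control entry are assumptions.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed input: rows copied from the report tables (a subset of the chain)
# plus one made-up benign Active Setup entry as a control.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{430C0D23-6441-441f-908E-103B561E44D7}\stubpath = "C:\\Windows\\{430C0D23-6441-441f-908E-103B561E44D7}.exe" 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA} {430C0D23-6441-441f-908E-103B561E44D7}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}\stubpath = "C:\\Windows\\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe" {430C0D23-6441-441f-908E-103B561E44D7}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6434B841-0202-4607-A9E8-7C037F2850E7}\stubpath = "C:\\Windows\\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe" {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}\stubpath = "C:\\Windows\\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe" {6434B841-0202-4607-A9E8-7C037F2850E7}.exe',
    # Constructed benign control: a vendor installer registering a stub under Program Files.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = "C:\\Program Files\\ExampleVendor\\firstrun.exe" ExampleSetup.exe',
    r'File created C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe',
    r'File created C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe {430C0D23-6441-441f-908E-103B561E44D7}.exe',
    r'File created C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe {C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe',
    r'File created C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe {6434B841-0202-4607-A9E8-7C037F2850E7}.exe',
]

STUBPATH_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\(?P<clsid>\{[0-9a-f-]+\})'
    r'\\stubpath = "(?P<stub>[^"]*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
FILE_CREATED_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')
# A GUID-named .exe placed directly in C:\Windows, no subdirectory.
GUID_EXE_IN_WINDOWS_RE = re.compile(
    r'^[a-z]:\\Windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$',
    re.IGNORECASE,
)


class StubPath(NamedTuple):
    clsid: str
    target: str   # path the stubpath value points at, backslashes unescaped
    writer: str   # process that wrote the value


class FileDrop(NamedTuple):
    path: str
    writer: str


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def parse_rows(rows: List[str]) -> Tuple[List[StubPath], List[FileDrop]]:
    """Split report rows into stubpath writes and file drops. "Key created"
    rows carry no target and are skipped."""
    stubs, drops = [], []
    for row in rows:
        m = STUBPATH_RE.match(row)
        if m:
            # The report displays REG_SZ backslashes doubled; fold them back.
            stubs.append(StubPath(m['clsid'], m['stub'].replace('\\\\', '\\'), m['proc']))
            continue
        m = FILE_CREATED_RE.match(row)
        if m:
            drops.append(FileDrop(m['path'], m['proc']))
    return stubs, drops


def suspicious_stubpaths(stubs: List[StubPath]) -> List[StubPath]:
    """Entries whose stub is a GUID-named .exe dropped straight into the
    Windows directory, the shape of all 12 stubpath writes in the report."""
    return [s for s in stubs if GUID_EXE_IN_WINDOWS_RE.match(s.target)]


def walk_chain(stubs: List[StubPath], root: str) -> List[str]:
    """Follow writer -> registered stub, starting at the submitted sample.
    A cycle guard stops the walk if a stage re-registers an earlier one."""
    successor = {s.writer: basename(s.target) for s in stubs}
    chain, seen = [root], {root}
    while chain[-1] in successor and successor[chain[-1]] not in seen:
        nxt = successor[chain[-1]]
        chain.append(nxt)
        seen.add(nxt)
    return chain


def drops_matching_registration(stubs: List[StubPath], drops: List[FileDrop]) -> List[str]:
    """Files that one and the same process both wrote to disk and registered
    as an Active Setup stub: dropper and persistence installer coincide."""
    registered = {(basename(s.target).lower(), s.writer.lower()) for s in stubs}
    return sorted(basename(d.path) for d in drops
                  if (basename(d.path).lower(), d.writer.lower()) in registered)


if __name__ == '__main__':
    stubs, drops = parse_rows(REPORT_ROWS)
    for s in suspicious_stubpaths(stubs):
        print(f'Active Setup {s.clsid} -> {s.target} (written by {s.writer})')
    print(' -> '.join(walk_chain(stubs, '2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe')))
    print('dropped and registered by the same process:', drops_matching_registration(stubs, drops))
```

On a live host the same heuristic applies to the HKLM (and WOW6432Node) Installed Components keys directly: a StubPath pointing at a GUID-named executable in the root of the Windows directory, written by something other than an installer, is worth an alert on its own; the chain walk then tells you how many stages to clean up.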
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"
  PID: 1464
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
    cmdline: C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
    PID: 2060
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
      cmdline: C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
      PID: 4532
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
        cmdline: C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
        PID: 2024
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        depth 5: C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
          cmdline: C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
          PID: 4864
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
            cmdline: C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
            PID: 4536
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            depth 7: C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
              cmdline: C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
              PID: 2452
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              depth 8: C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
                cmdline: C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
                PID: 4388
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                depth 9: C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
                  cmdline: C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
                  PID: 4196
                  - Modifies Installed Components in the registry
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  depth 10: C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
                    cmdline: C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
                    PID: 3052
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    depth 11: C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
                      cmdline: C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
                      PID: 4200
                      - Modifies Installed Components in the registry
                      - Executes dropped EXE
                      depth 12: C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
                        cmdline: C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
                        PID: 2480
                        - Modifies Installed Components in the registry
                        - Drops file in Windows directory
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        depth 13: C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
                          cmdline: C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
                          PID: 440
                          - Executes dropped EXE
                        depth 13: C:\Windows\SysWOW64\cmd.exe
                          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{7587A~1.EXE > nul
                          PID: 856
                      depth 12: C:\Windows\SysWOW64\cmd.exe
                        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D54A8~1.EXE > nul
                        PID: 3748
                    depth 11: C:\Windows\SysWOW64\cmd.exe
                      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{D3462~1.EXE > nul
                      PID: 4304
                  depth 10: C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{15C66~1.EXE > nul
                    PID: 852
                depth 9: C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{88181~1.EXE > nul
                  PID: 3784
              depth 8: C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{0413D~1.EXE > nul
                PID: 4832
            depth 7: C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{EB124~1.EXE > nul
              PID: 4060
          depth 6: C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{1C36D~1.EXE > nul
            PID: 2156
        depth 5: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{6434B~1.EXE > nul
          PID: 408
      depth 4: C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{C12F5~1.EXE > nul
        PID: 5080
    depth 3: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c del C:\Windows\{430C0~1.EXE > nul
      PID: 4392
  depth 2: C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 4444
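Each stage in the tree above, once it has started its successor, spawns cmd.exe with `/c del <path> > nul` to remove its own image, and the deletion targets appear as 8.3 short names ({430C0~1.EXE, 2024-0~1.EXE) rather than the long GUID names seen in the drop table, which defeats a naive string match between "File created" and "del" events. The Python below is an added example for this report, not tria.ge code and not the sample's own logic. It takes a subset of the tree, constructed here as process events with parent PIDs inferred from the depths and one made-up unrelated deletion as a control, derives the 8.3 candidate for each known long name the way NTFS builds them (first six permitted characters of the stem, ~N, first three of the extension, upper-cased), and flags a cmd.exe whose deletion target resolves to the image of the process that spawned it. The ~N number depends on what else was in the directory at the time, so the resolver returns every candidate rather than guessing.

```python
"""Resolve the 8.3 short names in the tree's "cmd /c del" command lines back to
the dropped long names and flag cmd.exe children that delete their parent's image.

Added example for this report, not tria.ge code or the sample's own logic.
Parent PIDs are inferred from the tree depths; the 8.3 derivation is a
simplified model of NTFS short-name generation; the pid 9001 event is made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed events: a subset of the process tree plus one unrelated deletion
# (pid 9001) that must not be flagged.
EVENTS: List[Dict] = [
    {"pid": 1464, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"'},
    {"pid": 2060, "ppid": 1464, "image": r"C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe",
     "cmdline": r"C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe"},
    {"pid": 4444, "ppid": 1464, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 4532, "ppid": 2060, "image": r"C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe",
     "cmdline": r"C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe"},
    {"pid": 4392, "ppid": 2060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{430C0~1.EXE > nul"},
    {"pid": 5080, "ppid": 4532, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C12F5~1.EXE > nul"},
    # Constructed control: a deletion of something other than the parent image.
    {"pid": 9001, "ppid": 4532, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\report.tmp > nul"},
]

DEL_RE = re.compile(r'/c\s+del\s+(?P<target>\S+)', re.IGNORECASE)
# STEM~N.EXT: up to six stem characters, a tilde-number, optional 3-char extension.
SHORT_NAME_RE = re.compile(r'^(?P<stem>[^~\\]{1,6})~\d+(?:\.(?P<ext>[^.\\]{0,3}))?$')
# Characters NTFS drops when forming an 8.3 name (simplified list).
NOT_IN_83 = set(' +,;=[]')


def short_name_key(long_name: str) -> Tuple[str, str]:
    """(STEM6, EXT3) NTFS would give long_name before picking ~N: drop
    disallowed characters and embedded dots, keep the first six stem
    characters and the first three of the extension, upper-case both."""
    stem, dot, ext = long_name.rpartition('.')
    if not dot:
        stem, ext = long_name, ''
    stem = ''.join(c for c in stem if c not in NOT_IN_83 and c != '.')
    return stem[:6].upper(), ext[:3].upper()


def resolve_short_path(path: str, known_files: List[str]) -> List[str]:
    """Candidates among known_files for a path whose last component is an
    8.3 name. Several long names can share a stem (~1, ~2, ...) and the
    number cannot be recovered from the name alone, so all are returned."""
    directory, _, name = path.rpartition('\\')
    m = SHORT_NAME_RE.match(name)
    if not m:
        return [path]                       # already a long name
    key = (m['stem'].upper(), (m['ext'] or '').upper())
    out = []
    for f in known_files:
        f_dir, _, f_name = f.rpartition('\\')
        if f_dir.lower() == directory.lower() and short_name_key(f_name) == key:
            out.append(f)
    return out


def find_self_deletes(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, deleted image) for every cmd.exe "del" whose
    target resolves to the image of the process that spawned it."""
    by_pid = {e['pid']: e for e in events}
    known = [e['image'] for e in events]
    hits = []
    for e in events:
        m = DEL_RE.search(e['cmdline'])
        parent = by_pid.get(e['ppid'])
        if not m or parent is None:
            continue
        for target in resolve_short_path(m['target'], known):
            if target.lower() == parent['image'].lower():
                hits.append((e['pid'], parent['pid'], target))
    return hits


if __name__ == '__main__':
    for cmd_pid, parent_pid, image in find_self_deletes(EVENTS):
        print(f'pid {cmd_pid} deletes the image of its parent pid {parent_pid}: {image}')
```

The same resolver is useful against EDR telemetry, where command lines frequently carry short names (PROGRA~1, 2024-0~1.EXE) while file-create events carry long ones; matching on the (STEM6, EXT3) key instead of the raw string is what lets the two event streams be joined.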
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 408KB
MD5: a39610067739f57b48e06ee2c5f34a8b
SHA1: 20e12a6e21abaf6b95aa9bfb9bb86bc091107e84
SHA256: 4cc0271100a268d1c2143804a5fcf311a676fad922214740fd8023eaba0ffd06
SHA512: 0c7a5ab84d11fd57820c91d25853168ceeb28837f2680009ae06a61bf70e3eef731236d8df0f25b7e1b2a383dbb09fa60602a2cc455b63ccc2fa1037e5272e36

Filesize: 408KB
MD5: 6ec5b5d358618dedf62e751bf3890bfc
SHA1: 28ba1d595367c90c92d1723e9d1bf3d757fb4cf7
SHA256: bd14821c89f79e9493eb5d05292b6148478e899a6032a2e4e9d65efdbdea174f
SHA512: 4cdd674e0043e75facc512f2b9a27598249701bd0403ece77b9746ecc73a828ba7b6574aa22a883280c8259ae2583a5763cfe47dcf9987791041cd434b7570a8

Filesize: 408KB
MD5: e6e51094eca4bedd2f1b13ef454742e7
SHA1: ea4b92e5978de3b7bff9ae8690b5c210fe18f0ca
SHA256: 4c3702b1416be1933faacde794ee9f03e8b2e27bfad410ad6024048ac5320193
SHA512: d92aa36823aedcb0a35cafad4fe088780fc0edeb0ac46a3508f945c89a7a41a394fae5e5eac3a36553c04979f860e3c02076ed657c952b11079438d70e2523a3

Filesize: 408KB
MD5: c97f744563f30f2cff976e20081defe6
SHA1: a4f58ee0e54e0127e91d0e699117c722e2167f35
SHA256: 0fcca0dc8400e420cbdc7db070f9a611f7567b18f2d71fb8f89d32527edeffdb
SHA512: e7c077613bc05ed7a75aa5ee38f0e8c17ed5732b5125d21841224c68757effacb4334b18cc99e65b032943bcbf1f510f650ac37ebcd4fc7b71154a1d6991db68

Filesize: 408KB
MD5: f03ea52bea24c3a0d1a198cf81de8092
SHA1: 0e6b5d171389f5327d9990becf623c59ab754b0f
SHA256: f27034159c845de8f32061bebe252063eaade31a8366883a6a8c95803fd5dcfb
SHA512: ef1c87dc9bd9c5394ed9336a05cc36f0375930c75ef7911f8ac4baa20cf6cfa238785f572b1fd3982f56b2da161b8dc0505175a7d139255edd8c33e553945680

Filesize: 408KB
MD5: 531304c7fdb0bc8146f104a4adad9675
SHA1: d3875494d4a02c85e5a8632672511fd6425f594d
SHA256: cfa3ce881589ad94b0f0ae036c1c7336e9486adcf62e75dd8e68aa03e6000cd1
SHA512: efb1880f5262204bd516b46b5c7ef3b0ab4efbe2f60364d476d2c4758349236285ba89092cfa2535417ad9f32b418ecfddd87edf722b57d46fbcae88cfce2cbe

Filesize: 408KB
MD5: 13d0abda867b2401b429e7ce80bed628
SHA1: be63fbcb6ae198892fa576bcefee57d9fc24a653
SHA256: 364dcc64baa86c6bfcf85acbfc6c5f0c3d4887351e864b350916b5a14c743acc
SHA512: 8faf821ec28ccce6c9241ecd76d1458ba86cdfcd615dafd3f15d6aec36eb69fcb1c0492078aa5bd51e9041b488ce50057261c04bb6c4dc41e10abf3f4d099a0d

Filesize: 408KB
MD5: f265abb664ef4aa60c0f4078ff0be588
SHA1: ce6077253b8d5ff646428af05d8378d436512a99
SHA256: 20f70f72f4ad740061c0e4c517c01b5b3693166517a8d1805dd1b55942e146d3
SHA512: ea2f02146e228299cf3c3b96858a9afca9481a7380f0cd5109c35cbe846d8087c7661f71872a10c29e43a2c4e6689a0b56d6012a8c09b0413c66446e8b359fc3

Filesize: 408KB
MD5: 4ff75fbdc64938bcd263958fa0849402
SHA1: 514edef1ecd7a1ac5309762e8b347647e701b3c3
SHA256: d7521de6bfa8716a0038671cf2ad885f7443a4c0c9b82045298f1d88f17090da
SHA512: 0324cfed26ab15f715f53bd5936fe2dabe67440e4991d6c83bc23b84558947d4dc4d9124ac78641969f14c91bbf25276c5d1c290f273341aa8de83a88073988d

Filesize: 408KB
MD5: d8fd1cb7d56ac0a840dc966f4cbbeef8
SHA1: 00f097c0072e79955342cfd60c250bce455bba0e
SHA256: 328496c062585ad67b235829978f827d8ca4fa56208b4f3fa4d1abc3cb96bb86
SHA512: cee9d68c81ba051ae9a4ea043433b4ec715de374d51607f0f6da7b2f57eb2750a913f6e4f9596d2a9844f0e6b91161c9c10e21959910b72410300a83ac64278b

Filesize: 408KB
MD5: fcd8d8bbaa1f5855a41c6fd8ceacad22
SHA1: c1baaa1cd66315929754756ea800b2fc8f4fbd5d
SHA256: 342f98550d67769a421208462a929687da787109d4b9866e0e87e5be88ec661a
SHA512: 7443fdfbc7ee7016c0edd373f396bc01a0df7c4052cdb8e775a193647d792c25b2a1231b1a095c45e4556692b40d2e55a1f6f7e9c525c5b30b2a8c646ea86030