Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 21:38
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
  - Resource: win10v2004-20240319-en
General
- Target: 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
- Size: 372KB
- MD5: 5dafa0615125a3ba50e55994a49633fa
- SHA1: 8e9722fa468434a42a756be6e92b8193a73282db
- SHA256: 69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354
- SHA512: db0e0ecf2dda507800c456cefd6a62f6fd42d63158e0682b2dee300e841bd71420e0b5cf48441524f738000c4e4f947e95bbc1b7260d517217736e4da596508f
- SSDEEP: 3072:CEGh0omlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures

Auto-generated rule (11 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x000b000000014fe1-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x00090000000155e2-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000a0000000155e2-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001000000000f680-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x000b0000000155e2-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001100000000f680-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0008000000015c0d-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001200000000f680-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x0009000000015c0d-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral1/files/0x001300000000f680-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084}\stubpath = "C:\\Windows\\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe" | {32148707-3305-494f-A23A-AEC08124CDAD}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B} | {5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A}\stubpath = "C:\\Windows\\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe" | {DCD29460-11A4-4d46-A081-02C2CD14383A}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}\stubpath = "C:\\Windows\\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe" | {69263369-47D9-4e42-A912-82A0B11DFD2A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3} | {C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}\stubpath = "C:\\Windows\\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe" | {C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD}\stubpath = "C:\\Windows\\{32148707-3305-494f-A23A-AEC08124CDAD}.exe" | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D46139DD-DE2D-4650-BB17-228C544F5084} | {32148707-3305-494f-A23A-AEC08124CDAD}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}\stubpath = "C:\\Windows\\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe" | {A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0} | {AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A} | {0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}\stubpath = "C:\\Windows\\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe" | {D46139DD-DE2D-4650-BB17-228C544F5084}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}\stubpath = "C:\\Windows\\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe" | {5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C} | {18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5} | {A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}\stubpath = "C:\\Windows\\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe" | {AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCD29460-11A4-4d46-A081-02C2CD14383A}\stubpath = "C:\\Windows\\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe" | {0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69263369-47D9-4e42-A912-82A0B11DFD2A} | {DCD29460-11A4-4d46-A081-02C2CD14383A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008} | {69263369-47D9-4e42-A912-82A0B11DFD2A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32148707-3305-494f-A23A-AEC08124CDAD} | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5263DFA3-8555-4a39-962D-E3CE219F7BC2} | {D46139DD-DE2D-4650-BB17-228C544F5084}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}\stubpath = "C:\\Windows\\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe" | {18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe |
Deletes itself (1 IoC)

| pid | Process |
| --- | --- |
| 1324 | cmd.exe |
Executes dropped EXE (11 IoCs)

| pid | Process |
| --- | --- |
| 1216 | {32148707-3305-494f-A23A-AEC08124CDAD}.exe |
| 2488 | {D46139DD-DE2D-4650-BB17-228C544F5084}.exe |
| 2500 | {5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe |
| 2776 | {18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe |
| 1848 | {A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe |
| 1428 | {AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe |
| 2288 | {0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe |
| 1916 | {DCD29460-11A4-4d46-A081-02C2CD14383A}.exe |
| 1708 | {69263369-47D9-4e42-A912-82A0B11DFD2A}.exe |
| 768 | {C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe |
| 1276 | {DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe | {5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe |
| File created | C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe | {18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe |
| File created | C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe | {A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe |
| File created | C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe | {DCD29460-11A4-4d46-A081-02C2CD14383A}.exe |
| File created | C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe | {69263369-47D9-4e42-A912-82A0B11DFD2A}.exe |
| File created | C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe | {32148707-3305-494f-A23A-AEC08124CDAD}.exe |
| File created | C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe | {D46139DD-DE2D-4650-BB17-228C544F5084}.exe |
| File created | C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe | {0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe |
| File created | C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe | {C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe |
| File created | C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe |
| File created | C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe | {AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe |
Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | 2804 | 2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 1216 | {32148707-3305-494f-A23A-AEC08124CDAD}.exe |
| Token: SeIncBasePriorityPrivilege | 2488 | {D46139DD-DE2D-4650-BB17-228C544F5084}.exe |
| Token: SeIncBasePriorityPrivilege | 2500 | {5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe |
| Token: SeIncBasePriorityPrivilege | 2776 | {18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe |
| Token: SeIncBasePriorityPrivilege | 1848 | {A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe |
| Token: SeIncBasePriorityPrivilege | 1428 | {AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe |
| Token: SeIncBasePriorityPrivilege | 2288 | {0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe |
| Token: SeIncBasePriorityPrivilege | 1916 | {DCD29460-11A4-4d46-A081-02C2CD14383A}.exe |
| Token: SeIncBasePriorityPrivilege | 1708 | {69263369-47D9-4e42-A912-82A0B11DFD2A}.exe |
| Token: SeIncBasePriorityPrivilege | 768 | {C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the bracketed number is the depth in the process tree)

- [1] C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
  PID: 2804
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
  Command line: C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
  PID: 1216
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
  Command line: C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
  PID: 2488
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
  Command line: C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
  PID: 2500
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
  Command line: C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
  PID: 2776
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
  Command line: C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
  PID: 1848
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
  Command line: C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
  PID: 1428
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
  Command line: C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
  PID: 2288
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
  Command line: C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
  PID: 1916
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [10] C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
  Command line: C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
  PID: 1708
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [11] C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
  Command line: C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
  PID: 768
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [12] C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
  Command line: C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
  PID: 1276
  - Executes dropped EXE
- [12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AC8~1.EXE > nul
  PID: 2648
- [11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{69263~1.EXE > nul
  PID: 2428
- [10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD29~1.EXE > nul
  PID: 1772
- [9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0730A~1.EXE > nul
  PID: 944
- [8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA72~1.EXE > nul
  PID: 2304
- [7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A456D~1.EXE > nul
  PID: 1840
- [6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{18989~1.EXE > nul
  PID: 1096
- [5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5263D~1.EXE > nul
  PID: 2988
- [4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D4613~1.EXE > nul
  PID: 2332
- [3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{32148~1.EXE > nul
  PID: 2608
- [2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 1324
  - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads