Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
Size: 204KB
MD5: 6030608dbda6f24061302a8b96132583
SHA1: cd1e19ddf03775d138f6fc00ba20572f68d2690d
SHA256: 3c8f713770473a68fa2f70b65f1c2298547b78ca26462e0d7db89518b8fbe950
SHA512: bda887b542d4825d6583addc4fcefa68ea03e67e2d093ee85d5bc9c6291899add0486f616458619a55b1eec9b2ff5debad8e3f4202aa29ae324c1bf63f1cdcbe
SSDEEP: 1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oGl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures

Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000015a98-4.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c7c-12.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015a98-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c7c-33.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015a98-40.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015c7c-47.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000015a98-54.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015c87-61.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000015a98-68.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015c87-75.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10E4A0B-590F-437c-905E-3C783C71CDA1}\stubpath = "C:\\Windows\\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe" | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{264F2785-FCDD-43e0-9391-59585FD2D279}\stubpath = "C:\\Windows\\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe" | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2} | {5150B930-5E72-4a46-B950-332CBB906302}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E} | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF93032-56DC-4257-B6BC-A36CA443290A} | {B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10E4A0B-590F-437c-905E-3C783C71CDA1} | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1} | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}\stubpath = "C:\\Windows\\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe" | {55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB} | {B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5150B930-5E72-4a46-B950-332CBB906302} | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1186066-2F68-49c8-AD03-A226BCBAF6F7} | {55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}\stubpath = "C:\\Windows\\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe" | {B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}\stubpath = "C:\\Windows\\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe" | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{264F2785-FCDD-43e0-9391-59585FD2D279} | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E} | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}\stubpath = "C:\\Windows\\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe" | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5150B930-5E72-4a46-B950-332CBB906302}\stubpath = "C:\\Windows\\{5150B930-5E72-4a46-B950-332CBB906302}.exe" | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}\stubpath = "C:\\Windows\\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe" | {5150B930-5E72-4a46-B950-332CBB906302}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}\stubpath = "C:\\Windows\\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe" | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55DF49BB-C557-48a3-AC23-D1507FB4642B} | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55DF49BB-C557-48a3-AC23-D1507FB4642B}\stubpath = "C:\\Windows\\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe" | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EF93032-56DC-4257-B6BC-A36CA443290A}\stubpath = "C:\\Windows\\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe" | {B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
Deletes itself (1 IoC)
pid | Process
2856 | cmd.exe
Executes dropped EXE (11 IoCs)
pid | Process
2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe
800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe
2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
2292 | {55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
1508 | {B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
660 | {B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
268 | {8EF93032-56DC-4257-B6BC-A36CA443290A}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
File created | C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
File created | C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
File created | C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe | {55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
File created | C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe | {B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
File created | C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe | {B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
File created | C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
File created | C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe
File created | C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
File created | C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | {5150B930-5E72-4a46-B950-332CBB906302}.exe
File created | C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
Token: SeIncBasePriorityPrivilege | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
Token: SeIncBasePriorityPrivilege | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe
Token: SeIncBasePriorityPrivilege | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
Token: SeIncBasePriorityPrivilege | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe
Token: SeIncBasePriorityPrivilege | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
Token: SeIncBasePriorityPrivilege | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
Token: SeIncBasePriorityPrivilege | 2292 | {55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
Token: SeIncBasePriorityPrivilege | 1508 | {B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
Token: SeIncBasePriorityPrivilege | 660 | {B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2892 wrote to memory of 2812 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 28
PID 2892 wrote to memory of 2812 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 28
PID 2892 wrote to memory of 2812 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 28
PID 2892 wrote to memory of 2812 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 28
PID 2892 wrote to memory of 2856 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 29
PID 2892 wrote to memory of 2856 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 29
PID 2892 wrote to memory of 2856 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 29
PID 2892 wrote to memory of 2856 | 2892 | 2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe | 29
PID 2812 wrote to memory of 2548 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 32
PID 2812 wrote to memory of 2548 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 32
PID 2812 wrote to memory of 2548 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 32
PID 2812 wrote to memory of 2548 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 32
PID 2812 wrote to memory of 2400 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 33
PID 2812 wrote to memory of 2400 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 33
PID 2812 wrote to memory of 2400 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 33
PID 2812 wrote to memory of 2400 | 2812 | {E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe | 33
PID 2548 wrote to memory of 920 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 34
PID 2548 wrote to memory of 920 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 34
PID 2548 wrote to memory of 920 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 34
PID 2548 wrote to memory of 920 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 34
PID 2548 wrote to memory of 2444 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 35
PID 2548 wrote to memory of 2444 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 35
PID 2548 wrote to memory of 2444 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 35
PID 2548 wrote to memory of 2444 | 2548 | {881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe | 35
PID 920 wrote to memory of 800 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 36
PID 920 wrote to memory of 800 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 36
PID 920 wrote to memory of 800 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 36
PID 920 wrote to memory of 800 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 36
PID 920 wrote to memory of 1484 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 37
PID 920 wrote to memory of 1484 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 37
PID 920 wrote to memory of 1484 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 37
PID 920 wrote to memory of 1484 | 920 | {264F2785-FCDD-43e0-9391-59585FD2D279}.exe | 37
PID 800 wrote to memory of 1976 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 38
PID 800 wrote to memory of 1976 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 38
PID 800 wrote to memory of 1976 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 38
PID 800 wrote to memory of 1976 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 38
PID 800 wrote to memory of 1624 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 39
PID 800 wrote to memory of 1624 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 39
PID 800 wrote to memory of 1624 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 39
PID 800 wrote to memory of 1624 | 800 | {0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe | 39
PID 1976 wrote to memory of 2636 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 40
PID 1976 wrote to memory of 2636 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 40
PID 1976 wrote to memory of 2636 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 40
PID 1976 wrote to memory of 2636 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 40
PID 1976 wrote to memory of 2280 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 41
PID 1976 wrote to memory of 2280 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 41
PID 1976 wrote to memory of 2280 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 41
PID 1976 wrote to memory of 2280 | 1976 | {5150B930-5E72-4a46-B950-332CBB906302}.exe | 41
PID 2636 wrote to memory of 2316 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 42
PID 2636 wrote to memory of 2316 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 42
PID 2636 wrote to memory of 2316 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 42
PID 2636 wrote to memory of 2316 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 42
PID 2636 wrote to memory of 2312 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 43
PID 2636 wrote to memory of 2312 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 43
PID 2636 wrote to memory of 2312 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 43
PID 2636 wrote to memory of 2312 | 2636 | {3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe | 43
PID 2316 wrote to memory of 2292 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 44
PID 2316 wrote to memory of 2292 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 44
PID 2316 wrote to memory of 2292 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 44
PID 2316 wrote to memory of 2292 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 44
PID 2316 wrote to memory of 1640 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 45
PID 2316 wrote to memory of 1640 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 45
PID 2316 wrote to memory of 1640 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 45
PID 2316 wrote to memory of 1640 | 2316 | {B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe | 45
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2892

depth 2: C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
  Command line: C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2812

depth 3: C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
  Command line: C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2548

depth 4: C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
  Command line: C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 920

depth 5: C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
  Command line: C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 800

depth 6: C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
  Command line: C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1976

depth 7: C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
  Command line: C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2636

depth 8: C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
  Command line: C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2316

depth 9: C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
  Command line: C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2292

depth 10: C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
  Command line: C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1508

depth 11: C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
  Command line: C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 660

depth 12: C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe
  Command line: C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe
  - Executes dropped EXE
  PID: 268

depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B856C~1.EXE > nul
  PID: 2916

depth 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B1186~1.EXE > nul
  PID: 1764

depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{55DF4~1.EXE > nul
  PID: 1216

depth 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B37BB~1.EXE > nul
  PID: 1640

depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3B859~1.EXE > nul
  PID: 2312

depth 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5150B~1.EXE > nul
  PID: 2280

depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4C9~1.EXE > nul
  PID: 1624

depth 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{264F2~1.EXE > nul
  PID: 1484

depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{881AF~1.EXE > nul
  PID: 2444

depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E10E4~1.EXE > nul
  PID: 2400

depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  - Deletes itself
  PID: 2856
Network
MITRE ATT&CK Enterprise v15