Analysis
max time kernel: 169s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 21:41

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
Size: 168KB
MD5: 7cef5df66ff7e58f9788b662f6f660c6
SHA1: 3be730923e04347c9b10dc89f65d08b4619d4517
SHA256: 4428b755338c423f4b0d8e3273b77918208171919fc3cf38b86df7565eb6bfe5
SHA512: 49d07f6427139419338d4083e78b6787e7f1b0e2be447b2cbba96630948a039862813ac5afbe759345a2e4fa75ed28c7b500256dca2c8382cff9fda75ec805e9
SSDEEP: 1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule (11 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002320d-3.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ff-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320d-11.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023213-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021841-17.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000000037-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000000037-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000000037-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}\stubpath = "C:\\Windows\\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe" | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B290045B-5532-43bd-98FA-0A3BB423928F}\stubpath = "C:\\Windows\\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe" | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}\stubpath = "C:\\Windows\\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe" | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF3882D-C162-4d6b-9EE9-07EB5F538427} | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}\stubpath = "C:\\Windows\\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe" | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51} | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897} | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}\stubpath = "C:\\Windows\\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe" | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6} | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}\stubpath = "C:\\Windows\\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe" | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA7A391-3447-4ff6-9012-41295DFB015D} | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}\stubpath = "C:\\Windows\\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe" | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78} | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA7A391-3447-4ff6-9012-41295DFB015D}\stubpath = "C:\\Windows\\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe" | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C} | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}\stubpath = "C:\\Windows\\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe" | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6F47B7-2361-4aa5-8956-A18046597B13}\stubpath = "C:\\Windows\\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe" | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7} | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B290045B-5532-43bd-98FA-0A3BB423928F} | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6} | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6F47B7-2361-4aa5-8956-A18046597B13} | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}\stubpath = "C:\\Windows\\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe" | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
Executes dropped EXE (11 IoCs)
pid | Process
2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe
3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
4632 | {2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
File created | C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
File created | C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe
File created | C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
File created | C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
File created | C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
File created | C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
File created | C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
File created | C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
File created | C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
File created | C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
Token: SeIncBasePriorityPrivilege | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe
Token: SeIncBasePriorityPrivilege | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
Token: SeIncBasePriorityPrivilege | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
Token: SeIncBasePriorityPrivilege | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
Token: SeIncBasePriorityPrivilege | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
Token: SeIncBasePriorityPrivilege | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
Token: SeIncBasePriorityPrivilege | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
Token: SeIncBasePriorityPrivilege | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
Token: SeIncBasePriorityPrivilege | 2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1888 wrote to memory of 2524 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 92
PID 1888 wrote to memory of 2524 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 92
PID 1888 wrote to memory of 2524 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 92
PID 1888 wrote to memory of 4576 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 93
PID 1888 wrote to memory of 4576 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 93
PID 1888 wrote to memory of 4576 | 1888 | 2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe | 93
PID 2524 wrote to memory of 4276 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 96
PID 2524 wrote to memory of 4276 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 96
PID 2524 wrote to memory of 4276 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 96
PID 2524 wrote to memory of 3384 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 97
PID 2524 wrote to memory of 3384 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 97
PID 2524 wrote to memory of 3384 | 2524 | {FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe | 97
PID 4276 wrote to memory of 3784 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 102
PID 4276 wrote to memory of 3784 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 102
PID 4276 wrote to memory of 3784 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 102
PID 4276 wrote to memory of 3280 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 103
PID 4276 wrote to memory of 3280 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 103
PID 4276 wrote to memory of 3280 | 4276 | {B290045B-5532-43bd-98FA-0A3BB423928F}.exe | 103
PID 3784 wrote to memory of 3124 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 104
PID 3784 wrote to memory of 3124 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 104
PID 3784 wrote to memory of 3124 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 104
PID 3784 wrote to memory of 540 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 105
PID 3784 wrote to memory of 540 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 105
PID 3784 wrote to memory of 540 | 3784 | {C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe | 105
PID 3124 wrote to memory of 3540 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 106
PID 3124 wrote to memory of 3540 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 106
PID 3124 wrote to memory of 3540 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 106
PID 3124 wrote to memory of 4560 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 107
PID 3124 wrote to memory of 4560 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 107
PID 3124 wrote to memory of 4560 | 3124 | {81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe | 107
PID 3540 wrote to memory of 4456 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 108
PID 3540 wrote to memory of 4456 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 108
PID 3540 wrote to memory of 4456 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 108
PID 3540 wrote to memory of 3660 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 109
PID 3540 wrote to memory of 3660 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 109
PID 3540 wrote to memory of 3660 | 3540 | {5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe | 109
PID 4456 wrote to memory of 4408 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 110
PID 4456 wrote to memory of 4408 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 110
PID 4456 wrote to memory of 4408 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 110
PID 4456 wrote to memory of 1312 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 111
PID 4456 wrote to memory of 1312 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 111
PID 4456 wrote to memory of 1312 | 4456 | {3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe | 111
PID 4408 wrote to memory of 2660 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 112
PID 4408 wrote to memory of 2660 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 112
PID 4408 wrote to memory of 2660 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 112
PID 4408 wrote to memory of 5084 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 113
PID 4408 wrote to memory of 5084 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 113
PID 4408 wrote to memory of 5084 | 4408 | {AAA7A391-3447-4ff6-9012-41295DFB015D}.exe | 113
PID 2660 wrote to memory of 3684 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 114
PID 2660 wrote to memory of 3684 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 114
PID 2660 wrote to memory of 3684 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 114
PID 2660 wrote to memory of 4284 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 115
PID 2660 wrote to memory of 4284 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 115
PID 2660 wrote to memory of 4284 | 2660 | {3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe | 115
PID 3684 wrote to memory of 2800 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 116
PID 3684 wrote to memory of 2800 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 116
PID 3684 wrote to memory of 2800 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 116
PID 3684 wrote to memory of 708 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 117
PID 3684 wrote to memory of 708 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 117
PID 3684 wrote to memory of 708 | 3684 | {816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe | 117
PID 2800 wrote to memory of 4632 | 2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe | 118
PID 2800 wrote to memory of 4632 | 2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe | 118
PID 2800 wrote to memory of 4632 | 2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe | 118
PID 2800 wrote to memory of 4688 | 2800 | {2B6F47B7-2361-4aa5-8956-A18046597B13}.exe | 119
Processes
(The bracketed number is the process's depth in the tree: a level-N process was started by the level-(N-1) process above it. Each entry gives the image path, the command line as observed, the PID and the signatures matched by that process.)

- [1] C:\Users\Admin\AppData\Local\Temp\2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe"
  PID: 1888
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
  Command line: C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
  PID: 2524
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe
  Command line: C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe
  PID: 4276
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
  Command line: C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
  PID: 3784
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
  Command line: C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
  PID: 3124
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
  Command line: C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
  PID: 3540
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
  Command line: C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
  PID: 4456
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
  Command line: C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
  PID: 4408
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
  Command line: C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
  PID: 2660
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
  Command line: C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
  PID: 3684
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
  Command line: C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
  PID: 2800
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe
  Command line: C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe
  PID: 4632
  - Executes dropped EXE
- [12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2B6F4~1.EXE > nul
  PID: 4688
- [11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{816FF~1.EXE > nul
  PID: 708
- [10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD0F~1.EXE > nul
  PID: 4284
- [9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA7A~1.EXE > nul
  PID: 5084
- [8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF38~1.EXE > nul
  PID: 1312
- [7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB9F~1.EXE > nul
  PID: 3660
- [6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{81C6E~1.EXE > nul
  PID: 4560
- [5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FC3~1.EXE > nul
  PID: 540
- [4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B2900~1.EXE > nul
  PID: 3280
- [3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9EF~1.EXE > nul
  PID: 3384
- [2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 4576
Network
MITRE ATT&CK Enterprise v15
Downloads